Asterisk 11.14.2, 11.6-cert9, 12.7.2, 13.0.2 Now Available (Security Release)

The Asterisk Development Team has announced security releases for Certified Asterisk 11.6 and Asterisk 11, 12, and 13. The security releases are versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2. They are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

  • AST-2014-019: Remote Crash Vulnerability in WebSocket Server
    When handling a WebSocket frame, the res_http_websocket module dynamically resizes the memory it uses so that the provided payload fits. If a payload length of zero was received, the code would incorrectly attempt to resize to zero. This operation would succeed and free the memory, but be treated as a failure. When the session was subsequently torn down, this memory would be freed again, causing a crash.
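
The resize-to-zero pattern described above, next to a hardened form, as an added illustration. This is not code from Asterisk or from the advisory; the `session` struct and all function names are hypothetical, and the zero-length guard is one possible way to avoid the problem, not necessarily the project's fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session type for this example; not Asterisk's own structure. */
struct session { char *payload; size_t len; };

/* Flawed pattern: when s->len and frame_len are both 0 this is realloc(p, 0).
 * Many allocators free p and return NULL, so the "failure" return leaves
 * s->payload dangling and a later teardown frees it a second time. */
int append_frame_unsafe(struct session *s, const char *data, size_t frame_len) {
    char *tmp = realloc(s->payload, s->len + frame_len);
    if (!tmp)
        return -1;                 /* s->payload may already be freed */
    memcpy(tmp + s->len, data, frame_len);
    s->payload = tmp;
    s->len += frame_len;
    return 0;
}

/* Hardened form: an empty frame never reaches realloc(). */
int append_frame(struct session *s, const char *data, size_t frame_len) {
    if (frame_len == 0)
        return 0;                  /* nothing to store, buffer untouched */
    if (frame_len > SIZE_MAX - s->len)
        return -1;                 /* size computation would wrap */
    char *tmp = realloc(s->payload, s->len + frame_len);
    if (!tmp)
        return -1;                 /* real failure: old buffer still valid */
    memcpy(tmp + s->len, data, frame_len);
    s->payload = tmp;
    s->len += frame_len;
    return 0;
}

/* Teardown clears the pointer so a repeated call cannot free twice. */
void session_destroy(struct session *s) {
    free(s->payload);
    s->payload = NULL;
    s->len = 0;
}

int main(void) {
    struct session s = { malloc(8), 0 };   /* constructed sample session */
    int rc = append_frame(&s, "", 0) || append_frame(&s, "ping", 4);
    session_destroy(&s);
    return rc;
}
```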

For more information about the details of this vulnerability, please read security advisory AST-2014-019, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs:

The security advisory is available at:

Thank you for your continued support of Asterisk!
