The Asterisk Development Team has announced security releases for Certified Asterisk 11.6, Asterisk 11, Certified Asterisk 13.8 and Asterisk 13.
The available security releases are released as versions 11.6-cert15, 11.23.1, 13.8-cert3 and 13.11.1.
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerabilities:
- AST-2016-006: Crash on ACK from unknown endpoint
Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an “artificial” endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied.
This issue was introduced in the Asterisk 13.10 release and only affects that release and later releases.
This issue only affects users using the PJSIP stack with Asterisk. Those users that use chan_sip are unaffected.
- AST-2016-007: RTP Resource Exhaustion
The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.
For a full list of changes in the current releases, please see the
The security advisories are available at:
Thank you for your continued support of Asterisk!