The Asterisk Development Team has announced security releases for
Certified Asterisk 13.13 and for Asterisk 13 and 14, published as
versions 13.13-cert4, 13.15.1, and 14.4.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerabilities:
* AST-2017-002: A remote crash can be triggered by sending Asterisk a SIP
packet with a specially crafted CSeq header and a Via header that carries
no branch parameter. The PJSIP RFC 2543 transaction key generation
algorithm does not allocate a large enough buffer for the key; the
resulting buffer overrun corrupts the memory allocation table, leading to
an eventual crash.
* AST-2017-003: The multi-part body parser in PJSIP contains a logical
error that can make certain multi-part body parts attempt to read
memory from outside the allowed boundaries. A specially-crafted packet
can trigger these invalid reads and potentially induce a crash.
* AST-2017-004: A remote memory exhaustion can be triggered by sending
an SCCP packet to an Asterisk system with “chan_skinny” enabled, where
the packet is larger than the SCCP header but shorter than the packet
length declared in that header. The loop that reads the rest of the
packet does not detect that read() returned end-of-file before the
expected number of bytes arrived, so it never terminates. The “partial
data” message logged on every pass through that tight loop causes
Asterisk to exhaust all available memory.
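As an added illustration of the read-loop failure described above (example code written for this page, not chan_skinny source or the actual Asterisk fix): the vulnerable loop shape beside its hardened form, driven through a pipe so the truncated-packet case can be reproduced offline. The header layout (4-byte little-endian body length plus 4 reserved bytes), the MAX_BODY bound and the DEMO_SPIN_LIMIT guard are assumptions made for the example; the real loop has no such guard, which is why it spins forever.

```c
/* Added example (not Asterisk's chan_skinny source): a simplified model of
 * the AST-2017-004 bug class, a body-read loop that ignores read() == 0,
 * beside the hardened form that aborts on EOF. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: an SCCP-style header of a 4-byte little-endian body length
 * plus 4 reserved bytes. The real chan_skinny struct layout is not
 * reproduced here. */
#define HDR_LEN  8
#define MAX_BODY 2048
#define DEMO_SPIN_LIMIT 1000   /* demo-only guard so the test cannot hang */

/* Vulnerable shape: a 0 return from read() (peer closed the socket) adds
 * nothing to bytesread and is not treated as failure, so the loop never
 * terminates and logs "partial data" on every pass. Returns 0 on success,
 * -1 on a read error, -2 once the spin guard trips (i.e. the original
 * loop would have run forever). */
static int read_body_vulnerable(int fd, unsigned char *buf, size_t len)
{
    size_t bytesread = 0;
    int spins = 0;
    while (bytesread < len) {
        ssize_t res = read(fd, buf + bytesread, len - bytesread);
        if (res < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        bytesread += (size_t)res;          /* res == 0: no progress at all */
        if (bytesread < len) {
            /* here the real code logs "partial data" on every iteration */
            if (++spins >= DEMO_SPIN_LIMIT) return -2;
        }
    }
    return 0;
}

/* Hardened form: EOF before len bytes means a truncated packet; fail and
 * let the caller drop the session instead of spinning. */
static int read_body_fixed(int fd, unsigned char *buf, size_t len)
{
    size_t bytesread = 0;
    while (bytesread < len) {
        ssize_t res = read(fd, buf + bytesread, len - bytesread);
        if (res < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (res == 0) return -1;           /* peer hung up mid-packet */
        bytesread += (size_t)res;
    }
    return 0;
}

/* Feeds one constructed packet through a pipe: the header claims `claimed`
 * body bytes but only `actual` follow, then the writer closes (EOF).
 * Returns 0 for a complete packet, -1 for truncated or oversized input,
 * -2 if the vulnerable reader spun out. */
static int run_session(uint32_t claimed, size_t actual, int use_fix)
{
    int fds[2];
    unsigned char wire[HDR_LEN + MAX_BODY];
    unsigned char hdr[HDR_LEN], body[MAX_BODY];
    uint32_t len;
    int rc;

    if (actual > MAX_BODY || pipe(fds) != 0) return -1;

    /* constructed wire bytes: LE length, reserved zeros, then body filler */
    memset(wire, 0, HDR_LEN);
    wire[0] = claimed & 0xff;         wire[1] = (claimed >> 8) & 0xff;
    wire[2] = (claimed >> 16) & 0xff; wire[3] = (claimed >> 24) & 0xff;
    memset(wire + HDR_LEN, 0xAB, actual);
    if (write(fds[1], wire, HDR_LEN + actual) != (ssize_t)(HDR_LEN + actual)) {
        close(fds[0]); close(fds[1]); return -1;
    }
    close(fds[1]);                          /* peer disconnects: reads return 0 */

    rc = read_body_fixed(fds[0], hdr, HDR_LEN);
    if (rc == 0) {
        len = hdr[0] | (hdr[1] << 8) | (hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
        if (len > MAX_BODY)
            rc = -1;                        /* reject absurd claimed lengths */
        else
            rc = use_fix ? read_body_fixed(fds[0], body, len)
                         : read_body_vulnerable(fds[0], body, len);
    }
    close(fds[0]);
    return rc;
}

int main(void)
{
    printf("complete packet, fixed reader:       %d\n", run_session(16, 16, 1));
    printf("truncated packet, fixed reader:      %d\n", run_session(100, 10, 1));
    printf("truncated packet, vulnerable reader: %d\n", run_session(100, 10, 0));
    return 0;
}
```

The two readers differ only in the `res == 0` branch; the length bound in run_session is a separate, independent defence against a header that claims a body far larger than any legitimate message, which keeps a single client from pinning a large buffer while the reader waits.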
Special note: AST-2017-002 and AST-2017-003 are defects in the pjproject
library itself rather than in Asterisk, so systems that use a non-bundled
pjproject must obtain the fixes from an upstream release of that library;
updating Asterisk alone will not address them.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/…
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2017-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2017-003.pdf
* http://downloads.asterisk.org/pub/security/AST-2017-004.pdf
Thank you for your continued support of Asterisk!