The Asterisk Development Team would like to announce security release
Asterisk 18.20.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
The following security advisories were resolved in this release:
- Path traversal via AMI GetConfig allows access to outside files
- Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
- PJSIP logging allows attacker to inject fake Asterisk log entries
- PJSIP_HEADER dialplan function can overwrite memory/cause crash when using ‘update’
Change Log for Release asterisk-18.20.1
Links:
Summary:
- res_pjsip_header_funcs: Duplicate new header value, don’t copy.
- res_pjsip: disable raw bad packet logging
- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
- manager.c: Prevent path traversal with GetConfig.