Full Disclosure mailing list archives
CORRECTED asterisk release certified-18.9-cert6
From: Asterisk Development Team <asteriskteam () digium com>
Date: Thu, 14 Dec 2023 13:32:12 -0700
The earlier release announcement should NOT have had any User or Upgrade notes. The Asterisk Development Team would like to announce security release Certified Asterisk 18.9-cert6. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert6 and https://downloads.asterisk.org/pub/telephony/certified-asterisk The following security advisories were resolved in this release: - [Path traversal via AMI GetConfig allows access to outside files]( https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f ) - [Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation]( https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq ) - [PJSIP logging allows attacker to inject fake Asterisk log entries ]( https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7 ) - [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update']( https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh ) Change Log for Release asterisk-certified-18.9-cert6 ======================================== Links: ---------------------------------------- - [Full ChangeLog]( https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-certified-18.9-cert6.md) - [GitHub Diff]( https://github.com/asterisk/asterisk/compare/certified-18.9-cert5...certified-18.9-cert6) - [Tarball]( https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-certified-18.9-cert6.tar.gz) - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk) Summary: ---------------------------------------- - res_pjsip_header_funcs: Duplicate new header value, don't copy. - res_rtp_asterisk.c: Check DTLS packets against ICE candidate list - manager.c: Prevent path traversal with GetConfig. - res_pjsip: disable raw bad packet logging User Notes: ---------------------------------------- Upgrade Notes: ---------------------------------------- Closed Issues: ---------------------------------------- None _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CORRECTED asterisk release certified-18.9-cert6 Asterisk Development Team (Dec 19)