| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAP=uFEsco8knetYgFT0d=CNe+6jdjmwLGoz732w6vSCtgDwUsA@mail.gmail.com> Date: Thu, 14 Dec 2023 13:32:12 -0700 From: Asterisk Development Team <asteriskteam@...ium.com> To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@...ts.digium.com> Cc: fulldisclosure@...lists.org, asterisk-announce@...ts.digium.com, asterisk+news@...coursemail.com, voipsec@...psa.org, Asterisk Developers Mailing List <asterisk-dev@...ts.digium.com>, asterisk-security@...ts.digium.com Subject: [FD] CORRECTED asterisk release certified-18.9-cert6 The earlier release announcement should NOT have had any User or Upgrade notes. The Asterisk Development Team would like to announce security release Certified Asterisk 18.9-cert6. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert6 and https://downloads.asterisk.org/pub/telephony/certified-asterisk The following security advisories were resolved in this release: - [Path traversal via AMI GetConfig allows access to outside files]( https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f ) - [Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation]( https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq ) - [PJSIP logging allows attacker to inject fake Asterisk log entries ]( https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7 ) - [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update']( https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh ) Change Log for Release asterisk-certified-18.9-cert6 ======================================== Links: ---------------------------------------- - [Full ChangeLog]( https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-certified-18.9-cert6.md) - [GitHub Diff]( https://github.com/asterisk/asterisk/compare/certified-18.9-cert5...certified-18.9-cert6) - [Tarball]( https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-certified-18.9-cert6.tar.gz) - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk) Summary: ---------------------------------------- - res_pjsip_header_funcs: Duplicate new header value, don't copy. - res_rtp_asterisk.c: Check DTLS packets against ICE candidate list - manager.c: Prevent path traversal with GetConfig. - res_pjsip: disable raw bad packet logging User Notes: ---------------------------------------- Upgrade Notes: ---------------------------------------- Closed Issues: ---------------------------------------- None _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists