From: Asterisk Development Team via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 14 Dec 2023 19:56:58 +0000
The Asterisk Development Team would like to announce security release
Asterisk 18.20.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
The following security advisories were resolved in this release:
- [Path traversal via AMI GetConfig allows access to outside
files](https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f)
- [Asterisk susceptible to Denial of Service via DTLS Hello packets during call
initiation](https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq)
- [PJSIP logging allows attacker to inject fake Asterisk log entries
](https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7)
- [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using
'update'](https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh)
Change Log for Release asterisk-18.20.1
========================================
Links:
----------------------------------------
- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.20.1.md)
- [GitHub Diff](https://github.com/asterisk/asterisk/compare/18.20.0...18.20.1)
- [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-18.20.1.tar.gz)
- [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)
Summary:
----------------------------------------
- res_pjsip_header_funcs: Duplicate new header value, don't copy.
- res_pjsip: disable raw bad packet logging
- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
- manager.c: Prevent path traversal with GetConfig.
User Notes:
----------------------------------------
Upgrade Notes:
----------------------------------------
Closed Issues:
----------------------------------------
None
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- asterisk release 18.20.1 Asterisk Development Team via Fulldisclosure (Dec 19)