The Digium / Asterisk Security Team has obviously been extremely busy ensuring that Asterisk is as secure as possible: yesterday they released 7 security advisories, although only one of them (AST-2014-016) was rated as “Critical”. The others are rated as “Moderate” or “Minor”, but they are still good reasons to upgrade to the latest versions of Asterisk. The list of advisories is:
- AST-2014-012: Mixed IP address families in access control lists may permit unwanted traffic
- AST-2014-013: PJSIP ACLs are not loaded on startup
- AST-2014-014: High call load may result in hung channels in ConfBridge
- AST-2014-015: Remote crash vulnerability in PJSIP channel driver
- AST-2014-016: Remote crash vulnerability in PJSIP channel driver
- AST-2014-017: Permission escalation through ConfBridge actions/dialplan functions
- AST-2014-018: AMI permission escalation through DB dialplan function
The issues are all fixed in the latest versions of Asterisk:
- Asterisk Open Source 1.8.32.1, 11.14.1, 12.7.1, 13.0.1
- Certified Asterisk 1.8.28-cert3, 11.6-cert8
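Since the advisories only matter if you are running an older release, the quickest check is to compare the installed version against the fixed versions listed above for its branch. The following script is an added example written for this post, not code from Digium or the Asterisk project; it assumes that `asterisk -V` prints a line of the form `Asterisk 11.13.0` (or `Asterisk 11.6-cert7` for Certified Asterisk), and the fixed-version table is taken directly from the list above.

```python
import re
import subprocess

# Fixed versions from the advisories above (AST-2014-012 through AST-2014-018),
# keyed by release branch. Certified branches carry a "-cert" suffix so that
# 1.8.28-cert3 is not confused with the 1.8.32.1 open-source release.
FIXED_VERSIONS = {
    "1.8": "1.8.32.1",
    "11": "11.14.1",
    "12": "12.7.1",
    "13": "13.0.1",
    "1.8-cert": "1.8.28-cert3",
    "11-cert": "11.6-cert8",
}

# Matches a dotted version followed by an optional "-certN" suffix.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:-cert(\d+))?")


def parse_version(text):
    """Turn 'Asterisk 11.6-cert7' (assumed `asterisk -V` format) into
    (branch, comparable tuple), e.g. ('11-cert', (11, 6, 7))."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Asterisk version found in: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    cert = m.group(2)
    # 1.8 is a two-component branch; every later branch is a single number.
    branch = "1.8" if parts[:2] == [1, 8] else str(parts[0])
    if cert is not None:
        branch += "-cert"
        parts.append(int(cert))  # cert number sorts after the base version
    return branch, tuple(parts)


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch,
    False if it is older, None if the branch is not covered by the list."""
    branch, installed = parse_version(version_text)
    fixed_text = FIXED_VERSIONS.get(branch)
    if fixed_text is None:
        return None
    _, fixed = parse_version(fixed_text)
    # Tuple comparison is lexicographic, so 11.13.1 < 11.14.1 and
    # 1.8.28-cert2 < 1.8.28-cert3 compare the way a human would expect.
    return installed >= fixed


if __name__ == "__main__":
    # Run locally: ask the installed binary for its version (assumed format).
    try:
        out = subprocess.run(["asterisk", "-V"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = "Asterisk 11.13.1"  # constructed fallback so the demo still runs
    status = is_patched(out)
    print(out.strip(), "->",
          {True: "patched", False: "UPGRADE NEEDED", None: "branch not in list"}[status])
```

A `None` result means the branch is not one of the releases in the fixed list at all (for example an end-of-life branch), which deserves a closer look rather than being treated as safe.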
Kudos to the Digium/Asterisk Security Team for the work they do in keeping Asterisk secure – and also for their openness in reporting the issues publicly!