Asterisk Project Security Advisory - AST-2020-004 Product Asterisk Summary Remote crash in res_pjsip_diversion Nature of Advisory Denial of service Susceptibility Remote authenticated sessions Severity Moderate Exploits Known No Reported On December 02, 2020 Reported By Mikhail Ivanov Posted On December 22, 2020 Last Updated On Advisory Contact kharwell AT sangoma DOT com CVE Name Description A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri. Modules Affected res_pjsip_diversion.c Resolution Asterisk now ensures that if it receives a SIP 181 response with a Diversion header that contains a tel-uri a crash does not occur. Affected Versions Product Release Series Asterisk Open Source 13.X 13.38.0 Asterisk Open Source 16.X 16.15.0 Asterisk Open Source 17.X 17.9.0 Asterisk Open Source 18.X 18.1.0 Corrected In Product Release Asterisk Open Source 13.38.1, 16.15.1, 17.9.1, 18.1.1 Patches SVN URL Revision The associated patches for AST-2020-003 also Asterisk 13, 16, 17, 18 fix this issue. Links https://issues.asterisk.org/jira/browse/ASTERISK-29191 https://downloads.asterisk.org/pub/security/AST-2020-003.html Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2020-004.pdf and http://downloads.digium.com/pub/security/AST-2020-004.html Revision History Date Editor Revisions Made December 22, 2020 Kevin Harwell Initial revision Asterisk Project Security Advisory - AST-2020-004 Copyright © 2020 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.