Asterisk Project Security Advisory - AST-2019-004 Product Asterisk Summary Crash when negotiating for T.38 with a declined stream Nature of Advisory Remote Crash Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On August 05, 2019 Reported By Alexei Gradinari Posted On September 05, 2019 Last Updated On September 4, 2019 Advisory Contact kharwell AT sangoma DOT com CVE Name CVE-2019-15297 Description When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk. Modules Affected res_pjsip_t38.c Resolution If T.38 faxing is not required then setting the “t38_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no” so you have to have explicitly set it “yes” to potentially be affected by this issue. Otherwise, if T.38 faxing is required then Asterisk should be upgraded to a fixed version. Affected Versions Product Release Series Asterisk Open Source 15.x All releases Asterisk Open Source 16.x All releases Corrected In Product Release Asterisk Open Source 15.7.4,16.5.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff Asterisk 15 http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff Asterisk 16 Links https://issues.asterisk.org/jira/browse/ASTERISK-28495 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-004.pdf and http://downloads.digium.com/pub/security/AST-2019-004.html Revision History Date Editor Revisions Made August 28, 2019 Kevin Harwell Initial revision Asterisk Project Security Advisory - AST-2019-004 Copyright © 2019 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.