Asterisk 1.4.30-rc2, 1.6.0.23-rc2, 1.6.1.15-rc2 e 1.6.2.3-rc2 Now Available
Il Team di Sviluppo di Asterisk, ha annunciato il rilascio delle versioni candidate di: 1.4.30-rc2, 1.6.0.23-rc2, 1.6.1.15-rc2 e 1.6.2.3-rc2.
Questi i ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.30-rc2
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.23-rc2
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.15-rc2
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.3-rc2
Sicurezza: AST-2010-001 – T.38 Remote Crash Vulnerability
Description:
An attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash occurs when the FaxMaxDatagram field is omitted from the SDP as well.
Resolution:
Upgrade to one of the versions of Asterisk listed in the “Corrected In” section, or apply a patch specified in the “Patches” section.
Sono affette tutte le versione 1.6.x. Le versioni 1.6.0.22, 1.6.1.14 e 1.6.2.2 sono già corrette.
PATCH:
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff (v1.6.0)
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff (v1.6.1)
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff (v1.6.2)
Questo il link per scaricare il documento in pdf: AST-2010-001