ASTERWEB Blog

26 Sep 2014

Asterisk 12.6.0 released

On 24 September 2014, the Asterisk Development Team announced the release of Asterisk 12.6.0.

From the original post:

The release of Asterisk 12.6.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24027 - MixMonitor AMI action called during AGI
execution from bridge feature causes channel to leave AGI has
hung up (Reported by Matt Jordan)
* ASTERISK-24236 - res_hep_rtcp: Module incorrectly depends on
pjsip (Reported by Matt Jordan)
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24234 - app_meetme: Crash on conference shutdown due to
NULL channel passed to meetme_stasis_generate_msg() (Reported by
Shaun Ruffell)
* ASTERISK-24043 - ARI /continue fails to actually continue into
the dialplan (Reported by Krandon Bruse)
* ASTERISK-24245 - gcc 4.1.2 complains of files that do not end
with newlines (Reported by Shaun Ruffell)
* ASTERISK-24229 - ARI: playback of sounds implicitly answers
channel, preventing early media playback (Reported by Matt
Jordan)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23994 - res_pjsip_sdp_rtp: owner address in SDP may not
be fully qualified domainname (Reported by Private Name)
* ASTERISK-24147 - ARI: channel hangup crashes asterisk process
(Reported by Edvin Vidmar)
* ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24143 - pjsip: Outbound call to WebRTC UA fails to
transmit ACK on received 200 OK (Reported by Aleksei Kulakov)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24264 - ARI: Adding a channel to a holding bridge
automatically starts MOH (Reported by Samuel Galarneau)
* ASTERISK-24212 - testsuite: Sporadic crash due to assert on
stopping RTP engine (Reported by Matt Jordan)
* ASTERISK-24241 - crash: CDRs recursively attempt to update Party
B information in a multi-party bridge, overrunning the stack
(Reported by Deepak Singh Rawat)
* ASTERISK-24254 - CDRs: Application/args/dialplan CEP updated
during dial operation (Reported by Matt Jordan)
* ASTERISK-24231 - crash: CLI execution of realtime destroy
sippeers id 1 causes crash due to NULL name provided to
ast_variable (Reported by Niklas Larsson)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 - res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24161 - PJSIPShowEndpoint gives inaccurate count of
list items (Reported by Mark Michelson)
* ASTERISK-24331 - Unexpected Errors in Asterisk Manager Interface
Output (Reported by xrobau)
* ASTERISK-24136 - Security: Crash in Asterisk's PJSIP code when
subscribing to an event with an unexpected body type (Reported
by Mark Michelson)
* ASTERISK-24301 - Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
* ASTERISK-24290 - Endpoint identifier match value fails to parse
when CIDR network format is specified (Reported by Ray Crumrine)
* ASTERISK-24237 - CDR: FRACK With PJSIP blonde transfer.
(Reported by Richard Mudgett)

Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.6.0

26 Sep 2014

Asterisk 11.13.0 released

On 24 September 2014, the Asterisk Development Team announced the release of Asterisk 11.13.0.

From the original post:

The release of Asterisk 11.13.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 - res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24301 - Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)

Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0

26 Sep 2014

Asterisk 1.8.31.0 released

On 24 September 2014, the Asterisk Development Team announced the release of Asterisk 1.8.31.0.

From the original post:

The release of Asterisk 1.8.31.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)

Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0

20 Sep 2014

Remote crash when handling out of call message in certain dialplan configurations

On 20 September 2014, the Asterisk Development Team announced the release of Asterisk 13.0.0-beta2.

From the original post:

Asterisk Project Security Advisory - AST-2014-010

Product:            Asterisk
Summary:            Remote crash when handling out of call message in
                    certain dialplan configurations
Nature of Advisory: Remotely triggered crash of Asterisk
Susceptibility:     Remote authenticated sessions
Severity:           Minor
Exploits Known:     No
Reported On:        05 September 2014
Reported By:        Philippe Lindheimer
Posted On:          18 September 2014
Last Updated On:    September 18, 2014
Advisory Contact:   Matt Jordan
CVE Name:           Pending

Description:
When an out of call message - delivered by either the SIP
or PJSIP channel driver or the XMPP stack - is handled in
Asterisk, a crash can occur if the channel servicing the
message is sent into the ReceiveFax dialplan application
while using the res_fax_spandsp module.

Note that this crash does not occur when using the
res_fax_digium module.

While this crash technically occurs due to a configuration
issue, as attempting to receive a fax from a channel driver
that only contains textual information will never succeed,
the likelihood of having it occur is sufficiently high as
to warrant this advisory.

Resolution:
The fax family of applications have been updated to handle
the Message channel driver correctly. Users using the fax
family of applications along with the out of call text
messaging features are encouraged to upgrade their versions
of Asterisk to the versions specified in this security
advisory.

Additionally, users of Asterisk are encouraged to use a
separate dialplan context to process text messages. This
avoids issues where the Message channel driver is passed to
dialplan applications that assume a media stream is
available. Note that the various channel drivers and stacks
provide such an option; an example being the SIP channel
driver's outofcall_message_context option.
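The following is an added configuration example illustrating the separate-context mitigation the advisory recommends; it is not part of the advisory or of the Asterisk project's own documentation. The `outofcall_message_context` option is the one the advisory names; the context name `messages`, the endpoint name `alice`, the pjsip.conf `message_context` option, `accept_outofcall_message`, and the MESSAGE()/MessageSend() dialplan functions are assumed from the Asterisk 11/12 sample configuration.

```ini
; sip.conf (chan_sip): send out-of-call MESSAGE requests to a dedicated
; dialplan context instead of the peer's voice context.
[general]
accept_outofcall_message=yes       ; assumed option name: allow out-of-call MESSAGE
outofcall_message_context=messages ; option named in the advisory

; pjsip.conf (res_pjsip): per-endpoint equivalent (assumed option name).
[alice]
type=endpoint
context=from-internal              ; voice calls only
message_context=messages           ; text messages never enter from-internal

; extensions.conf
[from-internal]
; Media-dependent applications live only here, so a Message channel
; (which carries text and has no media stream) never reaches ReceiveFax.
exten => 5000,1,Answer()
 same => n,ReceiveFax(/var/spool/asterisk/fax/${UNIQUEID}.tif)
 same => n,Hangup()

[messages]
; Only text-aware applications here: log the MESSAGE() fields, relay the
; message to the addressed user (the part of the To URI before the '@'),
; then hang up the Message channel.
exten => _.,1,NoOp(Text message from ${MESSAGE(from)} to ${MESSAGE(to)})
 same => n,Set(ACTUALTO=${CUT(MESSAGE(to),@,1)})
 same => n,MessageSend(${ACTUALTO},${MESSAGE(from)})
 same => n,Hangup()
```

With this split, a text message addressed to 5000 is handled in [messages] and never triggers the ReceiveFax path that the advisory describes as crashing under res_fax_spandsp.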

Affected Versions:
  Product                 Release Series
  Asterisk Open Source    11.x             All versions
  Asterisk Open Source    12.x             All versions
  Certified Asterisk      11.6             All versions

Corrected In:
  Product                 Release
  Asterisk Open Source    11.12.1, 12.5.1
  Certified Asterisk      11.6-cert6

Patches:
  SVN URL                                                            Revision
  http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff    Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2014-010-12.diff    Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2014-010-11.6.diff  Certified Asterisk 11.6

Links: https://issues.asterisk.org/jira/browse/ASTERISK-24301

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-010.pdf and
http://downloads.digium.com/pub/security/AST-2014-010.html

Revision History:
  Date           Editor        Revisions Made
  September 18   Matt Jordan   Initial Draft

20 Sep 2014

AST-2014-009: Remote crash based on malformed SIP subscription requests

On 20 September 2014, the Asterisk Development Team announced the release of Asterisk 13.0.0-beta2.

From the original post:

Asterisk Project Security Advisory - AST-2014-009

Product:            Asterisk
Summary:            Remote crash based on malformed SIP subscription
                    requests
Nature of Advisory: Remotely triggered crash of Asterisk
Susceptibility:     Remote authenticated sessions
Severity:           Major
Exploits Known:     No
Reported On:        30 July, 2014
Reported By:        Mark Michelson
Posted On:          18 September, 2014
Last Updated On:    September 18, 2014
Advisory Contact:   Mark Michelson
CVE Name:           Pending

Description:
It is possible to trigger a crash in Asterisk by sending a
SIP SUBSCRIBE request with unexpected mixes of headers for
a given event package. The crash occurs because Asterisk
allocates data of one type at one layer and then interprets
the data as a separate type at a different layer. The crash
requires that the SUBSCRIBE be sent from a configured
endpoint, and the SUBSCRIBE must pass any authentication
that has been configured.

Note that this crash is in Asterisk's PJSIP-based
res_pjsip_pubsub module and not in the old chan_sip module.

Resolution:
Type-safety has been built into the pubsub API where it
previously was absent. A test has been added to the
testsuite that previously would have triggered the crash.

Affected Versions:
  Product                 Release Series
  Asterisk Open Source    1.8.x            Unaffected
  Asterisk Open Source    11.x             Unaffected
  Asterisk Open Source    12.x             12.1.0 and up
  Certified Asterisk      1.8.15           Unaffected
  Certified Asterisk      11.6             Unaffected

Corrected In:
  Product                 Release
  Asterisk Open Source    12.5.1

Patches:
  SVN URL                                                            Revision
  http://downloads.asterisk.org/pub/security/AST-2014-009-12.diff    Asterisk 12

Links: https://issues.asterisk.org/jira/browse/ASTERISK-24136

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-009.pdf and
http://downloads.digium.com/pub/security/AST-2014-009.html

Revision History:
  Date              Editor           Revisions Made
  19 August, 2014   Mark Michelson   Initial version of document

20 Sep 2014

Asterisk 13.0.0-beta2 released

On 20 September 2014, the Asterisk Development Team announced the release of Asterisk 13.0.0-beta2.

From the original post:
All interested users of Asterisk are encouraged to participate in the
Asterisk 13 testing process. Please report any issues found to the issue
tracker, https://issues.asterisk.org/jira. All Asterisk users are invited to
participate in the #asterisk-bugs channel to help communicate issues found to
the Asterisk developers. It is also very useful to see successful test reports.
Please post those to the asterisk-dev mailing list (http://lists.digium.com).

Asterisk 13 is the next major release series of Asterisk. It will be a Long Term
Support (LTS) release, similar to Asterisk 11. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

For important information regarding upgrading to Asterisk 13, please see the
Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13

A short list of new features includes:

* Asterisk security events are now provided via AMI, allowing end users to
monitor their Asterisk system in real time for security related issues.

* Both AMI and ARI now allow external systems to control the state of a mailbox.
Using AMI actions or ARI resources, external systems can programmatically
trigger Message Waiting Indicators (MWI) on subscribed phones. This is of
particular use to those who want to build their own VoiceMail application
using ARI.

* ARI now supports the reception/transmission of out of call text messages using
any supported channel driver/protocol stack through ARI. Users receive out of
call text messages as JSON events over the ARI websocket connection, and can
send out of call text messages using HTTP requests.

* The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act
as a Resource List Server. This includes defining lists of presence state,
mailbox state, or lists of presence state/mailbox state; managing
subscriptions to lists; and batched delivery of NOTIFY requests to
subscribers.

* The PJSIP stack can now be used as a means of distributing device state or
mailbox state via PUBLISH requests to other Asterisk instances. This is
analogous to Asterisk's clustering support using XMPP or Corosync; unlike
existing clustering mechanisms, using the PJSIP stack to perform the
distribution of state does not rely on another daemon or server to perform the
work.

And much more!

More information about the new features can be found on the Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Documentation

A full list of all new features can also be found in the CHANGES file:

http://svnview.digium.com/svn/asterisk/branches/13/CHANGES

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta2