ASTERWEB Blog

13Feb/16Off

Rilasciato Asterisk 11.21.2

Il giorno 11 febbraio 2016, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.21.2.

Dal post originale:

The Asterisk Development Team has announced the release of Asterisk 11.21.2.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.21.2 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25770 - Check for OpenSSL defines before trying to use
them. (Reported by Kevin Harwell)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.2

7Feb/16Off

Rilasciato Asterisk 13.7.2

Il giorno 5 febbraio 2016, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.7.2.

Dal post originale:

The release of Asterisk 13.7.2 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25702 - PjSip realtime DB and Cache Errors since
upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2 (Reported by
Nic Colledge)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.7.2

5Feb/16Off

AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data

               Asterisk Project Security Advisory - AST-2016-003

Product Asterisk
Summary Remote crash vulnerability when receiving UDPTL FAX
data.
Nature of Advisory Denial of Service
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known Yes
Reported On December 2, 2015
Reported By Walter Dokes, Torrey Searle
Posted On February 3, 2016
Last Updated On February 3, 2016
Advisory Contact Richard Mudgett <rmudgett AT digium DOT com>
CVE Name Pending

Description If no UDPTL packets are lost there is no problem. However,
a lost packet causes Asterisk to use the available error
correcting redundancy packets. If those redundancy packets
have zero length then Asterisk uses an uninitialized buffer
pointer and length value which can cause invalid memory
accesses later when the packet is copied.

Resolution Upgrade to a released version with the fix incorporated or
apply patch.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Asterisk Open Source 13.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions
Certified Asterisk 13.1 All versions

Corrected In
Product Release
Asterisk Open Source 11.21.1, 13.7.1
Certified Asterisk 11.6-cert12, 13.1-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff Certified
Asterisk
11.6
http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff Certified
Asterisk
13.1
http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff Asterisk
13

Links https://issues.asterisk.org/jira/browse/ASTERISK-25603

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-003.pdf and
http://downloads.digium.com/pub/security/AST-2016-003.html

5Feb/16Off

AST-2016-002: File descriptor exhaustion in chan_sip

               Asterisk Project Security Advisory - AST-2016-002

Product Asterisk
Summary File descriptor exhaustion in chan_sip
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known Yes
Reported On September 17, 2015
Reported By Alexander Traud
Posted On February 3, 2016
Last Updated On February 3, 2016
Advisory Contact Richard Mudgett <rmudgett AT digium DOT com>
CVE Name Pending

Description Setting the sip.conf timert1 value to a value higher than
1245 can cause an integer overflow and result in large
retransmit timeout times. These large timeout values hold
system file descriptors hostage and can cause the system to
run out of file descriptors.

Resolution Setting the sip.conf timert1 value to 1245 or lower will not
exhibit the vulnerability. The default timert1 value is 500.
Asterisk has been patched to detect the integer overflow and
calculate the previous retransmission timer value.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Asterisk Open Source 13.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions
Certified Asterisk 13.1 All versions

Corrected In
Product Release
Asterisk Open Source 11.21.1, 13.7.1
Certified Asterisk 11.6-cert12, 13.1-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff Certified
Asterisk
11.6
http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff Certified
Asterisk
13.1
http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff Asterisk
13

Links https://issues.asterisk.org/jira/browse/ASTERISK-25397

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-002.pdf and
http://downloads.digium.com/pub/security/AST-2016-002.html

5Feb/16Off

AST-2016-001: BEAST vulnerability in HTTP server

               Asterisk Project Security Advisory - AST-2016-001

Product Asterisk
Summary BEAST vulnerability in HTTP server
Nature of Advisory Unauthorized data disclosure due to
man-in-the-middle attack
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 04/15/15
Reported By Alex A. Welzl
Posted On 02/03/16
Last Updated On February 3, 2016
Advisory Contact Joshua Colp <jcolp AT digium DOT com>
CVE Name Pending

Description The Asterisk HTTP server currently has a default
configuration which allows the BEAST vulnerability to be
exploited if the TLS functionality is enabled. This can
allow a man-in-the-middle attack to decrypt data passing
through it.

Resolution Additional configuration options have been added to Asterisk
which allow configuration of the HTTP server to not be
susceptible to the BEAST vulnerability. These include
options to confirm the permitted ciphers, to control what
TLS protocols are allowed, and to use server cipher
preference order instead of client preference order. The
default configuration has also been changed for the HTTP
server to use a configuration which is not susceptible to
the BEAST vulnerability.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 11.x All Versions
Asterisk Open Source 12.x All Versions
Asterisk Open Source 13.x All Versions
Certified Asterisk 1.8.28 All Versions
Certified Asterisk 11.6 All Versions
Certified Asterisk 13.1 All Versions

Corrected In
Product Release
Asterisk Open Source 11.21.1, 13.7.1
Certified Asterisk 11.6-cert12, 13.1-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff Certified
Asterisk
11.6
http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff Certified
Asterisk
13.1
http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff Asterisk
13

Links https://issues.asterisk.org/jira/browse/ASTERISK-24972

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-001.pdf and
http://downloads.digium.com/pub/security/AST-2016-001.html

5Feb/16Off

Rilasciati Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1 (Security Release)

Il giorno 15 gennaio 2016, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1.

Dal post originale:

The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.

The release of these versions resolves the following security vulnerabilities:

* AST-2016-001: BEAST vulnerability in HTTP server

The Asterisk HTTP server currently has a default configuration which allows
the BEAST vulnerability to be exploited if the TLS functionality is enabled.
This can allow a man-in-the-middle attack to decrypt data passing through it.

* AST-2016-002: File descriptor exhaustion in chan_sip

Setting the sip.conf timert1 value to a value higher than 1245 can cause an
integer overflow and result in large retransmit timeout times. These large
timeout values hold system file descriptors hostage and can cause the system
to run out of file descriptors.

* AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data.

If no UDPTL packets are lost there is no problem. However, a lost packet
causes Asterisk to use the available error correcting redundancy packets. If
those redundancy packets have zero length then Asterisk uses an uninitialized
buffer pointer and length value which can cause invalid memory accesses later
when the packet is copied.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2016-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-003.pdf