ASTERWEB Blog

28 Sep 2016

Asterweb and Snom Italia – Free Webinar – SIP and NAT: problems and solutions


Asterweb, together with Snom Italia, is organizing this free webinar, which we believe will be of interest to many operators in the sector.

Speakers:
- Gaspare Noto of Asterweb Srl
- Luca Livraga of Snom Italia

INFO:
Starting Tuesday 4 October 2016 we will begin publishing a series of tutorials on Snom products, which you will find in the "Tutorials" section of the asterweb site.

DATE: 8 NOVEMBER 2016

Start: 14:30
Duration: 30/45 minutes
Cost: none

10 Sep 2016

Asterisk 13.11.2 released

On 9 September 2016 the Asterisk Development Team announced the release of Asterisk 13.11.2.

From the original post:

The release of Asterisk 13.11.2 resolves an issue reported by the community and would not have been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-26349 - 13.11.1 res_pjsip/pjsip_distributor.c: Request 'REGISTER' failed (Reported by Dmitry Melekhov)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.11.2

9 Sep 2016

AST-2016-007: RTP Resource Exhaustion

On 8 September 2016 the Asterisk Security Team published the following post.

From the original post:

Asterisk Project Security Advisory - AST-2016-007

Product: Asterisk
Summary: RTP Resource Exhaustion
Nature of Advisory: Denial of Service
Susceptibility: Remote Authenticated Sessions
Severity: Moderate
Exploits Known: No
Reported On: August 5, 2016
Reported By: Etienne Lessard
Posted On:
Last Updated On: September 8, 2016
Advisory Contact: Joshua Colp <jcolp AT digium DOT com>
CVE Name:

Description: The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication, RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.

Resolution: If overlap dialing support is not needed the "allowoverlap" option can be set to no. This will stop any usage of the scenario which causes the resource exhaustion.

If overlap dialing support is needed a change has been made so that existing RTP resources are destroyed in this scenario before allocating new resources.

Affected Versions
Product                Release Series   Affected
Asterisk Open Source   11.x             All Versions
Asterisk Open Source   13.x             All Versions
Certified Asterisk     11.6             All Versions
Certified Asterisk     13.8             All Versions

Corrected In
Product                Release
Asterisk Open Source   11.23.1, 13.11.1
Certified Asterisk     11.6-cert15, 13.8-cert3

Patches
SVN URL Revision

Links https://issues.asterisk.org/jira/browse/ASTERISK-26272

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-007.pdf and
http://downloads.digium.com/pub/security/AST-2016-007.html

Revision History
Date Editor Revisions Made
August 23, 2016 Joshua Colp Initial creation

Asterisk Project Security Advisory - AST-2016-007
Copyright © 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
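As an added illustration of the AST-2016-007 description above, this is a constructed C model, not Asterisk's own code: a fixed pool of RTP ports, a dialog that tracks one RTP instance, and the two allocation paths the advisory contrasts (leaking the old instance on each overlap-dialing round versus destroying it first). The pool size, `struct dialog` and all function names are assumptions made for the example.

```c
#include <stdbool.h>

/* Constructed model, not Asterisk's code: a fixed pool of RTP ports. */
#define RTP_POOL_SIZE 8
static bool port_in_use[RTP_POOL_SIZE];

/* Take a free port from the pool; -1 means the pool is exhausted, i.e. no
 * further RTP session can be set up. */
static int rtp_alloc(void)
{
    for (int i = 0; i < RTP_POOL_SIZE; i++) {
        if (!port_in_use[i]) { port_in_use[i] = true; return i; }
    }
    return -1;
}

static void rtp_free(int port) { if (port >= 0) port_in_use[port] = false; }

/* One authenticated SIP dialog; it tracks at most one RTP instance. */
struct dialog { int rtp; };

/* Vulnerable path: each overlap-dialing round allocates new RTP without
 * releasing the old instance, so the previous port is leaked. */
static int overlap_round_leaky(struct dialog *d)
{
    d->rtp = rtp_alloc();
    return d->rtp;
}

/* Fixed path: destroy the existing RTP resources before allocating new ones. */
static int overlap_round_fixed(struct dialog *d)
{
    rtp_free(d->rtp);
    d->rtp = rtp_alloc();
    return d->rtp;
}

/* Run up to `rounds` overlap-dialing rounds on one dialog, hang it up, and
 * return how many pool ports are still marked in use (0 means no leak). */
static int ports_leaked_after(int (*round)(struct dialog *), int rounds)
{
    for (int i = 0; i < RTP_POOL_SIZE; i++) port_in_use[i] = false;
    struct dialog d = { .rtp = rtp_alloc() };
    for (int i = 0; i < rounds && round(&d) >= 0; i++) { }
    rtp_free(d.rtp);  /* hangup releases only what the dialog still tracks */
    int leaked = 0;
    for (int i = 0; i < RTP_POOL_SIZE; i++) leaked += port_in_use[i];
    return leaked;
}
```

With the leaky path a single authenticated dialog drains the whole pool (every port stays in use after hangup and `rtp_alloc` keeps returning -1), while the fixed path leaves the pool intact.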

9 Sep 2016

AST-2016-006: Crash on ACK from unknown endpoint

On 8 September 2016 the Asterisk Security Team published the following post.

From the original post:

Asterisk Project Security Advisory - AST-2016-006

Product: Asterisk
Summary: Crash on ACK from unknown endpoint
Nature of Advisory: Remote Crash
Susceptibility: Remote unauthenticated sessions
Severity: Critical
Exploits Known: No
Reported On: August 3, 2016
Reported By: Nappsoft
Posted On:
Last Updated On: August 31, 2016
Advisory Contact: mark DOT michelson AT digium DOT com
CVE Name:

Description: Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an "artificial" endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied.

This issue was introduced in the Asterisk 13.10 release and only affects that release.

This issue only affects users using the PJSIP stack with Asterisk. Those users that use chan_sip are unaffected.

Resolution: ACKs now result in an artificial endpoint being looked up just like other SIP request types.

Affected Versions
Product                Release Series   Affected
Asterisk Open Source   11.x             Unaffected
Asterisk Open Source   13.x             13.10.0
Certified Asterisk     11.6             Unaffected
Certified Asterisk     13.8             Unaffected

Corrected In
Product                Release
Asterisk Open Source   13.11.1

Patches
SVN URL Revision

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-006.pdf and
http://downloads.digium.com/pub/security/AST-2016-006.html

Revision History
Date Editor Revisions Made
August 16, 2016 Mark Michelson Initial draft of Advisory

Asterisk Project Security Advisory - AST-2016-006
Copyright (c) 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
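As an added illustration of the AST-2016-006 description above, this is a constructed C model, not Asterisk's code: a request handler that resolves the sending username to an endpoint and then decides whether ACLs apply, with the vulnerable lookup (ACK skips the artificial-endpoint fallback and yields NULL) beside the fixed one. The endpoint table, `apply_acl` field and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not Asterisk's code: a tiny configured-endpoint table. */
struct endpoint { const char *name; bool apply_acl; };

static const struct endpoint configured[] = { { "alice", true }, { "bob", false } };
/* Catch-all "artificial" endpoint used for requests from unknown usernames. */
static const struct endpoint artificial = { "artificial", true };

static const struct endpoint *find_endpoint(const char *user)
{
    for (size_t i = 0; i < sizeof configured / sizeof configured[0]; i++)
        if (strcmp(configured[i].name, user) == 0) return &configured[i];
    return NULL;
}

/* Vulnerable lookup: every method except ACK falls back to the artificial
 * endpoint, so an ACK from an unknown username yields NULL. */
static const struct endpoint *lookup_vulnerable(const char *method, const char *user)
{
    const struct endpoint *ep = find_endpoint(user);
    if (!ep && strcmp(method, "ACK") != 0) ep = &artificial;
    return ep;
}

/* Fixed lookup: ACK takes the same fallback as every other request type. */
static const struct endpoint *lookup_fixed(const char *method, const char *user)
{
    (void)method;
    const struct endpoint *ep = find_endpoint(user);
    return ep ? ep : &artificial;
}

/* The step where the advisory's crash happens: deciding whether ACLs apply.
 * Returns 1 (apply ACLs), 0 (do not apply), or -1 where the real handler
 * would dereference a NULL endpoint pointer and crash. */
static int acls_apply(const struct endpoint *ep)
{
    if (ep == NULL) return -1;
    return ep->apply_acl ? 1 : 0;
}

/* Process one request through the given lookup policy. */
static int handle_request(const struct endpoint *(*lookup)(const char *, const char *),
                          const char *method, const char *user)
{
    return acls_apply(lookup(method, user));
}
```

The model returns -1 only for the vulnerable lookup with an ACK from an unknown username; every other combination, and every request under the fixed lookup, reaches a valid endpoint and an ACL decision.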

2 Sep 2016

Asterisk 13.11.0 released

On 1 September 2016 the Asterisk Development Team announced the release of Asterisk 13.11.0.

From the original post:

The release of Asterisk 13.11.0 resolves several issues reported by the community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-25904 - PJSIP: add contact.updated event (Reported by Alexei Gradinari)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-26269 - res_pjsip: Wrong state for aors without registered contacts after startup (Reported by nappsoft)
* ASTERISK-26299 - app_queue: Queue application sometimes stops calling members with Local interface (Reported by Etienne Lessard)
* ASTERISK-26148 - pjsip: Cannot compile 13.10.0-rc1: "libasteriskpj.so: undefined reference to..." (Reported by Hans van Eijsden)
* ASTERISK-26237 - Fax is detected on regular calls. (Reported by Richard Mudgett)
* ASTERISK-26227 - sqlalchemy error due to long identifier name (Reported by Mark Michelson)
* ASTERISK-19968 - TCP Session-Timers not dropping call (Reported by Aaron Hamstra)
* ASTERISK-26214 - Allow arbitrary time for fax detection to end on a channel (Reported by Richard Mudgett)
* ASTERISK-23013 - [patch] Deadlock between 'sip show channels' command and attended transfer handling (Reported by Ben Smithurst)
* ASTERISK-26216 - res_fax: Deadlock when detect fax while channel executing Playback (Reported by Richard Mudgett)
* ASTERISK-26212 - [patch] Makefile: Retain XML Declaration and DTD in docs. (Reported by Alexander Traud)
* ASTERISK-26211 - Unit tests: AST_TEST_DEFINE should be used in conditional code. (Reported by Corey Farrell)
* ASTERISK-26207 - [patch] sRTP: Count a roll-over of the sequence number even on lost packets. (Reported by Alexander Traud)
* ASTERISK-26038 - 'make install' doesn't seem to install OS/X init files (Reported by Tzafrir Cohen)
* ASTERISK-26200 - [patch] res_pjsip_mwi: improve realtime performance - remove unneeded check on endpoint's contacts. (Reported by Alexei Gradinari)
* ASTERISK-26133 - app_queue: Queue members receive multiple calls (Reported by Richard Miller)
* ASTERISK-26196 - pbx: Time based includes can leak timezone string (Reported by Corey Farrell)
* ASTERISK-26193 - chan_sip: reference leak in mwi_event_cb (Reported by Corey Farrell)
* ASTERISK-25659 - res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance (Reported by Edwin Vandamme)
* ASTERISK-26191 - threadpool: Leak on duplicate taskprocessor for ast_threadpool_serializer_group (Reported by Corey Farrell)
* ASTERISK-26046 - [patch] Avoid obsolete warnings on autoconf. (Reported by Alexander Traud)
* ASTERISK-26160 - pjsip: Updated->Reachable during qualify (Reported by Matt Jordan)
* ASTERISK-25289 - Build System does not respect CFLAGS and CXXFLAGS when building menuselect (Reported by Jeffrey Walton)
* ASTERISK-26119 - [patch] fix: memory leaks, resource leaks, out of bounds and bugs (Reported by Alexei Gradinari)
* ASTERISK-26177 - func_odbc: Database handle is kept when it should be released (Reported by Leandro Dardini)
* ASTERISK-26184 - chan_sip: Reference leaks in error paths. (Reported by Corey Farrell)
* ASTERISK-26181 - REF_DEBUG: Node object incorrectly logged during duplicate replacement (Reported by Corey Farrell)
* ASTERISK-26180 - PJSIP: provide valid tcp nodelay option for reuse (Reported by Scott Griepentrog)
* ASTERISK-26179 - chan_sip: Second T.38 request fails (Reported by Joshua Colp)
* ASTERISK-26172 - res_sorcery_realtime: fix bug when successful sql UPDATE is treated as failed if there is no affected rows. (Reported by Alexei Gradinari)
* ASTERISK-25772 - res_pjsip: Unexpected two BYE when answered (Reported by Dmitriy Serov)
* ASTERISK-26099 - res_pjsip_pubsub: Crash when sending request due to server timeout (Reported by Ross Beer)
* ASTERISK-26144 - Crash on loading codecs g729/g723 (Reported by Alexei Gradinari)
* ASTERISK-26157 - Build: Fix errors highlighted by GCC 6.x (Reported by George Joseph)
* ASTERISK-26021 - Build codecs siren7 and siren14 for Asterisk 13 (Reported by Daniel Denson)
* ASTERISK-26326 - Crash when dialing MulticastRTP channel (Reported by George Joseph)

Improvements made in this release:
-----------------------------------
* ASTERISK-26220 - Add support for noreturn function attributes. (Reported by Corey Farrell)
* ASTERISK-22131 - Update the make dependencies script to pull, build, and install the correct pjproject (Reported by Matt Jordan)
* ASTERISK-25471 - [patch]Add subscribe_context to res_pjsip (Reported by JoshE)
* ASTERISK-26159 - res_hep: enabled by default and information sent to default address (Reported by Ross Beer)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.11.0