ASTERWEB Blog

13Apr/17Off

ISSABEL, il fork di Elastix per mantenere le versioni 2.5 e 4

ISSABEL è stato creato da diverse società con l'intento di mantenere, aggiornare e supportare tutti gli utenti di Elastix 2.5. e 4.

Questo il link del progetto: ISSABEL

ISSABEL, il fork di Elastix per mantenere le versioni 2.5 e 4

13Apr/17Off

OpenELX, il fork di Elastix per mantenere la versione 2.5

OpenELX - fork di Elastix per v. 2.5

OpenELX - fork di Elastix per v. 2.5

OpenELX è stato creato da diverse società con l'intento di mantenere, aggiornare e supportare tutti gli utenti di Elastix 2.5.

Questo il link del progetto: OpenELX

10Apr/17Off

Rilasciato Asterisk 14.4.0

Il giorno 7 aprile 2017, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 14.4.0.

Dal post originale:

The release of Asterisk 14.4.0 resolves several issues reported by the
community and would have not been possible without your participation.

*Thank you!*

The following issues are resolved in this release:

*New Features made in this release:*
-----------------------------------
- [ASTERISK-26878 ] - func_channel: Add ability to get the callid so dialplan has access to it.
(Reported by Richard Mudgett)
- [ASTERISK-26863 ] - res_pjsip: Add endpoint identification scheme based on a configured SIP
header/value
(Reported by Matt Jordan)
- [ASTERISK-17428 ] - [patch] Allow "Comedian Mail" branding to be removed
(Reported by John Covert)

*Bugs fixed in this release:*
-----------------------------------
- [ASTERISK-26851 ] - res_pjsip_sdp_rtp: RTP instance does not use same IP as explicit transport
(Reported by Richard Begg)
- [ASTERISK-26897 ] - chan_sip: Security vulnerability with client code header
(Reported by Alex Villacís Lasso)
- [ASTERISK-26916 ] - res_pjsip: Excessive refcount reached on transport ao2 object
(Reported by Ross Beer)
- [ASTERISK-26705 ] - libasteriskssl.so not found when asterisk is installed for the 1st time
(Reported by George Joseph)
- [ASTERISK-26850 ] - res_hep_pjsip: Asterisk insert wrong protocol name in "Protocol ID" field
in HEP packets
(Reported by Max Norba)
- [ASTERISK-26484 ] - res_pjsip_messaging: Crash when using invalid URI in MessageSend 'from'
argument.
(Reported by Vinod Dharashive)
- [ASTERISK-26776 ] - res_pjsip_pubsub: Crash when generating xpidf content
(Reported by Andrew Green)
- [ASTERISK-26880 ] - Asterisk crashes when multiple speex users join confbridge with pp_vad
and dtx enabled
(Reported by Kirsty Tyerman)
- [ASTERISK-26862 ] - app_queue: Queue stops calling members with local interface after
forwarding in previous call
(Reported by Robert Mordec)
- [ASTERISK-26732 ] - res_rtp_asterisk: Implement RTCP Multiplexing - breaking WebRTC in Chrome
(Reported by Dan Jenkins)
- [ASTERISK-26879 ] - PJSIP external_media_address ignored if no local_net options are provided
(Reported by Matt Jordan)
- [ASTERISK-26867 ] - autochan: Locking in a function ast_autochan_destroy() on destroyed
channel (after masquerade).
(Reported by Krzysztof Trempala)
- [ASTERISK-26869 ] - res_pjsip_refer: blind call transfer w/o a user name doesn't go to the s
extension
(Reported by Torrey Searle)
- [ASTERISK-26668 ] - core: Malformed pattern matching extension (various factors) results in
crash
(Reported by xrobau)
- [ASTERISK-26865 ] - chan_iax2: Reload of iax peer results in loss of host address/port
(Reported by Richard Begg)
- [ASTERISK-26872 ] - Bundled pjproject fails to build when tarball downloaded with curl due to
md5 verification failure in Docker containers (or when there is no terminal)
(Reported by Matt Jordan)
- [ASTERISK-26717 ] - Document the fact that Asterisk HEP support only works with the PJSIP
channel driver
(Reported by Olivier Krief)
- [ASTERISK-26643 ] - Extra new line in Device field of DeviceStateChange AMI Event after
restart of Asterisk
(Reported by Roman Bedros)
- [ASTERISK-25237 ] - stasis_cache.c:845 caching_topic_exec: - misleading ERROR message
(Reported by Smirnov Aleksey)
- [ASTERISK-26857 ] - chan_pjsip: Dialplan function race condition
(Reported by Joshua Colp)
- [ASTERISK-26841 ] - chan_sip: Call not cancelled after receiving a 422 response
(Reported by Jean Aunis - Prescom)
- [ASTERISK-26822 ] - pjsip/cli_commands: pjsip show channelstats shows wrong codec
(Reported by Kevin Harwell)
- [ASTERISK-26353 ] - res_musiconhold: musiconhold seems to think that the general section is a
class and issues warning
(Reported by Jonathan Harris)
- [ASTERISK-26685 ] - res_pjsip: Crash when using IPv6 and Transport ws,wss
(Reported by Michael Balen)
- [ASTERISK-24562 ] - app_voicemail: Cannot set fromstring on a per-mailbox basis
(Reported by Mark Scholten)
- [ASTERISK-26598 ] - Saynumber is trying to get "and" from "digits/" subfolder
(Reported by Jonathan Harris)
- [ASTERISK-17067 ] - Long lines in call files cause spurious syntax error
(Reported by Dave Olszewski)
- [ASTERISK-26796 ] - res_pjsip_transport_websocket: Via header is 'WS' when it should be 'WSS'
(Reported by Jørgen H)
- [ASTERISK-25628 ] - res_config_pgsql: should match the behavior of other drivers so that
queue_log can disable adaptive logging
(Reported by Dmitry Wagin)
- [ASTERISK-26774 ] - core: Playback URL fails after some time
(Reported by Igor Gamayunov)
- [ASTERISK-26825 ] - pjsip.conf.sample: user_agent: still refers to branch 12
(Reported by Tzafrir Cohen)
- [ASTERISK-26823 ] - PJSIP: Persistent subscriptions can cause FRACKs if endpoint does not
exist
(Reported by Mark Michelson)
- [ASTERISK-26623 ] - res_pjsip: Crash when calling PJSIPShowEndpoint
(Reported by Jørgen H)
- [ASTERISK-26808 ] - res_pjsip_outbound_registration doesn't know about network change events
(Reported by George Joseph)
- [ASTERISK-26781 ] - bridge: Passing the 'p' (play tone) flag to Bridge() application results
in garbled audio
(Reported by Sean Bright)
- [ASTERISK-26782 ] - res_pjsip: URI requirement for fields is not consistently documented and
error does not provide indication
(Reported by Peter Sokolov)
- [ASTERISK-26812 ] - [patch] Fix download_externals To Allow The Use Of curl Or wget
(Reported by Michael L. Young)
- [ASTERISK-18271 ] - Pattern matching with res_config_mysql extensions does not behave as
expected
(Reported by Charlie Smurthwaite)
- [ASTERISK-26669 ] - PJSIP Segfault 13.13.1 (Bundled PJSIP)
(Reported by Nic Colledge)
- [ASTERISK-18731 ] - [patch] DUNDi weight parameter not processed correctly
(Reported by Peter Racz)
- [ASTERISK-26799 ] - res_pjsip: Using an auth object for inbound and outbound authentication
fails.
(Reported by Richard Mudgett)
- [ASTERISK-26738 ] - Frequent segfaults since activation of DNS SRV, in
pjsip_auth_clt_reinit_req at /pjsip/sip_auth_client.c, and
pj_atomic_inc_and_get at pj/os_core_unix.c
(Reported by Michael Maier)
- [ASTERISK-25893 ] - Function vmauthenticate accesses uninitialized memory
(Reported by Filip Jenicek)
- [ASTERISK-26580 ] - [patch] Error during LDAP modify action when user unregisters
(Reported by Nicholas John Koch)
- [ASTERISK-26802 ] - [patch] Integrity Check Of PJSIP Download Fails
(Reported by Michael L. Young)
- [ASTERISK-15858 ] - [patch] Fix query with double backslash in string literals and stop log
warnings
(Reported by Humberto Figuera)
- [ASTERISK-26057 ] - res_config_sqlite3 uses incorrect query - unnecessary escape
(Reported by Stepan)
- [ASTERISK-23457 ] - SQlite3: Realtime queue loading fails after PRAGMA query result
(Reported by Scott Griepentrog)
- [ASTERISK-26794 ] - http: Crash on Reload Only in ast_tcptls_server_start
(Reported by Joshua Elson)
- [ASTERISK-26714 ] - Phone default have not ringing on ARM
(Reported by Igor Goncharovsky)
- [ASTERISK-26696 ] - pjsip_pubsub: PJSIP Subscription Persistence in AstDB Does not update on
subscription refresh
(Reported by Zach R)
- [ASTERISK-26756 ] - res_pjsip_mwi: Asterisk does not terminate MWI subscription
(Reported by Carl Fortin)
- [ASTERISK-26109 ] - Asterisk fails building with OpenSSL 1.1.0
(Reported by Tzafrir Cohen)
- [ASTERISK-26723 ] - VoiceMailPlayMsg not playing messages via realtime
(Reported by Ryan Rittgarn)
- [ASTERISK-18286 ] - [patch] 'Silence' is truncated in Record()
(Reported by var)
- [ASTERISK-26248 ] - chan_pjsip: Error when calling PJSIP client with domain specified
(Reported by Norbert Varga)
- [ASTERISK-26788 ] - core: Protect flags during ast_waitfor
(Reported by Joshua Colp)
- [ASTERISK-26115 ] - pbx: AMI Originate ignore "failed" extension on call failure
(Reported by Nasir Iqbal)
- [ASTERISK-26785 ] - configs/samples: The 'identify' entry is in the wrong section in
sorcery.conf.sample
(Reported by Torrey Searle)
- [ASTERISK-26772 ] - Crash in srv.c on startup with pjsip
(Reported by nappsoft)
- [ASTERISK-26770 ] - res_stasis_device_state: Duplicate subscriptions when multiple received
at same time
(Reported by Joshua Colp)

*Improvements made in this release:*
-----------------------------------
- [ASTERISK-26864 ] - res_pjsip_session: Add support for overlap dialling
(Reported by Richard Begg)
- [ASTERISK-26846 ] - chan_sip: Add rtcp-mux support
(Reported by Sean Bright)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-14.4.0

10Apr/17Off

Rilasciato Asterisk 13.15.0

Il giorno 7 aprile 2017, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.15.0.

Dal post originale:

The release of Asterisk 13.15.0 resolves several issues reported by the community and would have not been possible without your participation.

*Thank you!*

The following issues are resolved in this release:

*New Features made in this release:*
-----------------------------------
- [ASTERISK-26878 ] - func_channel: Add ability to get the callid so dialplan has access to it.
(Reported by Richard Mudgett)
- [ASTERISK-26863 ] - res_pjsip: Add endpoint identification scheme based on a configured SIP
header/value
(Reported by Matt Jordan)
- [ASTERISK-17428 ] - [patch] Allow "Comedian Mail" branding to be removed
(Reported by John Covert)

*Bugs fixed in this release:*
-----------------------------------
- [ASTERISK-26851 ] - res_pjsip_sdp_rtp: RTP instance does not use same IP as explicit transport
(Reported by Richard Begg)
- [ASTERISK-26897 ] - chan_sip: Security vulnerability with client code header
(Reported by Alex Villacís Lasso)
- [ASTERISK-26916 ] - res_pjsip: Excessive refcount reached on transport ao2 object
(Reported by Ross Beer)
- [ASTERISK-26705 ] - libasteriskssl.so not found when asterisk is installed for the 1st time
(Reported by George Joseph)
- [ASTERISK-26850 ] - res_hep_pjsip: Asterisk insert wrong protocol name in "Protocol ID" field
in HEP packets
(Reported by Max Norba)
- [ASTERISK-26484 ] - res_pjsip_messaging: Crash when using invalid URI in MessageSend 'from'
argument.
(Reported by Vinod Dharashive)
- [ASTERISK-26776 ] - res_pjsip_pubsub: Crash when generating xpidf content
(Reported by Andrew Green)
- [ASTERISK-26880 ] - Asterisk crashes when multiple speex users join confbridge with pp_vad
and dtx enabled
(Reported by Kirsty Tyerman)
- [ASTERISK-26862 ] - app_queue: Queue stops calling members with local interface after
forwarding in previous call
(Reported by Robert Mordec)
- [ASTERISK-26732 ] - res_rtp_asterisk: Implement RTCP Multiplexing - breaking WebRTC in Chrome
(Reported by Dan Jenkins)
- [ASTERISK-26879 ] - PJSIP external_media_address ignored if no local_net options are provided
(Reported by Matt Jordan)
- [ASTERISK-26867 ] - autochan: Locking in a function ast_autochan_destroy() on destroyed
channel (after masquerade).
(Reported by Krzysztof Trempala)
- [ASTERISK-26869 ] - res_pjsip_refer: blind call transfer w/o a user name doesn't go to the s
extension
(Reported by Torrey Searle)
- [ASTERISK-26668 ] - core: Malformed pattern matching extension (various factors) results in
crash
(Reported by xrobau)
- [ASTERISK-26865 ] - chan_iax2: Reload of iax peer results in loss of host address/port
(Reported by Richard Begg)
- [ASTERISK-26872 ] - Bundled pjproject fails to build when tarball downloaded with curl due to
md5 verification failure in Docker containers (or when there is no terminal)
(Reported by Matt Jordan)
- [ASTERISK-26717 ] - Document the fact that Asterisk HEP support only works with the PJSIP
channel driver
(Reported by Olivier Krief)
- [ASTERISK-26643 ] - Extra new line in Device field of DeviceStateChange AMI Event after
restart of Asterisk
(Reported by Roman Bedros)
- [ASTERISK-25237 ] - stasis_cache.c:845 caching_topic_exec: - misleading ERROR message
(Reported by Smirnov Aleksey)
- [ASTERISK-26857 ] - chan_pjsip: Dialplan function race condition
(Reported by Joshua Colp)
- [ASTERISK-26841 ] - chan_sip: Call not cancelled after receiving a 422 response
(Reported by Jean Aunis - Prescom)
- [ASTERISK-26822 ] - pjsip/cli_commands: pjsip show channelstats shows wrong codec
(Reported by Kevin Harwell)
- [ASTERISK-26685 ] - res_pjsip: Crash when using IPv6 and Transport ws,wss
(Reported by Michael Balen)
- [ASTERISK-24562 ] - app_voicemail: Cannot set fromstring on a per-mailbox basis
(Reported by Mark Scholten)
- [ASTERISK-26598 ] - Saynumber is trying to get "and" from "digits/" subfolder
(Reported by Jonathan Harris)
- [ASTERISK-17067 ] - Long lines in call files cause spurious syntax error
(Reported by Dave Olszewski)
- [ASTERISK-26796 ] - res_pjsip_transport_websocket: Via header is 'WS' when it should be 'WSS'
(Reported by Jørgen H)
- [ASTERISK-25628 ] - res_config_pgsql: should match the behavior of other drivers so that
queue_log can disable adaptive logging
(Reported by Dmitry Wagin)
- [ASTERISK-26825 ] - pjsip.conf.sample: user_agent: still refers to branch 12
(Reported by Tzafrir Cohen)
- [ASTERISK-26823 ] - PJSIP: Persistent subscriptions can cause FRACKs if endpoint does not
exist
(Reported by Mark Michelson)
- [ASTERISK-26623 ] - res_pjsip: Crash when calling PJSIPShowEndpoint
(Reported by Jørgen H)
- [ASTERISK-26808 ] - res_pjsip_outbound_registration doesn't know about network change events
(Reported by George Joseph)
- [ASTERISK-26313 ] - chan_sip : Asterisk restart seems to be required for changing encryption
option
(Reported by benasse)
- [ASTERISK-26781 ] - bridge: Passing the 'p' (play tone) flag to Bridge() application results
in garbled audio
(Reported by Sean Bright)
- [ASTERISK-26782 ] - res_pjsip: URI requirement for fields is not consistently documented and
error does not provide indication
(Reported by Peter Sokolov)
- [ASTERISK-26812 ] - [patch] Fix download_externals To Allow The Use Of curl Or wget
(Reported by Michael L. Young)
- [ASTERISK-18271 ] - Pattern matching with res_config_mysql extensions does not behave as
expected
(Reported by Charlie Smurthwaite)
- [ASTERISK-26669 ] - PJSIP Segfault 13.13.1 (Bundled PJSIP)
(Reported by Nic Colledge)
- [ASTERISK-18731 ] - [patch] DUNDi weight parameter not processed correctly
(Reported by Peter Racz)
- [ASTERISK-26580 ] - [patch] Error during LDAP modify action when user unregisters
(Reported by Nicholas John Koch)
- [ASTERISK-26799 ] - res_pjsip: Using an auth object for inbound and outbound authentication
fails.
(Reported by Richard Mudgett)
- [ASTERISK-26738 ] - Frequent segfaults since activation of DNS SRV, in
pjsip_auth_clt_reinit_req at /pjsip/sip_auth_client.c, and
pj_atomic_inc_and_get at pj/os_core_unix.c
(Reported by Michael Maier)
- [ASTERISK-25893 ] - Function vmauthenticate accesses uninitialized memory
(Reported by Filip Jenicek)
- [ASTERISK-26802 ] - [patch] Integrity Check Of PJSIP Download Fails
(Reported by Michael L. Young)
- [ASTERISK-15858 ] - [patch] Fix query with double backslash in string literals and stop log
warnings
(Reported by Humberto Figuera)
- [ASTERISK-26057 ] - res_config_sqlite3 uses incorrect query - unnecessary escape
(Reported by Stepan)
- [ASTERISK-23457 ] - SQlite3: Realtime queue loading fails after PRAGMA query result
(Reported by Scott Griepentrog)
- [ASTERISK-26794 ] - http: Crash on Reload Only in ast_tcptls_server_start
(Reported by Joshua Elson)
- [ASTERISK-26714 ] - Phone default have not ringing on ARM
(Reported by Igor Goncharovsky)
- [ASTERISK-26696 ] - pjsip_pubsub: PJSIP Subscription Persistence in AstDB Does not update on
subscription refresh
(Reported by Zach R)
- [ASTERISK-26756 ] - res_pjsip_mwi: Asterisk does not terminate MWI subscription
(Reported by Carl Fortin)
- [ASTERISK-26109 ] - Asterisk fails building with OpenSSL 1.1.0
(Reported by Tzafrir Cohen)
- [ASTERISK-26723 ] - VoiceMailPlayMsg not playing messages via realtime
(Reported by Ryan Rittgarn)
- [ASTERISK-18286 ] - [patch] 'Silence' is truncated in Record()
(Reported by var)
- [ASTERISK-26248 ] - chan_pjsip: Error when calling PJSIP client with domain specified
(Reported by Norbert Varga)
- [ASTERISK-26788 ] - core: Protect flags during ast_waitfor
(Reported by Joshua Colp)
- [ASTERISK-26115 ] - pbx: AMI Originate ignore "failed" extension on call failure
(Reported by Nasir Iqbal)
- [ASTERISK-26785 ] - configs/samples: The 'identify' entry is in the wrong section in
sorcery.conf.sample
(Reported by Torrey Searle)
- [ASTERISK-26772 ] - Crash in srv.c on startup with pjsip
(Reported by nappsoft)
- [ASTERISK-26770 ] - res_stasis_device_state: Duplicate subscriptions when multiple received
at same time
(Reported by Joshua Colp)

*Improvements made in this release:*
-----------------------------------
- [ASTERISK-26864 ] - res_pjsip_session: Add support for overlap dialling
(Reported by Richard Begg)
- [ASTERISK-26846 ] - chan_sip: Add rtcp-mux support
(Reported by Sean Bright)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.15.0

7Apr/17Off

AST-2017-001: Buffer overflow in CDR’s set user

               Asterisk Project Security Advisory - AST-2017-001

         Product        Asterisk                                              
         Summary        Buffer overflow in CDR's set user                     
    Nature of Advisory  Buffer Overflow                                       
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      March 27, 2017                                        
       Reported By      Alex Villacis Lasso                                   
        Posted On       
     Last Updated On    April 4, 2017                                         
     Advisory Contact   kharwell AT digium DOT com                            
         CVE Name       

    Description  No size checking is done when setting the user field on a    
                 CDR. Thus, it is possible for someone to use an arbitrarily  
                 large string and write past the end of the user field        
                 storage buffer. This allows the possibility of remote code   
                 injection.                                                   
                                                                              
                 This currently affects any system using CDR's that also      
                 make use of the following:                                   
                                                                              
                 * The 'X-ClientCode' header within a SIP INFO message when   
                 using chan_sip and                                           
                                                                              
                 the 'useclientcode' option is enabled (note, it's disabled   
                 by default).                                                 
                                                                              
                 * The CDR dialplan function executed from AMI when setting   
                 the user field.                                              
                                                                              
                 * The AMI Monitor action when using a long file name/path.   

    Resolution  The CDR engine now only copies up to the maximum allowed      
                characters into the user field. Any characters outside the    
                maximum are truncated.                                        

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  13.x    All Releases  
                  Asterisk Open Source                  14.x    All Releases  
                   Certified Asterisk                   13.13   All Releases  

                                  Corrected In                
                            Product                              Release      
                      Asterisk Open Source                    13.14.1,14.3.1  
                       Certified Asterisk                      13.13-cert3    

                                     Patches                          
                                SVN URL                               Revision  
   http://downloads.asterisk.org/pub/security/AST-2017-001-13.diff    Asterisk  
                                                                      13        
   http://downloads.asterisk.org/pub/security/AST-2017-001-14.diff    Asterisk  
                                                                      14        
   http://downloads.asterisk.org/pub/security/AST-2017-001-13.13.diff Certified 
                                                                      Asterisk  
                                                                      13.13     

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-26897             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2017-001.pdf and             
    http://downloads.digium.com/pub/security/AST-2017-001.html                

                                Revision History
         Date           Editor                   Revisions Made               
    March, 27, 2017  Kevin Harwell  Initial Revision                          

               Asterisk Project Security Advisory - AST-2017-001
               Copyright © 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.