ASTERWEB Blog

31Ago/120

SICUREZZA: AST-2012-012: Asterisk Manager User Unauthorized Shell Access

Questo il link per scaricare il PDF

19Mar/120

Rilasciate le Security Release di Asterisk 1.4.44, 16.2.23, 1.8.10.1, 10.2.1

Il giorno 15 marzo, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk: 1.4.44, 16.2.23, 1.8.10.1, 10.2.1 Now Available (Security Release)

Dal post originale:
The release of Asterisk 1.4.44 and 1.6.2.23 resolve an issue wherein app_milliwatt
can potentially overrun a buffer on the stack, causing Asterisk to crash. This
does not have the potential for remote code execution.

The release of Asterisk 1.8.10.1 and 10.2.1 resolve two issues. First, they
resolve the issue in app_milliwatt, wherein a buffer can potentially be overrun
on the stack, but no remote code execution is possible. Second, they resolve
an issue in HTTP AMI where digest authentication information can be used to
overrun a buffer on the stack, allowing for code injection and execution.

These issues and their resolution are described in the security advisory.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2012-002 and AST-2012-003, which were released at the same
time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

The security advisories are available at:

http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
http://downloads.asterisk.org/pub/security/AST-2012-003.pdf

29Gen/120

Rilasciati Asterisk 1.8.8.2, 10.0.1 (Security Release)

Il giorno 19 gennaio, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk 1.8.8.2 e 10.0.1

Dal post originale:
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk versions 1.8.8.2 and 10.0.1 resolves an issue
wherein an attacker attempting to negotiate a secure video stream can crash
Asterisk if video support has not been enabled and the res_srtp Asterisk
module is loaded.

The issue and its resolution is described in the security advisory.

For more information about the details of these vulnerabilities, please read the
security advisory AST-2012-001, which were released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2012-001 is available at:

http://downloads.asterisk.org/pub/security/AST-2012-001.pdf

15Dic/110

Rilasciati Asterisk (Security Release) 1.4.43, 1.6.2.21 e 1.8.7.2

Il giorno 12 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk  (Security Release) 1.4.43, 1.6.2.21 e 1.8.7.2

Dal post originale:
hese releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk versions 1.4.43, 1.6.2.21, and 1.8.7.2 resolves an issue
with possible remote enumeration of SIP endpoints with differing NAT settings.

The release of Asterisk versions 1.6.2.21 and 1.8.7.2 resolves a remote crash
possibility with SIP when the "automon" feature is enabled.

The issues and resolutions are described in the AST-2011-013 and AST-2011-014
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-013 and AST-2011-014, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-013 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-013.pdf
Security advisory AST-2011-014 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-014.pdf

2Nov/110

Rilasciato Asterisk 1.8.7.1 (Security Release)

Il giorno 17 ottobre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.8.7.1 (Security Release)

Dal post originale:
The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
lead to a remotely exploitable crash:

Remote Crash Vulnerability in SIP channel driver (AST-2011-012)

The issue and resolution is described in the AST-2011-012 security
advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-012, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1

Security advisory AST-2011-012 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-012.pdf

30Giu/110

Rilasciati Asterisk 1.4.41.2, 1.6.2.18.2 e 1.8.4.4 (Security Release)

logoasterisk

Il giorno 28 giugno, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk 1.4.41.2, 1.6.2.18.2 e 1.8.4.4 (Security Release)

Dal post originale:
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.4.41.2, 1.6.2.18.2, and 1.8.4.4 resolves the
following issue:

AST-2011-011: Asterisk may respond differently to SIP requests from an
invalid SIP user than it does to a user configured on the system, even when the
alwaysauthreject option is set in the configuration. This can leak information
about what SIP users are valid on the Asterisk system.

For more information about the details of this vulnerability, please read
the security advisory AST-2011-011, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-011 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-011.pdf

4Giu/110

Rilasciato Asterisk 1.8.4.2 (security release)

logoasterisk

Il giorno 2 giugno, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.8.4.2

Dal post originale:
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.4.2 resolves an issue with SIP URI parsing which
can lead to a remotely exploitable crash:

Remote Crash Vulnerability in SIP channel driver (AST-2011-007)

The issue and resolution is described in the AST-2011-007 security
advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-007, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-007 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-007.pdf

6Mag/110

Rilasciato Asterisk 1.8.4-rc3

logoasterisk

Il giorno 26 aprile, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.8.4-rc3

Dal post originale:
The release of Asterisk 1.8.4-rc3 resolves a couple of issues since the last
release candidate, including two security related issues (AST-2011-005 and
AST-2011-006).

Use SSLv23_client_method instead of old SSLv2 only.
(Closes issue #19095, #19138. Reported, patched by tzafrir. Tested by russell
and chazzam.
Resolve crash in ast_mutex_init()
(Patched by twilson)
Includes changes per AST-2011-005 and AST-2011-006

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4-rc3

Information about the security releases are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

6Mag/110

Rilasciato Asterisk 1.6.2.18

logoasterisk

Il giorno 26 aprile, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.6.2.18

Dal post originale:
The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

Only offer codecs both sides support for directmedia.
(Closes issue #17403. Reported, patched by one47)
Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
Resolve deadlocks related to device states in chan_sip
(Closes issue #18310. Reported, patched by one47. Patched by jpeeler)
Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
Patched by russellb)
Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
jpeeler)
Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
(Review: https://reviewboard.asterisk.org/r/1077/)

In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18

6Mag/110

Rilasciato Asterisk 1.4.41

logoasterisk

Il giorno 26 aprile, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.4.41

Dal post originale:
The release of Asterisk 1.4.41 resolves several issues reported by the community
and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

Only offer codecs both sides support for directmedia.
(Closes issue #17403. Reported, patched by one47)
Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
Patched by russellb)
Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
jpeeler)
Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
(Review: https://reviewboard.asterisk.org/r/1077/)

In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

After the initial release of AST-2011-006, a regression was found and then
resolved. This release contains the correct change.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.41

22Apr/110

Nuove Security Release di Asterisk: 1.4.40.1, 1.6.1.25, 1.6.2.17.3 e 1.8.3.3

logoasterisk

Il giorno 21 aprile, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3 e 1.8.3.3 (Security Releases)

Dal post originale:
The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:

* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)

The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-005 and AST-2011-006 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

18Mar/110

Asterisk: Rilasciate le Security Releases 1.6.1.24, 1.6.2.17.2 e 1.8.3.2

logoasterisk

Il giorno 17 marzo, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk  1.6.1.24, 1.6.2.17.2 e 1.8.3.2 (Security Releases)

Dal post originale:

This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
contained a bug which caused duplicate manager entries (issue #18987).

The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:

  • Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  • Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

17Mar/110

Asterisk: Rilasciate le Security Releases 1.6.1.23, 1.6.2.17.1 e 1.8.3.1

logoasterisk

Il giorno 17 marzo, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle versioni Asterisk  1.6.1.23, 1.6.2.17.1 e 1.8.3.1 (Security Releases)

Dal post originale:

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  • Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  • Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

17Mar/110

Asterisk sicurezza – AST-2011-004: Remote crash vulnerability in TCP/TLS server

logoasterisk

Questo il link per scaricare il documento in PDF:

http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

17Mar/110

Asterisk sicurezza – AST-2011-003: Resource exhaustion in Asterisk Manager Interface

logoasterisk

Questo il link per scaricare il documento in PDF:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf