ASTERWEB Blog

26Set/14Off

Rilasciato Asterisk 12.6.0

Il giorno 24 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.6.0.

Dal post originale:
The release of Asterisk 12.6.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24027 - MixMonitor AMI action called during AGI
execution from bridge feature causes channel to leave AGI has
hung up (Reported by Matt Jordan)
* ASTERISK-24236 - res_hep_rtcp: Module incorrectly depends on
pjsip (Reported by Matt Jordan)
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24234 - app_meetme: Crash on conference shutdown due to
NULL channel passed to meetme_stasis_generate_msg() (Reported by
Shaun Ruffell)
* ASTERISK-24043 - ARI /continue fails to actually continue into
the dialplan (Reported by Krandon Bruse)
* ASTERISK-24245 - gcc 4.1.2 complains of files that do not end
with newlines (Reported by Shaun Ruffell)
* ASTERISK-24229 - ARI: playback of sounds implicitly answers
channel, preventing early media playback (Reported by Matt
Jordan)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23994 - res_pjsip_sdp_rtp: owner address in SDP may not
be fully qualified domainname (Reported by Private Name)
* ASTERISK-24147 - ARI: channel hangup crashes asterisk process
(Reported by Edvin Vidmar)
* ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24143 - pjsip: Outbound call to WebRTC UA fails to
transmit ACK on received 200 OK (Reported by Aleksei Kulakov)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24264 - ARI: Adding a channel to a holding bridge
automatically starts MOH (Reported by Samuel Galarneau)
* ASTERISK-24212 - testsuite: Sporadic crash due to assert on
stopping RTP engine (Reported by Matt Jordan)
* ASTERISK-24241 - crash: CDRs recursively attempt to update Party
B information in a multi-party bridge, overrunning the stack
(Reported by Deepak Singh Rawat)
* ASTERISK-24254 - CDRs: Application/args/dialplan CEP updated
during dial operation (Reported by Matt Jordan)
* ASTERISK-24231 - crash: CLI execution of realtime destroy
sippeers id 1 causes crash due to NULL name provided to
ast_variable (Reported by Niklas Larsson)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 - res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24161 - PJSIPShowEndpoint gives inaccurate count of
list items (Reported by Mark Michelson)
* ASTERISK-24331 - Unexpected Errors in Asterisk Manager Interface
Output (Reported by xrobau)
* ASTERISK-24136 - Security: Crash in Asterisk's PJSIP code when
subscribing to an event with an unexpected body type (Reported
by Mark Michelson)
* ASTERISK-24301 - Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
* ASTERISK-24290 - Endpoint identifier match value fails to parse
when CIDR network format is specified (Reported by Ray Crumrine)
* ASTERISK-24237 - CDR: FRACK With PJSIP blonde transfer.
(Reported by Richard Mudgett)

Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.6.0

26Set/14Off

Rilasciato Asterisk 11.13.0

Il giorno 24 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.13.0.

Dal post originale:
The release of Asterisk 11.13.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 - res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24301 - Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)

Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0

26Set/14Off

Rilasciato Asterisk 1.8.31.0

Il giorno 24 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.31.0.

Dal post originale:
The release of Asterisk 1.8.31.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)

Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0

20Set/14Off

Remote crash when handling out of call message in certain dialplan configurations

Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.

Dal post originale:

Asterisk Project Security Advisory - AST-2014-010

Product Asterisk
Summary Remote crash when handling out of call message in
certain dialplan configurations
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions
Severity Minor
Exploits Known No
Reported On 05 September 2014
Reported By Philippe Lindheimer
Posted On 18 September 2014
Last Updated On September 18, 2014
Advisory Contact Matt Jordan
CVE Name Pending

Description When an out of call message - delivered by either the SIP
or PJSIP channel driver or the XMPP stack - is handled in
Asterisk, a crash can occur if the channel servicing the
message is sent into the ReceiveFax dialplan application
while using the res_fax_spandsp module.

Note that this crash does not occur when using the
res_fax_digium module.

While this crash technically occurs due to a configuration
issue, as attempting to receive a fax from a channel driver
that only contains textual information will never succeed,
the likelihood of having it occur is sufficiently high as
to warrant this advisory.

Resolution The fax family of applications have been updated to handle
the Message channel driver correctly. Users using the fax
family of applications along with the out of call text
messaging features are encouraged to upgrade their versions
of Asterisk to the versions specified in this security
advisory.

Additionally, users of Asterisk are encouraged to use a
separate dialplan context to process text messages. This
avoids issues where the Message channel driver is passed to
dialplan applications that assume a media stream is
available. Note that the various channel drivers and stacks
provide such an option; an example being the SIP channel
driver's outofcall_message_context option.

Affected Versions
Product Release
Series
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 11.6 All versions

Corrected In
Product Release
Asterisk Open Source 11.12.1, 12.5.1
Certified Asterisk 11.6-cert6

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-010-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-010-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-24301

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-010.pdf and
http://downloads.digium.com/pub/security/AST-2014-010.html

Revision History
Date Editor Revisions Made
September 18 Matt Jordan Initial Draft

20Set/14Off

AST-2014-009: Remote crash based on malformed SIP subscription requests

Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.

Dal post originale:

Asterisk Project Security Advisory - AST-2014-009

Product Asterisk
Summary Remote crash based on malformed SIP subscription
requests
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions
Severity Major
Exploits Known No
Reported On 30 July, 2014
Reported By Mark Michelson
Posted On 18 September, 2014
Last Updated On September 18, 2014
Advisory Contact Mark Michelson
CVE Name Pending

Description It is possible to trigger a crash in Asterisk by sending a
SIP SUBSCRIBE request with unexpected mixes of headers for
a given event package. The crash occurs because Asterisk
allocates data of one type at one layer and then interprets
the data as a separate type at a different layer. The crash
requires that the SUBSCRIBE be sent from a configured
endpoint, and the SUBSCRIBE must pass any authentication
that has been configured.

Note that this crash is Asterisk's PJSIP-based
res_pjsip_pubsub module and not in the old chan_sip module.

Resolution Type-safety has been built into the pubsub API where it
previously was absent. A test has been added to the
testsuite that previously would have triggered the crash.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x Unaffected
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 12.x 12.1.0 and up
Certified Asterisk 1.8.15 Unaffected
Certified Asterisk 11.6 Unaffected

Corrected In
Product Release
Asterisk Open Source 12.5.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-009-12.diff Asterisk
12

Links https://issues.asterisk.org/jira/browse/ASTERISK-24136

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-009.pdf and
http://downloads.digium.com/pub/security/AST-2014-009.html

Revision History
Date Editor Revisions Made
19 August, 2014 Mark Michelson Initial version of document

20Set/14Off

Rilasciato Asterisk 13.0.0-beta2

Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.

Dal post originale:
All interested users of Asterisk are encouraged to participate in the
Asterisk 13 testing process. Please report any issues found to the issue
tracker, https://issues.asterisk.org/jira. All Asterisk users are invited to
participate in the #asterisk-bugs channel to help communicate issues found to
the Asterisk developers. It is also very useful to see successful test reports.
Please post those to the asterisk-dev mailing list (http://lists.digium.com).

Asterisk 13 is the next major release series of Asterisk. It will be a Long Term
Support (LTS) release, similar to Asterisk 11. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

For important information regarding upgrading to Asterisk 13, please see the
Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13

A short list of new features includes:

* Asterisk security events are now provided via AMI, allowing end users to
monitor their Asterisk system in real time for security related issues.

* Both AMI and ARI now allow external systems to control the state of a mailbox.
Using AMI actions or ARI resources, external systems can programmatically
trigger Message Waiting Indicators (MWI) on subscribed phones. This is of
particular use to those who want to build their own VoiceMail application
using ARI.

* ARI now supports the reception/transmission of out of call text messages using
any supported channel driver/protocol stack through ARI. Users receive out of
call text messages as JSON events over the ARI websocket connection, and can
send out of call text messages using HTTP requests.

* The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act
as a Resource List Server. This includes defining lists of presence state,
mailbox state, or lists of presence state/mailbox state; managing
subscriptions to lists; and batched delivery of NOTIFY requests to
subscribers.

* The PJSIP stack can now be used as a means of distributing device state or
mailbox state via PUBLISH requests to other Asterisk instances. This is
analogous to Asterisk's clustering support using XMPP or Corosync; unlike
existing clustering mechanisms, using the PJSIP stack to perform the
distribution of state does not rely on another daemon or server to perform the
work.

And much more!

More information about the new features can be found on the Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Documentation

A full list of all new features can also be found in the CHANGES file:

http://svnview.digium.com/svn/asterisk/branches/13/CHANGES

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta2

21Ago/14Off

Rilasciato Asterisk 12.5.0

Il giorno 19 agosto 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.5.0.

Dal post originale:
The release of Asterisk 12.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Improvements made in this release:
-----------------------------------
* ASTERISK-24036 - ARI: Recording resource should allow copying a
recording (Reported by Samuel Galarneau)
* ASTERISK-24037 - ARI: RecordingFinished event should return
duration of recording (Reported by Samuel Galarneau)
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
* ASTERISK-23692 - ARI: Add a Messaging Capability (Reported by
Matt Jordan)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23852 - ARI mixing bridges should propagate linkedids.
(Reported by Richard Mudgett)
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 - PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23987 - BridgeWait: channel entering into holding
bridge that is being destroyed fails to successfully join the
newly created holding bridge (Reported by Matt Jordan)
* ASTERISK-23969 - SendMessage AMI action Cant Send Text Message
Over PJSIP (Reported by Andrew Nagy)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23847 - Alembic voicemail script - 'recording' column
should be longblob on MySQL (Reported by Stephen More)
* ASTERISK-23825 - Alembic scripts - table queue_members missing
unique index on column uniqueid (Reported by Stephen More)
* ASTERISK-23909 - Alembic scripts - table sippeers could use a
longer useragent column (Reported by Stephen More)
* ASTERISK-23941 - ARI: Attended transfers of channels into Stasis
application lose information (Reported by Matt Jordan)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)

New Features made in this release:
-----------------------------------
* ASTERISK-24000 - chan_pjsip: Add accountcode setting (Reported
by Matt Jordan)
* ASTERISK-24119 - HEP: Add module that exports RTCP information
to a Homer Capture Server (Reported by Matt Jordan)

For a full list of changes in this release, please see the ChangeLog:

The release of Asterisk 12.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Improvements made in this release:
-----------------------------------
* ASTERISK-24036 - ARI: Recording resource should allow copying a
recording (Reported by Samuel Galarneau)
* ASTERISK-24037 - ARI: RecordingFinished event should return
duration of recording (Reported by Samuel Galarneau)
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
* ASTERISK-23692 - ARI: Add a Messaging Capability (Reported by
Matt Jordan)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23852 - ARI mixing bridges should propagate linkedids.
(Reported by Richard Mudgett)
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 - PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23987 - BridgeWait: channel entering into holding
bridge that is being destroyed fails to successfully join the
newly created holding bridge (Reported by Matt Jordan)
* ASTERISK-23969 - SendMessage AMI action Cant Send Text Message
Over PJSIP (Reported by Andrew Nagy)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23847 - Alembic voicemail script - 'recording' column
should be longblob on MySQL (Reported by Stephen More)
* ASTERISK-23825 - Alembic scripts - table queue_members missing
unique index on column uniqueid (Reported by Stephen More)
* ASTERISK-23909 - Alembic scripts - table sippeers could use a
longer useragent column (Reported by Stephen More)
* ASTERISK-23941 - ARI: Attended transfers of channels into Stasis
application lose information (Reported by Matt Jordan)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)

New Features made in this release:
-----------------------------------
* ASTERISK-24000 - chan_pjsip: Add accountcode setting (Reported
by Matt Jordan)
* ASTERISK-24119 - HEP: Add module that exports RTCP information
to a Homer Capture Server (Reported by Matt Jordan)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.5.0

21Ago/14Off

Rilasciato Asterisk 11.12.0

Il giorno 19 agosto 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.12.0.

Dal post originale:
The release of Asterisk 11.12.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 - PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)

Improvements made in this release:
-----------------------------------
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.12.0

21Ago/14Off

Rilasciato Asterisk 1.8.30.0

Il giorno 19 agosto 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.30.0.

Dal post originale:
The release of Asterisk 1.8.30.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)

Improvements made in this release:
-----------------------------------
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.30.0

12Lug/14Off

Rilasciato Asterisk 12.4.0

Il giorno 10 luglio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.4.0.

Dal post originale:
The release of Asterisk 12.4.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 - Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23499 - app_agent_pool: Interval hook prevents channel
from being hung up (Reported by Matt Jordan)
* ASTERISK-23721 - Calls to PJSIP endpoints with video enabled
result in leaked RTP ports (Reported by cervajs)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23718 - res_pjsip_incoming_blind_request: crash with
NULL session channel (Reported by Jonathan Rose)
* ASTERISK-23541 - Asterisk 12.1.0 Not respecting directmedia=no
and issuing REINVITE (Reported by Justin E)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23824 - ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-21965 - [patch] Bug-fixed version of safe_asterisk not
installed over old version (Reported by Jeremy Kister)
* ASTERISK-23802 - Security: Deadlock in res_pjsip_pubsub on
transaction timeout (Reported by Mark Michelson)
* ASTERISK-23489 - Vulnerability in res_pjsip_pubsub:
unauthenticated remote crash in during MWI unsubscribe without
being subscribed (Reported by John Bigelow)
* ASTERISK-23609 - Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 - Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 - res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23922 - ao2_container nodes are inconsistent REF_DEBUG
(Reported by Corey Farrell)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23917 - res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23947 - ActionID missing from AMI PJSIP events
(PJSIPShowEndpoints, etc.) (Reported by Mark Michelson)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 - [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
* ASTERISK-24001 - res_rtp_asterisk fails to load module due to
undefined symbol 'dtls_perform_handshake' when PJPROJECT is not
installed (Reported by Don Fanning)

Improvements made in this release:
-----------------------------------
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-23654 - Add 'pjsip reload' to default cli_aliases.conf
(Reported by Rusty Newton)
* ASTERISK-23811 - Improve performance of Asterisk by reducing the
number of channel snapshots created (Reported by Matt Jordan)
* ASTERISK-22961 - [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)
* ASTERISK-23975 - Description of variables field for userEvent
operation missing details. (Reported by Samuel Galarneau)
* ASTERISK-23552 - http: support persistent connections (Reported
by Scott Griepentrog)
* ASTERISK-23939 - ARI: Allow for channel subscriptions on
originate (Reported by Matt Jordan)

New Features made in this release:
-----------------------------------
* ASTERISK-23786 - TALK_DETECT: A dialplan function that emits
talking start/stop events for AMI/ARI (Reported by Matt Jordan)
* ASTERISK-21443 - New SIP Channel Driver - Create a state
provider for dialog-info+xml (Reported by Matt Jordan)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.4.0

12Lug/14Off

Rilasciato Asterisk 11.11.0

Il giorno 10 luglio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.11.0.

Dal post originale:
The release of Asterisk 11.11.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 - Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23824 - ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23609 - Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 - DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 - Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 - res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23917 - res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 - [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)

Improvements made in this release:
-----------------------------------
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-22961 - [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.11.0

12Lug/14Off

Rilasciato Asterisk 1.8.29.0

Il giorno 10 luglio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.29.0.

Dal post originale:
The release of Asterisk 1.8.29.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 - DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23667 - features.conf.sample is unclear as to which
options can or cannot be set in the general section (Reported by
David Brillert)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)

Improvements made in this release:
-----------------------------------
* ASTERISK-23564 - [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.29.0

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-008

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-008

Product Asterisk
Summary Denial of Service in PJSIP Channel Driver
Subscriptions
Nature of Advisory Denial of Service
Susceptibility Remote authenticated sessions
Severity Moderate
Exploits Known No
Reported On 28 May, 2014
Reported By Mark Michelson
Posted On June 12, 2014
Last Updated On June 12, 2014
Advisory Contact Mark Michelson
CVE Name CVE-2014-4048

Description When a SIP transaction timeout caused a subscription to be
terminated, the action taken by Asterisk was guaranteed to
deadlock the thread on which SIP requests are serviced.

Note that this behavior could only happen on established
subscriptions, meaning that this could only be exploited if
an attacker bypassed authentication and successfully
subscribed to a real resource on the Asterisk server.

Resolution The socket-servicing thread is now no longer capable of
dispatching synchronous tasks to other threads since that
may result in deadlocks.

Affected Versions
Product Release Series
Asterisk Open Source 12.x All versions

Corrected In
Product Release
Asterisk Open Source 12.3.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff Asterisk
12

Links https://issues.asterisk.org/jira/browse/ASTERISK-23802

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-008.pdf and
http://downloads.digium.com/pub/security/AST-2014-008.html

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-007

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-007

Product Asterisk
Summary Exhaustion of Allowed Concurrent HTTP Connections
Nature of Advisory Denial Of Service
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On May 25, 2014
Reported By Richard Mudgett
Posted On May 9, 2014
Last Updated On June 12, 2014
Advisory Contact Richard Mudgett
CVE Name CVE-2014-4047

Description Establishing a TCP or TLS connection to the configured HTTP
or HTTPS port respectively in http.conf and then not
sending or completing a HTTP request will tie up a HTTP
session. By doing this repeatedly until the maximum number
of open HTTP sessions is reached, legitimate requests are
blocked.

Resolution The patched versions now have a session_inactivity timeout
option in http.conf that defaults to 30000 ms. Users should
upgrade to a corrected version, apply the released patches,
or disable HTTP support.

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.15 All versions
Certified Asterisk 11.6 All versions

Corrected In
Product Release
Asterisk Open Source 1.8.28.1, 11.10.1, 12.3.1
Certified Asterisk 1.8.15-cert6, 11.6-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff Certified
Asterisk
1.8.15
http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-23673

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-007.pdf and
http://downloads.digium.com/pub/security/AST-2014-007.html

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-006

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-006

Product Asterisk
Summary Asterisk Manager User Unauthorized Shell Access
Nature of Advisory Permission Escalation
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On April 9, 2014
Reported By Corey Farrell
Posted On June 12, 2014
Last Updated On June 12, 2014
Advisory Contact Jonathan Rose < jrose AT digium DOT com >
CVE Name CVE-2014-4046

Description Manager users can execute arbitrary shell commands with the
MixMonitor manager action. Asterisk does not require system
class authorization for a manager user to use the
MixMonitor action, so any manager user who is permitted to
use manager commands can potentially execute shell commands
as the user executing the Asterisk process.

Resolution Upgrade to a version with the patch integrated, apply the
patch, or do not allow users who should not have permission
to run shell commands to use AMI.

Affected Versions
Product Release Series
Asterisk Open Source 11.x All
Asterisk Open Source 12.x All
Certified Asterisk 11.6 All

Corrected In
Product Release
Asterisk Open Source 11.10.1, 12.3.1
Certified Asterisk 11.6-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-23609

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-006.pdf and
http://downloads.digium.com/pub/security/AST-2014-006.html