ASTERWEB Blog

9 Apr 2015

AST-2015-003: TLS Certificate Common name NULL byte exploit

On 8 April 2015, the Asterisk Security Team released the security advisory available at this link:

http://lists.digium.com/pipermail/asterisk-announce/2015-April/000600.html

7 Apr 2015

Asterisk 13.3.1 Released

On 6 April 2015, the Asterisk Development Team announced the release of Asterisk 13.3.1.

From the original post:
The release of Asterisk 13.3.1 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

* --- pjsip: resolve compatibility problem with ast_sip_session
(Closes issue ASTERISK-24941. Reported by Matt Jordan)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.3.1

2 Apr 2015

Asterisk 13.3.0 Released

On 1 April 2015, the Asterisk Development Team announced the release of Asterisk 13.3.0.

From the original post:
The release of Asterisk 13.3.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-24703 - ARI: Add the ability to "transfer" (redirect) a
channel (Reported by Matt Jordan)
* ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
(Reported by Dwayne Hubbard)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24616 - Crash in res_format_attr_h264 due to invalid
string copy (Reported by Yura Kocyuba)
* ASTERISK-24748 - res_pjsip: If wizards explicitly configured in
sorcery.conf false ERROR messages may occur (Reported by Joshua
Colp)
* ASTERISK-24769 - res_pjsip_sdp_rtp: Local ICE candidates leaked
(Reported by Matt Jordan)
* ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
res_odbc (Reported by ibercom)
* ASTERISK-24479 - Enable REF_DEBUG for module references
(Reported by Corey Farrell)
* ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
fully disconnect underlying socket, leading to events being
dropped with no additional information (Reported by Matt Jordan)
* ASTERISK-24772 - ODBC error in realtime sippeers when device
unregisters under MariaDB (Reported by Richard Miller)
* ASTERISK-24752 - Crash in bridge_manager_service_req when bridge
is destroyed by ARI during shutdown (Reported by Richard
Mudgett)
* ASTERISK-24741 - dtls_handler causes Asterisk to crash (Reported
by Zane Conkle)
* ASTERISK-24015 - app_transfer fails with PJSIP channels
(Reported by Private Name)
* ASTERISK-24727 - PJSIP: Crash experienced during multi-Asterisk
transfer scenario. (Reported by Mark Michelson)
* ASTERISK-24771 - ${CHANNEL(pjsip)} - segfault (Reported by
Niklas Larsson)
* ASTERISK-24716 - Improve pjsip log messages for presence
subscription failure (Reported by Rusty Newton)
* ASTERISK-24612 - res_pjsip: No information if a required sorcery
wizard is not loaded (Reported by Joshua Colp)
* ASTERISK-24768 - res_timing_pthread: file descriptor leak
(Reported by Matthias Urlichs)
* ASTERISK-24685 - "pjsip show version" CLI command (Reported by
Joshua Colp)
* ASTERISK-24632 - install_prereq script installs pjproject
without IPv6 support (Reported by Rusty Newton)
* ASTERISK-24085 - Documentation - We should remove or further
document the 'contact' section in pjsip.conf (Reported by Rusty
Newton)
* ASTERISK-24791 - Crash in ast_rtcp_write_report (Reported by
JoshE)
* ASTERISK-24700 - CRASH: NULL channel is being passed to
ast_bridge_transfer_attended() (Reported by Zane Conkle)
* ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
(Reported by Corey Farrell)
* ASTERISK-24799 - [patch] make fails with undefined reference to
SSLv3_client_method (Reported by Alexander Traud)
* ASTERISK-22670 - Asterisk crashes when processing ISDN AoC
Events (Reported by klaus3000)
* ASTERISK-24689 - Segfault on hangup after outgoing PRI-Euroisdn
call (Reported by Marcel Manz)
* ASTERISK-24740 - [patch]Segmentation fault on aoc-e event
(Reported by Panos Gkikakis)
* ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
for playing back messages stored in IMAP - play_message: No
origtime (Reported by Graham Barnett)
* ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
OSX with 64 bit integers (Reported by Corey Farrell)
* ASTERISK-24796 - Codecs and bucket schema's prevent module
unload (Reported by Corey Farrell)
* ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
(Reported by Ashley Sanders)
* ASTERISK-24499 - Need more explicit debug when PJSIP dialstring
is invalid (Reported by Rusty Newton)
* ASTERISK-24785 - 'Expires' header missing from 200 OK on
REGISTER (Reported by Ross Beer)
* ASTERISK-24677 - ARI GET variable on channel provides unhelpful
response on non-existent variable (Reported by Joshua Colp)
* ASTERISK-24797 - bridge_softmix: G.729 codec license held
(Reported by Kevin Harwell)
* ASTERISK-24812 - ARI: Creating channels through /channels
resource always uses SLIN, which results in unneeded transcoding
(Reported by Matt Jordan)
* ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
thread ID being passed to pthread_kill (Reported by JoshE)
* ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
fail (Reported by Terry Wilson)
* ASTERISK-23214 - chan_sip WARNING message 'We are requesting
SRTP for audio, but they responded without it' is ambiguous and
wrong in some cases (Reported by Rusty Newton)
* ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
error response and BYE are sent to the caller (Reported by
Makoto Dei)
* ASTERISK-18105 - most of asterisk modules are unbuildable in
cygwin environment (Reported by feyfre)
* ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
* ASTERISK-24751 - Integer values in json payload to ARI cause
asterisk to crash (Reported by jeffrey putnam)
* ASTERISK-24838 - chan_sip: Locking inversion occurs when
building a peer causes a peer poke during request handling
(Reported by Richard Mudgett)
* ASTERISK-24825 - Caller ID not recognized using
Centrex/Distinctive dialing (Reported by Richard Mudgett)
* ASTERISK-24830 - res_rtp_asterisk.c checks USE_PJPROJECT not
HAVE_PJPROJECT (Reported by Stefan Engström)
* ASTERISK-24840 - res_pjsip: conflicting endpoint identifiers
(Reported by Kevin Harwell)
* ASTERISK-24755 - Asterisk sends unexpected early BYE to
transferrer during attended transfer when using a Stasis bridge
(Reported by John Bigelow)
* ASTERISK-24739 - [patch] - Out of files -- call fails --
numerous files with inodes from under /usr/share/zoneinfo,
mostly posixrules (Reported by Ed Hynan)
* ASTERISK-23390 - NewExten Event with application AGI shows up
before and after AGI runs (Reported by Benjamin Keith Ford)
* ASTERISK-24786 - [patch] - Asterisk terminates when playing a
voicemail stored in LDAP (Reported by Graham Barnett)
* ASTERISK-24808 - res_config_odbc: Improper escaping of
backslashes occurs with MySQL (Reported by Javier Acosta)
* ASTERISK-24807 - Missing mandatory field Max-Forwards (Reported
by Anatoli)
* ASTERISK-20850 - [patch]Nested functions aren't portable.
Adapting RAII_VAR to use clang/llvm blocks to get the
same/similar functionality. (Reported by Diederik de Groot)
* ASTERISK-24872 - [patch] AMI PJSIPShowEndpoint closes AMI
connection on error (Reported by Dmitriy Serov)
* ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
by Frank DiGennaro)
* ASTERISK-21038 - Bad command completion of "core set debug
channel" (Reported by Richard Kenner)
* ASTERISK-18708 - func_curl hangs channel under load (Reported by
Dave Cabot)
* ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
Atis Lezdins)
* ASTERISK-24876 - Investigate reference leaks from
tests/channels/local/local_optimize_away (Reported by Corey
Farrell)
* ASTERISK-24882 - chan_sip: Improve usage of REF_DEBUG (Reported
by Corey Farrell)
* ASTERISK-24817 - init_logger_chain: unreachable code block
(Reported by Corey Farrell)
* ASTERISK-24880 - [patch]Compilation under OpenBSD (Reported by
snuffy)
* ASTERISK-24879 - [patch]Compilation fails due to 64bit time
under OpenBSD (Reported by snuffy)

Improvements made in this release:
-----------------------------------
* ASTERISK-24745 - [patch]Add no_answer to ARI hangup causes
(Reported by Ben Merrills)
* ASTERISK-24811 - asterisk-publication sorcery object does not
use realtime (Reported by Matt Hoskins)
* ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
Couldn't find mailbox %s in context (Reported by Graham Barnett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.3.0

2 Apr 2015

Asterisk 11.17.0 Released

On 1 April 2015, the Asterisk Development Team announced the release of Asterisk 11.17.0.

From the original post:
The release of Asterisk 11.17.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
(Reported by Dwayne Hubbard)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
res_odbc (Reported by ibercom)
* ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
with replaces (Reported by Eelco Brolman)
* ASTERISK-24479 - Enable REF_DEBUG for module references
(Reported by Corey Farrell)
* ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
fully disconnect underlying socket, leading to events being
dropped with no additional information (Reported by Matt Jordan)
* ASTERISK-24772 - ODBC error in realtime sippeers when device
unregisters under MariaDB (Reported by Richard Miller)
* ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
(Reported by Corey Farrell)
* ASTERISK-24799 - [patch] make fails with undefined reference to
SSLv3_client_method (Reported by Alexander Traud)
* ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
for playing back messages stored in IMAP - play_message: No
origtime (Reported by Graham Barnett)
* ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
OSX with 64 bit integers (Reported by Corey Farrell)
* ASTERISK-24796 - Codecs and bucket schema's prevent module
unload (Reported by Corey Farrell)
* ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
(Reported by Ashley Sanders)
* ASTERISK-24797 - bridge_softmix: G.729 codec license held
(Reported by Kevin Harwell)
* ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
thread ID being passed to pthread_kill (Reported by JoshE)
* ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
fail (Reported by Terry Wilson)
* ASTERISK-23214 - chan_sip WARNING message 'We are requesting
SRTP for audio, but they responded without it' is ambiguous and
wrong in some cases (Reported by Rusty Newton)
* ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
error response and BYE are sent to the caller (Reported by
Makoto Dei)
* ASTERISK-18105 - most of asterisk modules are unbuildable in
cygwin environment (Reported by feyfre)
* ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
* ASTERISK-24838 - chan_sip: Locking inversion occurs when
building a peer causes a peer poke during request handling
(Reported by Richard Mudgett)
* ASTERISK-24825 - Caller ID not recognized using
Centrex/Distinctive dialing (Reported by Richard Mudgett)
* ASTERISK-24739 - [patch] - Out of files -- call fails --
numerous files with inodes from under /usr/share/zoneinfo,
mostly posixrules (Reported by Ed Hynan)
* ASTERISK-23390 - NewExten Event with application AGI shows up
before and after AGI runs (Reported by Benjamin Keith Ford)
* ASTERISK-24786 - [patch] - Asterisk terminates when playing a
voicemail stored in LDAP (Reported by Graham Barnett)
* ASTERISK-24808 - res_config_odbc: Improper escaping of
backslashes occurs with MySQL (Reported by Javier Acosta)
* ASTERISK-20850 - [patch]Nested functions aren't portable.
Adapting RAII_VAR to use clang/llvm blocks to get the
same/similar functionality. (Reported by Diederik de Groot)
* ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
by Frank DiGennaro)
* ASTERISK-21038 - Bad command completion of "core set debug
channel" (Reported by Richard Kenner)
* ASTERISK-18708 - func_curl hangs channel under load (Reported by
Dave Cabot)
* ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
Atis Lezdins)
* ASTERISK-24876 - Investigate reference leaks from
tests/channels/local/local_optimize_away (Reported by Corey
Farrell)
* ASTERISK-24817 - init_logger_chain: unreachable code block
(Reported by Corey Farrell)
* ASTERISK-24880 - [patch]Compilation under OpenBSD (Reported by
snuffy)
* ASTERISK-24879 - [patch]Compilation fails due to 64bit time
under OpenBSD (Reported by snuffy)

Improvements made in this release:
-----------------------------------
* ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
Couldn't find mailbox %s in context (Reported by Graham Barnett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0

8 Feb 2015

Asterisk 13.2.0 Released

On 6 February 2015, the Asterisk Development Team announced the release of Asterisk 13.2.0.

From the original post:
The release of Asterisk 13.2.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24342 - PJSIP: Qualifying endpoints attempts to do them
all at the same time. (Reported by Richard Mudgett)
* ASTERISK-24514 - res_pjsip_outbound_registration: stack overflow
when using non-default sorcery wizard (Reported by Kevin
Harwell)
* ASTERISK-24472 - Asterisk Crash in OpenSSL when calling over WSS
from JSSIP (Reported by Badalian Vyacheslav)
* ASTERISK-24607 - res_pjsip_session: re-INVITE with declined
media streams results in 488 (Reported by Matt Jordan)
* ASTERISK-24563 - Direct Media calls within private network
sometimes get one way audio (Reported by Kevin Harwell)
* ASTERISK-24604 - res_rtp_asterisk: Crash during restart due to
race condition in accessing codec in stored ast_frame and codec
core (Reported by Matt Jordan)
* ASTERISK-24614 - Deadlock when DEBUG_THREADS compiler flag
enabled (Reported by Richard Mudgett)
* ASTERISK-24449 - Reinvite for T.38 UDPTL fails if SRTP is
enabled (Reported by Andreas Steinmetz)
* ASTERISK-24619 - [patch]Gcc 4.10 fixes in r413589 (1.8) wrongly
casts char to unsigned int (Reported by Walter Doekes)
* ASTERISK-24536 - AMI redirect with PJSIP fails to move extra
channel (Reported by Niklas Larsson)
* ASTERISK-24459 - bridge_native_rtp: Native RTP bridging is
chosen for RTP compatible channels when the DTMF mode is not
compatible (Reported by Yaniv Simhi)
* ASTERISK-24337 - Spammy DEBUG message needs to be at a higher
level - 'Remote address is null, most likely RTP has been
stopped' (Reported by Rusty Newton)
* ASTERISK-24513 - Local channel apparently leaked in off-nominal
DTMF attended transfer (Reported by Mark Michelson)
* ASTERISK-23733 - 'reload acl' fails if acl.conf is not present
on startup (Reported by Richard Kenner)
* ASTERISK-24628 - [patch] chan_sip - CANCEL is sent to wrong
destination when 'sendrpid=yes' (in proxy environment) (Reported
by Karsten Wemheuer)
* ASTERISK-23841 - DTMF atxfer doesn't set CallerID for the recall
calls to the transferrer. (Reported by Richard Mudgett)
* ASTERISK-24376 - res_pjsip_refer: REFER request for remote
session attempts to direct channel to external_replaces
extension instead of context, without providing for the
Referred-To SIP URI (Reported by Matt Jordan)
* ASTERISK-24591 - Stasis() side of an ARI originated channel
cannot be Redirected (Reported by Kinsey Moore)
* ASTERISK-24049 - Asterisk Manager Interface: A number of list
type responses aren't using astman_send_listack (Reported by
Jonathan Rose)
* ASTERISK-24637 - Channel re-enters Stasis() when it should not
(Reported by John Bigelow)
* ASTERISK-24474 - sip_to_pjsip.py lacks documentation and does
not function (Reported by John Kiniston)
* ASTERISK-24672 - [PATCH] Memory leak in func_curl CURLOPT
(Reported by Kristian Høgh)
* ASTERISK-20744 - [patch] Security event logging does not work
over syslog (Reported by Michael Keuter)
* ASTERISK-24665 - Configure check required for
pjsip_get_dest_info() (Reported by Mark Michelson)
* ASTERISK-23850 - Park Application does not respect Return
Context Priority (Reported by Andrew Nagy)
* ASTERISK-23991 - [patch]asterisk.pc file contains a small error
in the CFlags returned (Reported by Diederik de Groot)
* ASTERISK-24655 - res_pjsip_outbound_publish: Hang on shutdown
while attempting to publish (Reported by Kevin Harwell)
* ASTERISK-24485 - res_pjsip cannot be unloaded or shutdown
(Reported by Corey Farrell)
* ASTERISK-24663 - [patch] Unnamed semaphore autoconf check fails
on cross compilation (Reported by abelbeck)
* ASTERISK-24624 - Transfer to invalid extension results in hung
channel. (Reported by Zane Conkle)
* ASTERISK-24615 - When Multiple Transports Exist in pjsip.conf,
Incorrect External Addresses is Used in SIP Packets When
Responding to INVITE (Reported by David Justl)
* ASTERISK-24288 - [patch] - ODBC usage with app_voicemail -
voicemail is not deleted after review, hangup (Reported by LEI
FU)
* ASTERISK-24048 - [patch] contrib/scripts/install_prereq selects
32-bit packages on 64-bit hosts (Reported by Ben Klang)
* ASTERISK-24600 - Stuck IAX channels, Asterisk stops responding
to most traffic, potential deadlock (Reported by Jeff Collell)
* ASTERISK-24560 - Creating a named ARI bridge twice causes a
crash (Reported by Kinsey Moore)
* ASTERISK-24682 - app_dial: Multiple DialEnd events emitted when
MACRO_RESULT or GOSUB_RESULT are an unexpected value (Reported
by Matt Jordan)
* ASTERISK-24640 - Registration pending stays forever after sip
reload (Reported by Max Man)
* ASTERISK-24673 - outgoing sip registers cannot be removed or
modified without doing restart (or doing module unload
chan_sip.so) (Reported by Stefan Engström)
* ASTERISK-24709 - [patch] msg_create_from_file used by MixMonitor
m() option does not queue an MWI event (Reported by Gareth
Palmer)
* ASTERISK-24649 - Pushing of channel into bridge fails; Stasis
fails to get app name (Reported by John Bigelow)
* ASTERISK-24355 - [patch] chan_sip realtime uses case sensitive
column comparison for 'defaultuser' (Reported by
HZMI8gkCvPpom0tM)
* ASTERISK-24693 - Investigate and fix memory leaks in Asterisk
(Reported by Kevin Harwell)
* ASTERISK-24626 - Voicemail passwords not being stored in ARA
(Reported by Paddy Grice)
* ASTERISK-24539 - Compile fails on OSX because of sem_timedwait
in bridge_channel.c (Reported by George Joseph)
* ASTERISK-24544 - Compile fails on OSX Yosemite because of
incorrect detection of htonll and ntohll (Reported by George
Joseph)
* ASTERISK-24723 - confbridge: CLI command 'confbridge list XXXX'
no longer displays user menus (Reported by Matt Jordan)
* ASTERISK-24721 - manager: ModuleLoad action incorrectly reports
'module not found' during a Reload operation (Reported by Matt
Jordan)
* ASTERISK-24719 - ConfBridge recording channels get stuck when
recording started/stopped more than once (Reported by Richard
Mudgett)
* ASTERISK-24715 - chan_sip: stale nonce causes failure (Reported
by Kevin Harwell)
* ASTERISK-24728 - tcptls: Bad file descriptor error when
reloading chan_sip (Reported by Kevin Harwell)
* ASTERISK-24729 - Outbound registration not occuring on new
registrations after reload. (Reported by Richard Mudgett)
* ASTERISK-24676 - Security Vulnerability: URL request injection
in libCURL (CVE-2014-8150) (Reported by Matt Jordan)
* ASTERISK-24666 - Security Vulnerability: RTP not closed after
sip call using unsupported codec (Reported by Y Ateya)
* ASTERISK-24711 - DTLS handshake broken with latest OpenSSL
versions (Reported by Jared Biel)
* ASTERISK-24646 - PJSIP changeset 4899 breaks TLS (Reported by
Stephan Eisvogel)
* ASTERISK-24736 - Memory Leak Fixes (Reported by Mark Michelson)
* ASTERISK-24635 - PJSIP outbound PUBLISH crashes when no response
is ever received (Reported by Marco Paland)
* ASTERISK-24737 - When agent not logged in, agent status shows
unavailable, queue status shows agent invalid (Reported by
Richard Mudgett)

Improvements made in this release:
-----------------------------------
* ASTERISK-24552 - ARI: Allow associating a channel as an
initiator of an Origination for record keeping purposes
(Reported by Matt Jordan)
* ASTERISK-24553 - ARI/AMI: Include language in standard channel
snapshot output (Reported by Matt Jordan)
* ASTERISK-24643 - res_pjsip: Add user=phone option (Reported by
Matt Jordan)
* ASTERISK-24644 - res_pjsip_keepalive: Add keepalive module for
connection-oriented transports. (Reported by Matt Jordan)
* ASTERISK-24412 - [patch]Incomplete channel originate/continue
handling with ARI (Reported by Nir Simionovich (GreenfieldTech -
Israel))
* ASTERISK-24678 - [PATCH] Added atxfer* settings to
features.conf.sample (Reported by Niklas Larsson)
* ASTERISK-24575 - [patch]Make capath work for res_pjsip (Reported
by cloos)
* ASTERISK-24671 - Missing docs for the CDR AMI Event (Reported by
Dan Jenkins)
* ASTERISK-24316 - For httpd server, need option to define server
name for security purposes (Reported by Andrew Nagy)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.2.0

8 Feb 2015

Asterisk 11.16.0 Released

On 6 February 2015, the Asterisk Development Team announced the release of Asterisk 11.16.0.

From the original post:
The release of Asterisk 11.16.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24472 - Asterisk Crash in OpenSSL when calling over WSS
from JSSIP (Reported by Badalian Vyacheslav)
* ASTERISK-24614 - Deadlock when DEBUG_THREADS compiler flag
enabled (Reported by Richard Mudgett)
* ASTERISK-24449 - Reinvite for T.38 UDPTL fails if SRTP is
enabled (Reported by Andreas Steinmetz)
* ASTERISK-24619 - [patch]Gcc 4.10 fixes in r413589 (1.8) wrongly
casts char to unsigned int (Reported by Walter Doekes)
* ASTERISK-24337 - Spammy DEBUG message needs to be at a higher
level - 'Remote address is null, most likely RTP has been
stopped' (Reported by Rusty Newton)
* ASTERISK-23733 - 'reload acl' fails if acl.conf is not present
on startup (Reported by Richard Kenner)
* ASTERISK-24628 - [patch] chan_sip - CANCEL is sent to wrong
destination when 'sendrpid=yes' (in proxy environment) (Reported
by Karsten Wemheuer)
* ASTERISK-24672 - [PATCH] Memory leak in func_curl CURLOPT
(Reported by Kristian Høgh)
* ASTERISK-20744 - [patch] Security event logging does not work
over syslog (Reported by Michael Keuter)
* ASTERISK-23850 - Park Application does not respect Return
Context Priority (Reported by Andrew Nagy)
* ASTERISK-23991 - [patch]asterisk.pc file contains a small error
in the CFlags returned (Reported by Diederik de Groot)
* ASTERISK-24288 - [patch] - ODBC usage with app_voicemail -
voicemail is not deleted after review, hangup (Reported by LEI
FU)
* ASTERISK-24048 - [patch] contrib/scripts/install_prereq selects
32-bit packages on 64-bit hosts (Reported by Ben Klang)
* ASTERISK-24709 - [patch] msg_create_from_file used by MixMonitor
m() option does not queue an MWI event (Reported by Gareth
Palmer)
* ASTERISK-24355 - [patch] chan_sip realtime uses case sensitive
column comparison for 'defaultuser' (Reported by
HZMI8gkCvPpom0tM)
* ASTERISK-24719 - ConfBridge recording channels get stuck when
recording started/stopped more than once (Reported by Richard
Mudgett)
* ASTERISK-24715 - chan_sip: stale nonce causes failure (Reported
by Kevin Harwell)
* ASTERISK-24728 - tcptls: Bad file descriptor error when
reloading chan_sip (Reported by Kevin Harwell)
* ASTERISK-24676 - Security Vulnerability: URL request injection
in libCURL (CVE-2014-8150) (Reported by Matt Jordan)
* ASTERISK-24711 - DTLS handshake broken with latest OpenSSL
versions (Reported by Jared Biel)
* ASTERISK-24646 - PJSIP changeset 4899 breaks TLS (Reported by
Stephan Eisvogel)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.16.0

6 Jan 2015

Sangoma buys Schmooze and therefore FreePBX

On 1 January 2015, Sangoma announced the acquisition of Schmooze Com Inc., the main developer and manager/sponsor of the open source FreePBX project.

Sangoma paid 4 million dollars in cash for the acquisition of Schmooze Com Inc.

Tony Lewis, co-founder and CEO of Schmooze, stated:

The FreePBX community should benefit from the project being backed by a larger, mature public company with much broader resources and over 30 years of experience in telecom and a long pedigree in open source. We are excited about the stability and credibility this adds to the project and I expect that FreePBX users will really appreciate it.

Let's hope for the best!

18 Dec 2014

Asterisk 11.15.0 Released

On 15 December 2014, the Asterisk Development Team announced the release of Asterisk 12.8.0.

From the original post:
The Asterisk Development Team has announced the release of Asterisk 11.15.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.15.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-20127 - [Regression] Config.c config_text_file_load()
unescapes semicolons ("\;" -> ";") turning them into comments
(corruption) on rewrite of a config file (Reported by George
Joseph)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
* ASTERISK-24492 - main/file.c: ast_filestream sometimes causes
extra calls to ast_module_unref (Reported by Corey Farrell)
* ASTERISK-24504 - chan_console: Fix reference leaks to pvt
(Reported by Corey Farrell)
* ASTERISK-24468 - Incoming UCS2 encoded SMS truncated if SMS
length exceeds 50 (roughly) national symbols (Reported by
Dmitriy Bubnov)
* ASTERISK-24500 - Regression introduced in chan_mgcp by SVN
revision r227276 (Reported by Xavier Hienne)
* ASTERISK-20402 - Unable to cancel (features.conf) attended
transfer (Reported by Matt Riddell)
* ASTERISK-24505 - manager: http connections leak references
(Reported by Corey Farrell)
* ASTERISK-24502 - Build fails when dev-mode, dont optimize and
coverage are enabled (Reported by Corey Farrell)
* ASTERISK-24444 - PBX: Crash when generating extension for
pattern matching hint (Reported by Leandro Dardini)
* ASTERISK-24522 - ConfBridge: delay occurs between kicking all
endmarked users when last marked user leaves (Reported by Matt
Jordan)
* ASTERISK-15242 - transmit_refer leaks sip_refer structures
(Reported by David Woolley)
* ASTERISK-24440 - Call leak in Confbridge (Reported by Ben Klang)
* ASTERISK-24469 - Security Vulnerability: Mixed IPv4/IPv6 ACLs
allow blocked addresses through (Reported by Matt Jordan)
* ASTERISK-24516 - [patch]Asterisk segfaults when playing back
voicemail under high concurrency with an IMAP backend (Reported
by David Duncan Ross Palmer)
* ASTERISK-24572 - [patch]App_meetme is loaded without its
defaults when the configuration file is missing (Reported by
Nuno Borges)
* ASTERISK-24573 - [patch]Out of sync conversation recording when
divided in multiple recordings (Reported by Nuno Borges)

Improvements made in this release:
-----------------------------------
* ASTERISK-24283 - [patch]Microseconds precision in the eventtime
column in the cel_odbc module (Reported by Etienne Lessard)
* ASTERISK-24530 - [patch] app_record stripping 1/4 second from
recordings (Reported by Ben Smithurst)
* ASTERISK-24577 - Speed up loopback switches by avoiding unneeded
lookups (Reported by Birger "WIMPy" Harzenetter)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.15.0

18 Dec 2014

Asterisk 12.8.0 Released

On 15 December 2014, the Asterisk Development Team announced the release of Asterisk 12.8.0.

From the original post:
The Asterisk Development Team has announced the release of Asterisk 12.8.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 12.8.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24480 - res_http_websockets: Module reference decrease
below zero (Reported by Corey Farrell)
* ASTERISK-24482 - func_talkdetect: Fix stasis message leak in
audiohook callback (Reported by Corey Farrell)
* ASTERISK-24487 - configuration: sections should be loadable as
template even when not marked (Reported by Scott Griepentrog)
* ASTERISK-20127 - [Regression] Config.c config_text_file_load()
unescapes semicolons ("\;" -> ";") turning them into comments
(corruption) on rewrite of a config file (Reported by George
Joseph)
* ASTERISK-24438 - res_pjsip_multihomed.so blocks Asterisk reload
when DNS settings invalid (Reported by Melissa Shepherd)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
* ASTERISK-24491 - Memory leak in res_hep (Reported by Zane
Conkle)
* ASTERISK-24492 - main/file.c: ast_filestream sometimes causes
extra calls to ast_module_unref (Reported by Corey Farrell)
* ASTERISK-24447 - Bridge DTMF hooks: Audio doesn't pass when
waiting for more matching digits. (Reported by Richard Mudgett)
* ASTERISK-24257 - agent must dial acceptdtmf twice to bridge to
queue caller (Reported by Steve Pitts)
* ASTERISK-24504 - chan_console: Fix reference leaks to pvt
(Reported by Corey Farrell)
* ASTERISK-24468 - Incoming UCS2 encoded SMS truncated if SMS
length exceeds 50 (roughly) national symbols (Reported by
Dmitriy Bubnov)
* ASTERISK-24500 - Regression introduced in chan_mgcp by SVN
revision r227276 (Reported by Xavier Hienne)
* ASTERISK-24505 - manager: http connections leak references
(Reported by Corey Farrell)
* ASTERISK-24502 - Build fails when dev-mode, dont optimize and
coverage are enabled (Reported by Corey Farrell)
* ASTERISK-24444 - PBX: Crash when generating extension for
pattern matching hint (Reported by Leandro Dardini)
* ASTERISK-24489 - Crash: Asterisk crashes when converting RTCP
packet to JSON for res_hep_rtcp and report blocks are greater
than 1 (Reported by Gregory Malsack)
* ASTERISK-24498 - Segmentation fault in res_hep_rtcp on attended
transfer (Reported by Beppo Mazzucato)
* ASTERISK-24501 - ARI: Moving a channel between bridges followed
by a hangup can cause an ARI client to not receive an expected
ChannelLeftBridge event before StasisEnd (Reported by Matt
Jordan)
* ASTERISK-24336 - PJSIP timer_min_se value under 90 causes crash
(Reported by Leon Rowland)
* ASTERISK-23651 - Reloading some modules that are loaded already,
results in 'No such module' before a successful reload (Reported
by Rusty Newton)
* ASTERISK-24522 - ConfBridge: delay occurs between kicking all
endmarked users when last marked user leaves (Reported by Matt
Jordan)
* ASTERISK-15242 - transmit_refer leaks sip_refer structures
(Reported by David Woolley)
* ASTERISK-24508 - pjsip - REFER request from SNOM is rejected
with "400 bad request" - DEBUG shows "Received a REFER without a
parseable Refer-To" (Reported by Beppo Mazzucato)
* ASTERISK-24535 - stringfields: Fix regression from fix for
unintentional memory retention and another issue exposed by the
fix (Reported by Corey Farrell)
* ASTERISK-24471 - Crash - assert_fail in libc in
pjmedia_sdp_neg_negotiate from /usr/local/lib/libpjmedia.so.2
(Reported by yaron nahum)
* ASTERISK-24528 - res_pjsip_refer: Sending INVITE with Replaces
in-dialog with invalid target causes crash (Reported by Joshua
Colp)
* ASTERISK-24531 - res_pjsip_acl: ACLs not applied on initial
module load (Reported by Matt Jordan)
* ASTERISK-24469 - Security Vulnerability: Mixed IPv4/IPv6 ACLs
allow blocked addresses through (Reported by Matt Jordan)
* ASTERISK-24533 - 2 threads created per chan_sip entry (Reported
by xrobau)
* ASTERISK-24516 - [patch]Asterisk segfaults when playing back
voicemail under high concurrency with an IMAP backend (Reported
by David Duncan Ross Palmer)
* ASTERISK-24572 - [patch]App_meetme is loaded without its
defaults when the configuration file is missing (Reported by
Nuno Borges)
* ASTERISK-24573 - [patch]Out of sync conversation recording when
divided in multiple recordings (Reported by Nuno Borges)
* ASTERISK-24537 - Stasis: StasisStart/StasisEnd events are not
reliably transmitted during transfers (Reported by Matt Jordan)

Improvements made in this release:
-----------------------------------
* ASTERISK-24279 - Documentation: Clarify the behaviour of the CDR
property 'unanswered' (Reported by Matt Jordan)
* ASTERISK-24283 - [patch]Microseconds precision in the eventtime
column in the cel_odbc module (Reported by Etienne Lessard)
* ASTERISK-24530 - [patch] app_record stripping 1/4 second from
recordings (Reported by Ben Smithurst)
* ASTERISK-24577 - Speed up loopback switches by avoiding unneeded
lookups (Reported by Birger "WIMPy" Harzenetter)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.8.0

18Dec/14Off

Asterisk 13.1.0 Released

On 15 December 2014, the Asterisk Development Team announced the release of Asterisk 13.1.0.

From the original post:
The Asterisk Development Team has announced the release of Asterisk 13.1.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 13.1.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-24554 - AMI/ARI: Generate events on connected line
changes (Reported by Matt Jordan)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-24455 - func_cdr: CDR_PROP leaks payload (Reported by
Corey Farrell)
* ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
leak (Reported by Corey Farrell)
* ASTERISK-24430 - missing letter "p" in word response in
OriginateResponse event documentation (Reported by Dafi Ni)
* ASTERISK-24437 - Review implementation of ast_bridge_impart for
leaks and document proper usage (Reported by Scott Griepentrog)
* ASTERISK-24453 - manager: acl_change_sub leaks (Reported by
Corey Farrell)
* ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
Corey Farrell)
* ASTERISK-24458 - chan_phone fails to build on big endian systems
(Reported by Tzafrir Cohen)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24304 - asterisk crashing randomly because of unistim
channel (Reported by dhanapathy sathya)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24462 - res_pjsip: Stale qualify statistics after
disablementation (Reported by Kevin Harwell)
* ASTERISK-24465 - audiohooks list leaks reference to formats
(Reported by Corey Farrell)
* ASTERISK-24466 - app_queue: fix a couple leaks to struct
call_queue (Reported by Corey Farrell)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24411 - [patch] Status of outbound registration is not
changed upon unregistering. (Reported by John Bigelow)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24480 - res_http_websockets: Module reference decrease
below zero (Reported by Corey Farrell)
* ASTERISK-24482 - func_talkdetect: Fix stasis message leak in
audiohook callback (Reported by Corey Farrell)
* ASTERISK-24487 - configuration: sections should be loadable as
template even when not marked (Reported by Scott Griepentrog)
* ASTERISK-20127 - [Regression] Config.c config_text_file_load()
unescapes semicolons ("\;" -> ";") turning them into comments
(corruption) on rewrite of a config file (Reported by George
Joseph)
* ASTERISK-24438 - res_pjsip_multihomed.so blocks Asterisk reload
when DNS settings invalid (Reported by Melissa Shepherd)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
* ASTERISK-24491 - Memory leak in res_hep (Reported by Zane
Conkle)
* ASTERISK-24492 - main/file.c: ast_filestream sometimes causes
extra calls to ast_module_unref (Reported by Corey Farrell)
* ASTERISK-24447 - Bridge DTMF hooks: Audio doesn't pass when
waiting for more matching digits. (Reported by Richard Mudgett)
* ASTERISK-24257 - agent must dial acceptdtmf twice to bridge to
queue caller (Reported by Steve Pitts)
* ASTERISK-24504 - chan_console: Fix reference leaks to pvt
(Reported by Corey Farrell)
* ASTERISK-24250 - [patch] Voicemail with multi-recipients To:
header fix (Reported by abelbeck)
* ASTERISK-24468 - Incoming UCS2 encoded SMS truncated if SMS
length exceeds 50 (roughly) national symbols (Reported by
Dmitriy Bubnov)
* ASTERISK-24500 - Regression introduced in chan_mgcp by SVN
revision r227276 (Reported by Xavier Hienne)
* ASTERISK-24505 - manager: http connections leak references
(Reported by Corey Farrell)
* ASTERISK-24502 - Build fails when dev-mode, dont optimize and
coverage are enabled (Reported by Corey Farrell)
* ASTERISK-24444 - PBX: Crash when generating extension for
pattern matching hint (Reported by Leandro Dardini)
* ASTERISK-24489 - Crash: Asterisk crashes when converting RTCP
packet to JSON for res_hep_rtcp and report blocks are greater
than 1 (Reported by Gregory Malsack)
* ASTERISK-24498 - Segmentation fault in res_hep_rtcp on attended
transfer (Reported by Beppo Mazzucato)
* ASTERISK-24501 - ARI: Moving a channel between bridges followed
by a hangup can cause an ARI client to not receive an expected
ChannelLeftBridge event before StasisEnd (Reported by Matt
Jordan)
* ASTERISK-24336 - PJSIP timer_min_se value under 90 causes crash
(Reported by Leon Rowland)
* ASTERISK-23651 - Reloading some modules that are loaded already,
results in 'No such module' before a successful reload (Reported
by Rusty Newton)
* ASTERISK-24522 - ConfBridge: delay occurs between kicking all
endmarked users when last marked user leaves (Reported by Matt
Jordan)
* ASTERISK-15242 - transmit_refer leaks sip_refer structures
(Reported by David Woolley)
* ASTERISK-24508 - pjsip - REFER request from SNOM is rejected
with "400 bad request" - DEBUG shows "Received a REFER without a
parseable Refer-To" (Reported by Beppo Mazzucato)
* ASTERISK-24535 - stringfields: Fix regression from fix for
unintentional memory retention and another issue exposed by the
fix (Reported by Corey Farrell)
* ASTERISK-24471 - Crash - assert_fail in libc in
pjmedia_sdp_neg_negotiate from /usr/local/lib/libpjmedia.so.2
(Reported by yaron nahum)
* ASTERISK-24528 - res_pjsip_refer: Sending INVITE with Replaces
in-dialog with invalid target causes crash (Reported by Joshua
Colp)
* ASTERISK-24531 - res_pjsip_acl: ACLs not applied on initial
module load (Reported by Matt Jordan)
* ASTERISK-24469 - Security Vulnerability: Mixed IPv4/IPv6 ACLs
allow blocked addresses through (Reported by Matt Jordan)
* ASTERISK-24542 - [patch]Failure showing codecs via 'core show
channeltype ' (Reported by snuffy)
* ASTERISK-24533 - 2 threads created per chan_sip entry (Reported
by xrobau)
* ASTERISK-24516 - [patch]Asterisk segfaults when playing back
voicemail under high concurrency with an IMAP backend (Reported
by David Duncan Ross Palmer)
* ASTERISK-24572 - [patch]App_meetme is loaded without its
defaults when the configuration file is missing (Reported by
Nuno Borges)
* ASTERISK-24573 - [patch]Out of sync conversation recording when
divided in multiple recordings (Reported by Nuno Borges)
* ASTERISK-24537 - Stasis: StasisStart/StasisEnd events are not
reliably transmitted during transfers (Reported by Matt Jordan)
* ASTERISK-24556 - Asterisk 13 core dumps when calling from pjsip
extension to another pjsip extension (Reported by Abhay Gupta)

Improvements made in this release:
-----------------------------------
* ASTERISK-24279 - Documentation: Clarify the behaviour of the CDR
property 'unanswered' (Reported by Matt Jordan)
* ASTERISK-24283 - [patch]Microseconds precision in the eventtime
column in the cel_odbc module (Reported by Etienne Lessard)
* ASTERISK-24530 - [patch] app_record stripping 1/4 second from
recordings (Reported by Ben Smithurst)
* ASTERISK-24577 - Speed up loopback switches by avoiding unneeded
lookups (Reported by Birger "WIMPy" Harzenetter)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.1.0

12Nov/14Off

Asterisk 12.7.0 Released

On 10 November 2014, the Asterisk Development Team announced the release of Asterisk 12.7.0.

From the original post:
The release of Asterisk 12.7.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24339 - Swagger API Docs have incorrect basePath
(Reported by Bradley Watkins)
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-24295 - crash: creating out of dialog OPTIONS request
crashes (Reported by Rogger Padilla)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
Cohen)
* ASTERISK-24350 - PJSIP shows commands prints unneeded headers
(Reported by snuffy)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24362 - res_hep leaks reference to configuration
(Reported by Corey Farrell)
* ASTERISK-23781 - outgoing missing as enum from
contrib/ast-db-manage/config (Reported by Stephen More)
* ASTERISK-24199 - 'ALL' is specified in pjsip.conf.sample for TLS
cipher but it is not valid (Reported by Joshua Colp)
* ASTERISK-24262 - AMI CoreShowChannel missing several output
fields and event documentation (Reported by Mitch Claborn)
* ASTERISK-24356 - PJSIP: Directed pickup causes deadlock
(Reported by Richard Mudgett)
* ASTERISK-24195 - bridge_native_rtp: Removing mixmonitor from a
native RTP capable smart bridge doesn't cause the bridge to
resume being a native rtp bridge (Reported by Jonathan Rose)
* ASTERISK-24384 - chan_motif: format capabilities leak on module
load error (Reported by Corey Farrell)
* ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
(Reported by Corey Farrell)
* ASTERISK-24378 - Release AMI connections on shutdown (Reported
by Corey Farrell)
* ASTERISK-24369 - res_pjsip: Large message on reliable transport
can cause empty messages to be passed from the PJSIP stack up,
causing crashes in multiple locations (Reported by Matt Jordan)
* ASTERISK-24382 - chan_pjsip: Calling PJSIP_MEDIA_OFFER on a
non-PJSIP channel results in an invalid reference of a channel
pvt and a FRACK (Reported by Matt Jordan)
* ASTERISK-24370 - res_pjsip/pjsip_options: OPTIONS request sent
to Asterisk with no user in request is always 404'd (Reported by
Matt Jordan)
* ASTERISK-24224 - When using Bridge() dialplan application,
surrogate channel appears in list and call count is inflated.
(Reported by Mark Michelson)
* ASTERISK-24354 - AMI sendMessage closes AMI connection on error
(Reported by Peter Katzmann)
* ASTERISK-24398 - Initialize auth_rejection_permanent on client
state to the configuration parameter value (Reported by Matt
Jordan)
* ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
incorrectly attempted (Reported by Joshua Colp)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
received for component (Reported by Kevin Harwell)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24387 - res_pjsip: rport sent from UAS MUST include the
port that the UAC sent the request on (Reported by Matt Jordan)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24394 - CDR: FRACK with PJSIP directed pickup.
(Reported by Richard Mudgett)
* ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
Corey Farrell)
* ASTERISK-24321 - SIP deadlock when running automated queues
tests (Reported by Steve Pitts)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-23846 - Unistim multilines. Loss of voice after second
call drops (on a second line). (Reported by Rustam Khankishyiev)
* ASTERISK-24312 - SIGABRT when improperly configured realtime
pjsip (Reported by Dafi Ni)
* ASTERISK-24426 - CDR Batch mode: size used as time value after
first expire (Reported by Shane Blaser)
* ASTERISK-24327 - bridge_native_rtp: Smart bridge operation to
softmix sometimes fails to properly re-INVITE remotely bridged
participants (Reported by Matt Jordan)
* ASTERISK-24415 - Missing AMI VarSet events when channels inherit
variables. (Reported by Richard Mudgett)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24122 - Documentaton for res_pjsip option use_avpf
needs to be fixed (Reported by James Van Vleet)
* ASTERISK-24381 - res_pjsip_sdp_rtp: Declined media streams are
interpreted, leading to erroneous 488 rejections (Reported by
Matt Jordan)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
leak (Reported by Corey Farrell)
* ASTERISK-24430 - missing letter "p" in word response in
OriginateResponse event documentation (Reported by Dafi Ni)
* ASTERISK-24437 - Review implementation of ast_bridge_impart for
leaks and document proper usage (Reported by Scott Griepentrog)
* ASTERISK-24453 - manager: acl_change_sub leaks (Reported by
Corey Farrell)
* ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
Corey Farrell)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24304 - asterisk crashing randomly because of unistim
channel (Reported by dhanapathy sathya)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24462 - res_pjsip: Stale qualify statistics after
disablementation (Reported by Kevin Harwell)
* ASTERISK-24466 - app_queue: fix a couple leaks to struct
call_queue (Reported by Corey Farrell)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24411 - [patch] Status of outbound registration is not
changed upon unregistering. (Reported by John Bigelow)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24487 - configuration: sections should be loadable as
template even when not marked (Reported by Scott Griepentrog)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.7.0

12Nov/14Off

Asterisk 11.14.0 Released

On 10 November 2014, the Asterisk Development Team announced the release of Asterisk 11.14.0.

From the original post:
The release of Asterisk 11.14.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
Cohen)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24384 - chan_motif: format capabilities leak on module
load error (Reported by Corey Farrell)
* ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
(Reported by Corey Farrell)
* ASTERISK-24378 - Release AMI connections on shutdown (Reported
by Corey Farrell)
* ASTERISK-24354 - AMI sendMessage closes AMI connection on error
(Reported by Peter Katzmann)
* ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
* ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
incorrectly attempted (Reported by Joshua Colp)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
received for component (Reported by Kevin Harwell)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
Corey Farrell)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-23846 - Unistim multilines. Loss of voice after second
call drops (on a second line). (Reported by Rustam Khankishyiev)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
leak (Reported by Corey Farrell)
* ASTERISK-24430 - missing letter "p" in word response in
OriginateResponse event documentation (Reported by Dafi Ni)
* ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
Corey Farrell)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24304 - asterisk crashing randomly because of unistim
channel (Reported by dhanapathy sathya)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24466 - app_queue: fix a couple leaks to struct
call_queue (Reported by Corey Farrell)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0

12Nov/14Off

Asterisk 1.8.32.0 Released

On 10 November 2014, the Asterisk Development Team announced the release of Asterisk 1.8.32.0.

From the original post:
The release of Asterisk 1.8.32.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.32.0

26Oct/14Off

Asterisk 13.0.0 Released

On 25 October 2014, the Asterisk Development Team announced the release of Asterisk 13.0.0.

From the original post:
Asterisk 13 is the next major release series of Asterisk. It is a Long Term
Support (LTS) release, similar to Asterisk 11. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

For important information regarding upgrading to Asterisk 13, please see the
Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13

A short list of new features includes:

* Asterisk security events are now provided via AMI, allowing end users to
monitor their Asterisk system in real time for security related issues.

* Both AMI and ARI now allow external systems to control the state of a mailbox.
Using AMI actions or ARI resources, external systems can programmatically
trigger Message Waiting Indicators (MWI) on subscribed phones. This is of
particular use to those who want to build their own VoiceMail application
using ARI.

* ARI now supports the reception/transmission of out of call text messages using
any supported channel driver/protocol stack through ARI. Users receive out of
call text messages as JSON events over the ARI websocket connection, and can
send out of call text messages using HTTP requests.

* The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act
as a Resource List Server. This includes defining lists of presence state,
mailbox state, or lists of presence state/mailbox state; managing
subscriptions to lists; and batched delivery of NOTIFY requests to
subscribers.

* The PJSIP stack can now be used as a means of distributing device state or
mailbox state via PUBLISH requests to other Asterisk instances. This is
analogous to Asterisk's clustering support using XMPP or Corosync; unlike
existing clustering mechanisms, using the PJSIP stack to perform the
distribution of state does not rely on another daemon or server to perform the
work.

And much more!

More information about the new features can be found on the Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Documentation

A full list of all new features can also be found in the CHANGES file:

http://svnview.digium.com/svn/asterisk/branches/13/CHANGES

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0

21Oct/14Off

AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

On 20 October 2014, the Asterisk Development Team announced the release of AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability.

From the original post:
Asterisk Project Security Advisory - AST-2014-011

Product:            Asterisk
Summary:            Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory: Unauthorized Data Disclosure
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Medium
Exploits Known:     No
Reported On:        16 October 2014
Reported By:        abelbeck
Posted On:          20 October 2014
Last Updated On:    October 20, 2014
Advisory Contact:   Matt Jordan
CVE Name:           CVE-2014-3566

Description: The POODLE vulnerability - described under CVE-2014-3566 - is
described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
This advisory describes the Asterisk project's susceptibility
to this vulnerability.

The POODLE vulnerability consists of two issues:

1) A vulnerability in the SSL protocol version 3.0. This
vulnerability has no known solution.

2) The ability to force a fallback to SSLv3 when a TLS
connection is negotiated.

Asterisk is susceptible to both portions of the vulnerability
in different places.

1) The res_jabber and res_xmpp module both use SSLv3
exclusively, and are hence susceptible to POODLE.

2) The core TLS handling, used by the chan_sip channel driver,
Asterisk Manager Interface (AMI), and the Asterisk HTTP
server, defaults to allowing SSLv3/SSLv2 fallback. This allows
a MITM to potentially force a connection to fallback to SSLv3,
exposing it to the POODLE vulnerability.

Resolution: Asterisk has been patched such that it no longer uses SSLv3
for the res_jabber/res_xmpp modules. Additionally, when the
encryption method is not specified, the default handling in
the TLS core no longer allows for a fallback to SSLv3 or
SSLv2.

1) Users of Asterisk's res_jabber or res_xmpp modules should
upgrade to the versions of Asterisk specified in this
advisory.

2) Users of Asterisk's chan_sip channel driver, AMI, and
HTTP server may set the "tlsclientmethod" or
"sslclientmethod" to "tlsv1" to force TLSv1 as the only
allowed encryption method. Alternatively, they may also
upgrade to the versions of Asterisk specified in this
advisory. Users of Asterisk are encouraged to NOT specify
"sslv2" or "sslv3". Doing so will now emit a WARNING.

Affected Versions
Product                 Release Series
Asterisk Open Source    1.8.x             All versions
Asterisk Open Source    11.x              All versions
Asterisk Open Source    12.x              All versions
Certified Asterisk      1.8.28            All versions
Certified Asterisk      11.6              All versions

Corrected In
Product                 Release
Asterisk Open Source    1.8.31.1, 11.13.1, 12.6.1
Certified Asterisk      1.8.28-cert2, 11.6-cert7

Patches
SVN URL                                                                Revision
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff       Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff        Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2014-011-12.diff        Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.28.diff    Certified Asterisk 1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-011-11.6.diff      Certified Asterisk 11.6

Links: https://issues.asterisk.org/jira/browse/ASTERISK-24425

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-011.pdf and
http://downloads.digium.com/pub/security/AST-2014-011.html

Revision History
Date          Editor         Revisions Made
October 19    Matt Jordan    Initial Revision
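
The check implied by the advisory's Resolution section, as an added example (not part of the advisory or of the Asterisk project's code): a Python audit that scans Asterisk-style configuration text for the "tlsclientmethod" / "sslclientmethod" values the advisory names. The sample files are constructed, and the tlsenable/sslenable option names and the verdict labels are assumptions of this example.

```python
import re

# Option names quoted in the advisory; either spelling may appear in a config.
METHOD_KEYS = {"tlsclientmethod", "sslclientmethod"}
# Assumption (not on the page): TLS is switched on per section with tlsenable/sslenable.
ENABLE_KEYS = {"tlsenable", "sslenable"}
# Values the advisory tells users NOT to specify.
WEAK_METHODS = {"sslv2", "sslv3"}

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
# Asterisk accepts both "key = value" and "key => value".
SETTING_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=>?\s*(.*)$")
# A ';' starts a comment unless it is escaped as '\;'.
COMMENT_RE = re.compile(r"(?<!\\);.*$")


def parse_sections(text):
    """Return {section: {key: value}}, lower-cased; the last assignment wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip().lower()
    return sections


def audit(name, text):
    """Return (file, section, verdict, detail) tuples for one config file.

    WEAK    - sslv2/sslv3 set explicitly (patched releases emit a WARNING).
    OK      - tlsv1 set explicitly, the workaround given in the advisory.
    REVIEW  - some other value, not covered by the advisory.
    DEFAULT - TLS enabled but no method set; whether this permits SSLv3/SSLv2
              fallback depends on running a release listed under "Corrected In".
    """
    findings = []
    for section, opts in parse_sections(text).items():
        methods = {k: v for k, v in opts.items() if k in METHOD_KEYS}
        tls_on = any(opts.get(k) in ("yes", "true", "1", "on") for k in ENABLE_KEYS)
        for key, value in methods.items():
            if value in WEAK_METHODS:
                verdict = "WEAK"
            elif value == "tlsv1":
                verdict = "OK"
            else:
                verdict = "REVIEW"
            findings.append((name, section, verdict, f"{key}={value}"))
        if tls_on and not methods:
            findings.append((name, section, "DEFAULT", "no client method set"))
    return findings


def audit_all(files):
    """Audit a {filename: text} mapping and return all findings."""
    results = []
    for name, text in files.items():
        results.extend(audit(name, text))
    return results


# Constructed sample configs, one per component named in the advisory
# (chan_sip, AMI, HTTP server); they are not taken from a real system.
SAMPLES = {
    "sip.conf": """
[general]
tlsenable = yes
tlsclientmethod = sslv3   ; legacy setting
""",
    "manager.conf": """
[general]
enabled = yes
tlsenable = yes
""",
    "http.conf": """
[general]
tlsenable = yes
sslclientmethod = tlsv1
""",
}

if __name__ == "__main__":
    for file_name, section, verdict, detail in audit_all(SAMPLES):
        print(f"{verdict:8} {file_name} [{section}] {detail}")
```

A DEFAULT finding is not a verdict by itself: pair it with the installed Asterisk version and the "Corrected In" list above.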