ASTERWEB Blog

30 May 2016

Group photo at the end of the “Advanced Asterisk 13 Course”

We thank all the participants in the course.


14 May 2016

Asterisk 13.9.1 released

On 13 May 2016, the Asterisk Development Team announced the release of Asterisk 13.9.1.

From the original post:

The release of Asterisk 13.9.1 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-26007 - res_pjsip: Endpoints deleting early after upgrade from 13.8.2 to 13.9 (Reported by Greg Siemon)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.9.1

12 May 2016

Features and services (not price) draw SMBs to VoIP

According to recent research by Frost & Sullivan, over the next five years a significant number of small and medium-sized businesses will adopt cloud-based telephony solutions or hosted PBXs. “SMBs and start-ups typically subscribe to fully cloud-based or hosted Unified Communications platforms for the benefits and flexibility they pass on to the user,” said analyst Wonjae Shim. According to the researchers' estimates, the hosted IP PBX market for SMBs in North America alone will reach 350 million dollars over the next 5 years and peak at one billion dollars by 2021, the year in which the total market volume in Europe will stand at 17.93 billion dollars.

The Research and Markets study indicates that the “early adopters” of hosted IP telephony and UCC services in Europe are primarily SMBs, because they typically have more limited budgets and IT staff, or skills that are not always sufficient to install and manage advanced telecommunications solutions on site.

That purchase price and total operating cost matter is beyond doubt, but according to Frost & Sullivan they are not the only driver of the decision to migrate to hosted VoIP PBXs. According to the analysts, “SMBs want to take advantage of ‘as a Service’ telephony solutions because they offer advanced features specifically developed to improve business communications and internal operations”.

10 May 2016

Asterisk 13.9.0 released

On 9 May 2016, the Asterisk Development Team announced the release of Asterisk 13.9.0.

From the original post:

The release of Asterisk 13.9.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25963 - func_odbc requires reconnect checks for stale connections (Reported by Ross Beer)
* ASTERISK-25970 - Segfault in pjsip_url_compare (Reported by Dmitriy Serov)
* ASTERISK-25938 - res_odbc: MySQL/MariaDB statement LAST_INSERT_ID() always returns zero. (Reported by Edwin Vandamme)
* ASTERISK-25927 - Removed option "registertrying" is still documented in sip.conf.sample (Reported by Etienne Lessard)
* ASTERISK-25947 - Protocol transfers to stasis applications are missing the StasisStart with the replace_channel object. (Reported by Richard Mudgett)
* ASTERISK-24649 - Pushing of channel into bridge fails; Stasis fails to get app name (Reported by John Bigelow)
* ASTERISK-24782 - StasisEnd event not present for channel that was swapped out for another after completing attended transfer (Reported by John Bigelow)
* ASTERISK-25942 - res_pjsip_caller_id: Transfer results in mixed ConnectedLine information (Reported by George Joseph)
* ASTERISK-25928 - res_pjsip: URI validation done outside of PJSIP thread (Reported by Joshua Colp)
* ASTERISK-25929 - res_pjsip_registrar: AOR_CONTACT_ADDED events not raised (Reported by Joshua Colp)
* ASTERISK-25934 - chan_sip should not require sipregs or updateable sippeers table unless rt (Reported by Jaco Kroon)
* ASTERISK-25888 - Frequent segfaults in function can_ring_entry() of app_queue.c (Reported by Sébastien Couture)
* ASTERISK-25796 - res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES (Reported by George Joseph)
* ASTERISK-25707 - Long contact URIs or hostnames can crash pjproject/Asterisk under certain conditions (Reported by George Joseph)
* ASTERISK-25123 - Bracketed IPv6 Contact header parameter unparsable with Asterisk/PJSIP (Reported by Anthony Messina)
* ASTERISK-25874 - app_voicemail: Stack buffer overflow in test_voicemail_notify_endl (Reported by Badalian Vyacheslav)
* ASTERISK-25912 - chan_local passes AST_CONTROL_PVT_CAUSE_CODE without adding them to the local hangupcauses via ast_channel_hangupcause_hash_set (Reported by Jaco Kroon)
* ASTERISK-25885 - res_pjsip: Race condition between adding contact and automatic expiration (Reported by Joshua Colp)
* ASTERISK-25910 - pjproject: Via headers are not parsed when "received" contains an IPv6 address (Reported by George Joseph)
* ASTERISK-25890 - Asterisk 13.8.0 alembic database update fails (Reported by Harley Peters)
* ASTERISK-25894 - [patch] webrtc video broken due to missing marker bits in RTP streams (Reported by Jacek Konieczny)
* ASTERISK-25854 - No audio after HOLD/RESUME - incorrect a=recvonly in SDP from Asterisk (Reported by Robert McGilvray)
* ASTERISK-25873 - res_pjsip: Bundled pjproject: compile error, cannot find -lasteriskpj (Reported by Hans van Eijsden)
* ASTERISK-25882 - ARI: Crash can occur due to race condition when attempting to operate on a hung up channel (Part 2) (Reported by Richard Mudgett)
* ASTERISK-25867 - [patch] Video delay on app_echo (Reported by Jacek Konieczny)
* ASTERISK-24605 - res_parking option parkeddynamic does not work with the core Features 'parkcall' (DTMF initiated parking) (Reported by Philip Correia)
* ASTERISK-25826 - PJSIP / Sorcery slow load from realtime (Reported by Ross Beer)
* ASTERISK-24596 - Unclear how to use Park application with res_parking 'parkeddynamic' enabled. Documentation? (Reported by Philip Correia)
* ASTERISK-24543 - Asterisk 13 responds to SIP Invite with all possible codecs configured for peer as opposed to intersection of configured codecs and offered codecs (Reported by Taylor Hawkes)
* ASTERISK-25825 - Crashes during shutdown when running CLI commands (Reported by Mark Michelson)
* ASTERISK-25407 - Asterisk fails to log to multiple syslog destinations (Reported by Elazar Broad)
* ASTERISK-25510 - [patch]Log to syslog failing (Reported by Michael Newton)
* ASTERISK-25857 - func_aes: incorrect use of strlen() leads to data corruption (Reported by Gianluca Merlo)

Improvements made in this release:
-----------------------------------
* ASTERISK-25865 - Message-Account Missing From PJSIP MWI (Reported by Ross Beer)
* ASTERISK-25444 - [patch]Music On Hold Warning misleading (Reported by Conrad de Wet)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.9.0

22 April 2016

Asterisk 13.8.2 released

On 20 April 2016, the Asterisk Development Team announced the release of Asterisk 13.8.2.

From the original post:

The release of Asterisk 13.8.2 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25929 - res_pjsip_registrar: AOR_CONTACT_ADDED events not raised (Reported by Joshua Colp)
* ASTERISK-25928 - res_pjsip: URI validation done outside of PJSIP thread (Reported by Joshua Colp)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.8.2

15 April 2016

AST-2016-005: TCP denial of service in PJProject

               Asterisk Project Security Advisory - AST-2016-005

Product: Asterisk
Summary: TCP denial of service in PJProject
Nature of Advisory: Crash/Denial of Service
Susceptibility: Remote Unauthenticated Sessions
Severity: Critical
Exploits Known: No
Reported On: February 15, 2016
Reported By: George Joseph
Posted On:
Last Updated On: March 3, 2016
Advisory Contact: Mark Michelson <mark DOT michelson AT digium DOT com>
CVE Name:

Description: PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60.

An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk.

If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject.

If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.

Note that this only affects TCP/TLS, since UDP is connectionless. Also note that this does not affect chan_sip.

Resolution: PJProject has a compile-time constant that controls the maximum number of TCP connections that can be handled. Those who compile PJProject on their own are encouraged to set this to a value that is more amenable to the number of TCP connections that Asterisk should be able to handle. In PJProject's pjlib/include/pj/config_site.h, add the following prior to compiling PJProject:

# define PJ_IOQUEUE_MAX_HANDLES (FD_SETSIZE)

This is part of a larger set of recommended definitions to place in config_site.h of PJProject. See the Asterisk "Building and Installing PJProject" wiki page for other recommended settings.

Packagers of PJProject have updated their packages to have these constants defined, so if your package is kept up to date, you should already be fine.

In addition, the Asterisk project has recently been modified to be able to perform a static build of PJProject. By running the Asterisk configure script with the --with-pjproject-bundled option, the latest PJProject will be downloaded and installed, and the compile-time constants will be set to appropriate values.

Asterisk has also been updated to monitor incoming TCP connections. If a TCP connection is opened and no SIP request is received on that connection within a certain amount of time, then Asterisk will shut down the connection.
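As an added illustration (not PJProject or Asterisk code), the following C model shows the two mitigations the advisory describes side by side: a hard cap on accepted handles, in the role PJ_IOQUEUE_MAX_HANDLES plays in PJProject, and an idle-connection monitor that closes any accepted TCP connection that has not delivered a SIP request within a timeout. The handle limit (8), the 30 second idle window and the descriptor numbers are assumed values for the demonstration; a real server would call close() where close_fn is invoked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed demonstration values: a deliberately small handle limit (the role
 * PJ_IOQUEUE_MAX_HANDLES plays in PJProject) and a 30 second idle window. */
#define MAX_HANDLES  8
#define IDLE_TIMEOUT 30

struct conn {
    int  fd;            /* socket descriptor, -1 when the slot is free */
    long accepted_at;   /* monotonic seconds at accept() time */
    bool got_request;   /* a complete SIP request has been read */
};

struct conn_table {
    struct conn slots[MAX_HANDLES];
    int in_use;
};

void table_init(struct conn_table *t)
{
    memset(t, 0, sizeof(*t));
    for (int i = 0; i < MAX_HANDLES; i++)
        t->slots[i].fd = -1;
}

/* Register a freshly accepted socket. Returns false when every handle is in
 * use; the caller must then close the socket rather than keep it around. */
bool table_accept(struct conn_table *t, int fd, long now)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (t->slots[i].fd == -1) {
            t->slots[i].fd = fd;
            t->slots[i].accepted_at = now;
            t->slots[i].got_request = false;
            t->in_use++;
            return true;
        }
    }
    return false;   /* handle limit reached: the pre-fix server stays here forever */
}

/* Record that a SIP request arrived on fd; such a connection is never reaped. */
bool table_mark_request(struct conn_table *t, int fd)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (t->slots[i].fd == fd) {
            t->slots[i].got_request = true;
            return true;
        }
    }
    return false;
}

/* The idle monitor: close every connection still silent after IDLE_TIMEOUT.
 * close_fn (close() in a real server; may be NULL) is invoked per reaped fd.
 * Returns how many connections were reaped. */
int table_reap_idle(struct conn_table *t, long now, void (*close_fn)(int))
{
    int reaped = 0;
    for (int i = 0; i < MAX_HANDLES; i++) {
        struct conn *c = &t->slots[i];
        if (c->fd == -1 || c->got_request)
            continue;
        if (now - c->accepted_at >= IDLE_TIMEOUT) {
            if (close_fn)
                close_fn(c->fd);
            c->fd = -1;
            t->in_use--;
            reaped++;
        }
    }
    return reaped;
}

/* Scenario from the advisory: silent connections occupy every handle, so a
 * legitimate peer is refused; after the idle monitor runs the handles return.
 * Returns the number of handles the monitor freed (7: one peer did talk). */
int demo_silent_flood(void)
{
    struct conn_table t;
    table_init(&t);
    for (int fd = 3; fd < 3 + MAX_HANDLES; fd++)
        table_accept(&t, fd, 0);                 /* eight connections at t=0 */
    table_mark_request(&t, 3);                   /* only fd 3 sends a request */
    bool refused = !table_accept(&t, 99, 5);     /* table full: peer refused */
    int freed = table_reap_idle(&t, IDLE_TIMEOUT, NULL);
    bool accepted = table_accept(&t, 99, IDLE_TIMEOUT);
    printf("refused while flooded: %d, freed by monitor: %d, accepted after: %d\n",
           refused, freed, accepted);
    return freed;
}

int main(void)
{
    demo_silent_flood();
    return 0;
}
```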

Affected Versions
Product                 Release Series
Asterisk Open Source    13.x              All Versions

Corrected In
Product                 Release
Asterisk Open Source    13.8.1
Certified Asterisk      13.1-cert5

Patches
SVN URL    Revision

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-005.pdf and
http://downloads.digium.com/pub/security/AST-2016-005.html

15 April 2016

AST-2016-004: Long Contact URIs in REGISTER requests can crash Asterisk

               Asterisk Project Security Advisory - AST-2016-004

Product: Asterisk
Summary: Long Contact URIs in REGISTER requests can crash Asterisk
Nature of Advisory: Remote Crash
Susceptibility: Remote Authenticated Sessions
Severity: Major
Exploits Known: No
Reported On: January 19, 2016
Reported By: George Joseph
Posted On:
Last Updated On: February 10, 2016
Advisory Contact: Mark Michelson <mmichelson AT digium DOT com>
CVE Name:

Description: Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI.

This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring.

This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.

Resolution: Measures have been put in place to ensure that REGISTER requests with long Contact URIs are rejected instead of causing a crash.

Affected Versions
Product                 Release Series
Asterisk Open Source    11.x              Unaffected
Asterisk Open Source    13.x              All versions
Certified Asterisk      11.6              Unaffected
Certified Asterisk      13.1              All versions

Corrected In
Product                 Release
Asterisk Open Source    13.8.1
Certified Asterisk      13.1-cert5

Patches
SVN URL    Revision

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-004.pdf and
http://downloads.digium.com/pub/security/AST-2016-004.html

2 April 2016

Kamailio version 4.4.0 released


After many months of development, the Kamailio development team has released the new Kamailio version 4.4.0.

CHANGELOG

30 March 2016

Asterisk 13.8.0 released

On 29 March 2016, the Asterisk Development Team announced the release of Asterisk 13.8.0.

From the original post:

The release of Asterisk 13.8.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-24919 - res_pjsip_config_wizard: Ability to write contents to file (Reported by Ray Crumrine)
* ASTERISK-25670 - Add regcontext to PJSIP (Reported by Daniel Journo)
* ASTERISK-25480 - [patch]Add field PauseReason on QueueMemberStatus (Reported by Rodrigo Ramirez Norambuena)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25849 - chan_pjsip: transfers with direct media sometimes drops audio (Reported by Kevin Harwell)
* ASTERISK-25113 - install_prereq in Debian 8 without "standard system utilities" (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25814 - Segfault at f ip in res_pjsip_refer.so (Reported by Sergio Medina Toledo)
* ASTERISK-25023 - Deadlock in chan_sip in update_provisional_keepalive (Reported by Arnd Schmitter)
* ASTERISK-25321 - [patch]DeadLock ChanSpy with call over Local channel (Reported by Filip Frank)
* ASTERISK-25829 - res_pjsip: PJSIP does not accept spaces when separating multiple AORs (Reported by Mateusz Kowalski)
* ASTERISK-25771 - ARI:Crash - Attended transfers of channels into Stasis application. (Reported by Javier Riveros)
* ASTERISK-25830 - Revision 2451d4e breaks NAT (Reported by Sean Bright)
* ASTERISK-25582 - Testsuite: Reactor timeout error in tests/fax/pjsip/directmedia_reinvite_t38 (Reported by Matt Jordan)
* ASTERISK-25811 - Unable to delete object from sorcery cache (Reported by Ross Beer)
* ASTERISK-25800 - [patch] Calculate talktime when is first call answered (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25727 - RPM build requires OPTIONAL_API cflag due to PJSIP requirement (Reported by Gergely Dömsödi)
* ASTERISK-25337 - Crash on PJSIP_HEADER Add P-Asserted-Identity when calling from Gosub (Reported by Jacques Peacock)
* ASTERISK-25738 - res_pjsip_pubsub: Crash while executing OutboundSubscriptionDetail ami action (Reported by Kevin Harwell)
* ASTERISK-25721 - [patch] res_phoneprov: memory leak and heap-use-after-free (Reported by Badalian Vyacheslav)
* ASTERISK-25272 - [patch]The ICONV dialplan function sometimes returns garbage (Reported by Etienne Lessard)
* ASTERISK-25751 - res_pjsip: Support pjsip_dlg_create_uas_and_inc_lock (Reported by Joshua Colp)
* ASTERISK-25606 - Core dump when using transports in sorcery (Reported by Martin Moučka)
* ASTERISK-20987 - non-admin users, who join muted conference are not being muted (Reported by hristo)
* ASTERISK-25737 - res_pjsip_outbound_registration: line option not in Alembic (Reported by Joshua Colp)
* ASTERISK-25603 - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash (Reported by Walter Doekes)
* ASTERISK-25742 - Secondary IFP Packets can result in accessing uninitialized pointers and a crash (Reported by Torrey Searle)
* ASTERISK-24972 - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server (Reported by Alex A. Welzl)
* ASTERISK-25397 - [patch]chan_sip: File descriptor leak with non-default timert1 (Reported by Alexander Traud)
* ASTERISK-25702 - PjSip realtime DB and Cache Errors since upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2 (Reported by Nic Colledge)
* ASTERISK-25730 - build: make uninstall after make distclean tries to remove root (Reported by George Joseph)
* ASTERISK-25725 - core: Incorrect XML documentation may result in weird behavior (Reported by Joshua Colp)
* ASTERISK-25722 - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect (Reported by Badalian Vyacheslav)
* ASTERISK-25709 - ARI: Crash can occur due to race condition when attempting to operate on a hung up channel (Reported by Mark Michelson)
* ASTERISK-25714 - ASAN:heap-buffer-overflow in logger.c (Reported by Badalian Vyacheslav)
* ASTERISK-25685 - infrastructure: Run alembic in Jenkins build script (Reported by Joshua Colp)
* ASTERISK-25712 - Second call to already-on-call phone and Asterisk sends "Ready" (Reported by Richard Mudgett)
* ASTERISK-24801 - ASAN: ast_el_read_char stack-buffer-overflow (Reported by Badalian Vyacheslav)
* ASTERISK-25179 - CDR(billsec,f) and CDR(duration,f) report incorrect values (Reported by Gianluca Merlo)
* ASTERISK-25611 - core: threadpool thread_timeout_thrash unit test sporadically failing (Reported by Joshua Colp)
* ASTERISK-24097 - Documentation - CHANNEL function help text missing 'linkedid' argument (Reported by Steven T. Wheeler)
* ASTERISK-25700 - main/config: Clean config maps on shutdown. (Reported by Corey Farrell)
* ASTERISK-25696 - bridge_basic: don't cache xferfailsound during a transfer (Reported by Kevin Harwell)
* ASTERISK-25697 - bridge_basic: don't play an attended transfer fail sound after target hangs up (Reported by Kevin Harwell)
* ASTERISK-25683 - res_ari: Asterisk fails to start if compiled with MALLOC_DEBUG (Reported by yaron nahum)
* ASTERISK-25686 - PJSIP: qualify_timeout is a double, database schema is an integer (Reported by Marcelo Terres)
* ASTERISK-25690 - Hanging up when executing connected line sub does not cause hangup (Reported by Joshua Colp)
* ASTERISK-25687 - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash (Reported by Sean Bright)
* ASTERISK-25632 - res_pjsip_sdp_rtp: RTP is sent from wrong IP address when multihomed (Reported by Olivier Krief)
* ASTERISK-25637 - Multi homed server using wrong IP (Reported by Daniel Journo)
* ASTERISK-25394 - pbx: Incorrect device and presence state when changing hint details (Reported by Joshua Colp)
* ASTERISK-25640 - pbx: Deadlock on features reload and state change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25681 - devicestate: Engine thread is not shut down (Reported by Corey Farrell)
* ASTERISK-25680 - manager: manager_channelvars is not cleaned at shutdown (Reported by Corey Farrell)
* ASTERISK-25679 - res_calendar leaks scheduler. (Reported by Corey Farrell)
* ASTERISK-25675 - Endpoint not listed as Unreachable (Reported by Daniel Journo)
* ASTERISK-25677 - pbx_dundi: leaks during failed load. (Reported by Corey Farrell)
* ASTERISK-25673 - res_crypto leaks CLI entries (Reported by Corey Farrell)
* ASTERISK-25668 - res_pjsip: Deadlock in distributor (Reported by Mark Michelson)
* ASTERISK-25664 - ast_format_cap_append_by_type leaks a reference (Reported by Corey Farrell)
* ASTERISK-25647 - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE (Reported by Aaron An)
* ASTERISK-25317 - asterisk sends too many stun requests (Reported by Stefan Engström)
* ASTERISK-25137 - endpoint stasis messages are delivered twice (Reported by Vitezslav Novy)
* ASTERISK-25116 - res_pjsip: Two PeerStatus AMI messages are sent for every status change (Reported by George Joseph)
* ASTERISK-25641 - bridge: GOTO_ON_BLINDXFR doesn't work on transfer initiated channel (Reported by Dmitry Melekhov)
* ASTERISK-25614 - DTLS negotiation delays (Reported by Dade Brandon)
* ASTERISK-25442 - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c) (Reported by Carlos Oliva)
* ASTERISK-25625 - res_sorcery_memory_cache: Add full backend caching (Reported by Joshua Colp)
* ASTERISK-25601 - json: Audit reference usage and thread safety (Reported by Joshua Colp)
* ASTERISK-25624 - AMI Event OriginateResponse bug (Reported by sungtae kim)

Improvements made in this release:
-----------------------------------
* ASTERISK-25495 - [patch] Prevent old-update packages on repository Debian systems (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25846 - Gracefully deal with Absent Stasis Apps (Reported by Andrew Nagy)
* ASTERISK-25791 - res_pjsip_caller_id: Lack of support for Anonymous (Reported by Anthony Messina)
* ASTERISK-24813 - asterisk.c: #if statement in listener() confuses code folding editors (Reported by Corey Farrell)
* ASTERISK-25767 - [patch] Add check to configure for sanitizes (Reported by Badalian Vyacheslav)
* ASTERISK-25068 - Move commonly used FreePBX extra sounds to the core set (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.8.0

30 March 2016

Asterisk 11.22.0 released

On 29 March 2016, the Asterisk Development Team announced the release of Asterisk 11.22.0.

From the original post:

The release of Asterisk 11.22.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25857 - func_aes: incorrect use of strlen() leads to data corruption (Reported by Gianluca Merlo)
* ASTERISK-25321 - [patch]DeadLock ChanSpy with call over Local channel (Reported by Filip Frank)
* ASTERISK-25800 - [patch] Calculate talktime when is first call answered (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25272 - [patch]The ICONV dialplan function sometimes returns garbage (Reported by Etienne Lessard)
* ASTERISK-20987 - non-admin users, who join muted conference are not being muted (Reported by hristo)
* ASTERISK-24972 - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server (Reported by Alex A. Welzl)
* ASTERISK-25603 - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash (Reported by Walter Doekes)
* ASTERISK-25742 - Secondary IFP Packets can result in accessing uninitialized pointers and a crash (Reported by Torrey Searle)
* ASTERISK-25397 - [patch]chan_sip: File descriptor leak with non-default timert1 (Reported by Alexander Traud)
* ASTERISK-25730 - build: make uninstall after make distclean tries to remove root (Reported by George Joseph)
* ASTERISK-25722 - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect (Reported by Badalian Vyacheslav)
* ASTERISK-25714 - ASAN:heap-buffer-overflow in logger.c (Reported by Badalian Vyacheslav)
* ASTERISK-24801 - ASAN: ast_el_read_char stack-buffer-overflow (Reported by Badalian Vyacheslav)
* ASTERISK-25701 - core: Endless loop in "core show taskprocessors" (Reported by ibercom)
* ASTERISK-25700 - main/config: Clean config maps on shutdown. (Reported by Corey Farrell)
* ASTERISK-25690 - Hanging up when executing connected line sub does not cause hangup (Reported by Joshua Colp)
* ASTERISK-25687 - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash (Reported by Sean Bright)
* ASTERISK-25394 - pbx: Incorrect device and presence state when changing hint details (Reported by Joshua Colp)
* ASTERISK-25640 - pbx: Deadlock on features reload and state change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25681 - devicestate: Engine thread is not shut down (Reported by Corey Farrell)
* ASTERISK-25680 - manager: manager_channelvars is not cleaned at shutdown (Reported by Corey Farrell)
* ASTERISK-25679 - res_calendar leaks scheduler. (Reported by Corey Farrell)
* ASTERISK-25677 - pbx_dundi: leaks during failed load. (Reported by Corey Farrell)
* ASTERISK-25673 - res_crypto leaks CLI entries (Reported by Corey Farrell)
* ASTERISK-25647 - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE (Reported by Aaron An)
* ASTERISK-25614 - DTLS negotiation delays (Reported by Dade Brandon)
* ASTERISK-25442 - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c) (Reported by Carlos Oliva)
* ASTERISK-25624 - AMI Event OriginateResponse bug (Reported by sungtae kim)

Improvements made in this release:
-----------------------------------
* ASTERISK-24813 - asterisk.c: #if statement in listener() confuses code folding editors (Reported by Corey Farrell)
* ASTERISK-25767 - [patch] Add check to configure for sanitizes (Reported by Badalian Vyacheslav)
* ASTERISK-25068 - Move commonly used FreePBX extra sounds to the core set (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.22.0

13 February 2016

Asterisk 11.21.2 released

On 11 February 2016, the Asterisk Development Team announced the release of Asterisk 11.21.2.

From the original post:

The Asterisk Development Team has announced the release of Asterisk 11.21.2.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.21.2 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25770 - Check for OpenSSL defines before trying to use them. (Reported by Kevin Harwell)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.2

7 February 2016

Asterisk 13.7.2 released

On 5 February 2016, the Asterisk Development Team announced the release of Asterisk 13.7.2.

From the original post:

The release of Asterisk 13.7.2 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25702 - PjSip realtime DB and Cache Errors since upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2 (Reported by Nic Colledge)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.7.2

5 February 2016

AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data

               Asterisk Project Security Advisory - AST-2016-003

Product: Asterisk
Summary: Remote crash vulnerability when receiving UDPTL FAX data.
Nature of Advisory: Denial of Service
Susceptibility: Remote Authenticated Sessions
Severity: Minor
Exploits Known: Yes
Reported On: December 2, 2015
Reported By: Walter Doekes, Torrey Searle
Posted On: February 3, 2016
Last Updated On: February 3, 2016
Advisory Contact: Richard Mudgett <rmudgett AT digium DOT com>
CVE Name: Pending

Description: If no UDPTL packets are lost there is no problem. However, a lost packet causes Asterisk to use the available error correcting redundancy packets. If those redundancy packets have zero length then Asterisk uses an uninitialized buffer pointer and length value which can cause invalid memory accesses later when the packet is copied.

Resolution: Upgrade to a released version with the fix incorporated or apply patch.
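The failure the advisory describes, as an added C example that is not Asterisk's udptl.c: a redundancy-aware parser that zero-initializes every IFP pointer and length, bounds every length against the bytes remaining, and treats a zero-length redundancy entry as absent, so recovery of a lost packet can never copy from an unset pointer. The wire layout used here is a constructed simplification (one-byte lengths), not the T.38 ASN.1 PER encoding, and the sample packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REDUNDANCY 4

/* One IFP (T.38 Internet Facsimile Protocol) payload carried by the packet. */
struct ifp {
    const uint8_t *data;   /* NULL when absent */
    size_t len;            /* 0 when absent */
};

struct udptl_pkt {
    uint16_t seq;                          /* sequence number of the primary IFP */
    struct ifp primary;
    size_t n_secondary;                    /* redundancy entries actually present */
    struct ifp secondary[MAX_REDUNDANCY];  /* secondary[i] repeats IFP for seq-1-i */
};

enum { UDPTL_OK = 0, UDPTL_ERR_TRUNCATED = -1, UDPTL_ERR_TOO_MANY = -2 };

/* Constructed simplified layout (NOT the real T.38 ASN.1 PER encoding):
 *   seq(2, big endian) | primary_len(1) | primary bytes |
 *   n_secondary(1) | { sec_len(1) | sec bytes } repeated n_secondary times
 * Every length is checked against the bytes remaining, and the output struct
 * is zeroed first, so no pointer or length field can ever be read unset. */
int udptl_parse(const uint8_t *buf, size_t len, struct udptl_pkt *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof(*out));

    if (len < 4)                           /* seq + primary_len + n_secondary */
        return UDPTL_ERR_TRUNCATED;
    out->seq = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;

    size_t plen = buf[pos++];
    if (plen > len - pos)
        return UDPTL_ERR_TRUNCATED;
    out->primary.data = plen ? buf + pos : NULL;
    out->primary.len = plen;
    pos += plen;

    if (pos >= len)
        return UDPTL_ERR_TRUNCATED;
    size_t nsec = buf[pos++];
    if (nsec > MAX_REDUNDANCY)
        return UDPTL_ERR_TOO_MANY;

    for (size_t i = 0; i < nsec; i++) {
        if (pos >= len)
            return UDPTL_ERR_TRUNCATED;
        size_t slen = buf[pos++];
        if (slen > len - pos)
            return UDPTL_ERR_TRUNCATED;
        /* A zero-length redundancy entry carries nothing: keep data NULL and
         * len 0 rather than pointing at whatever happens to follow. */
        out->secondary[i].data = slen ? buf + pos : NULL;
        out->secondary[i].len = slen;
        pos += slen;
    }
    out->n_secondary = nsec;
    return UDPTL_OK;
}

/* Find the IFP for sequence `want`, primary or redundancy copy. Returns NULL
 * when the packet does not carry it, or carries it with zero length (the case
 * in which the unpatched code went on to copy from an uninitialized buffer). */
const struct ifp *udptl_lookup(const struct udptl_pkt *p, uint16_t want)
{
    if (want == p->seq)
        return p->primary.len ? &p->primary : NULL;
    uint16_t back = (uint16_t)(p->seq - want);   /* distance, wraps at 65535 */
    if (back == 0 || back > p->n_secondary)
        return NULL;
    const struct ifp *s = &p->secondary[back - 1];
    return s->len ? s : NULL;
}

/* Copy the recovered IFP into a caller buffer, bounded by its size.
 * Returns the bytes copied, or 0 when nothing usable is available. */
size_t udptl_recover(const struct udptl_pkt *p, uint16_t want,
                     uint8_t *dst, size_t dst_len)
{
    const struct ifp *f = udptl_lookup(p, want);
    if (!f || f->len > dst_len)
        return 0;
    memcpy(dst, f->data, f->len);
    return f->len;
}

/* Constructed sample: seq 7 carries "ABC"; the redundancy copy for seq 6 is
 * "yz" and the entry for seq 5 is zero-length, the shape the advisory warns about. */
static const uint8_t SAMPLE_PKT[] = {
    0x00, 0x07,            /* seq = 7 */
    0x03, 'A', 'B', 'C',   /* primary IFP, 3 bytes */
    0x02,                  /* two redundancy entries follow */
    0x02, 'y', 'z',        /* copy for seq 6 */
    0x00                   /* copy for seq 5: zero-length */
};
const size_t SAMPLE_PKT_LEN = sizeof(SAMPLE_PKT);

int main(void)
{
    struct udptl_pkt pkt;
    uint8_t out[16];
    if (udptl_parse(SAMPLE_PKT, SAMPLE_PKT_LEN, &pkt) != UDPTL_OK)
        return 1;
    for (uint16_t s = 4; s <= 7; s++)   /* seq 4 absent, seq 5 empty: 0 bytes */
        printf("seq %u: %zu bytes recovered\n", s, udptl_recover(&pkt, s, out, sizeof(out)));
    return 0;
}
```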

Affected Versions
Product                 Release Series
Asterisk Open Source    1.8.x             All versions
Asterisk Open Source    11.x              All versions
Asterisk Open Source    12.x              All versions
Asterisk Open Source    13.x              All versions
Certified Asterisk      1.8.28            All versions
Certified Asterisk      11.6              All versions
Certified Asterisk      13.1              All versions

Corrected In
Product                 Release
Asterisk Open Source    11.21.1, 13.7.1
Certified Asterisk      11.6-cert12, 13.1-cert3

Patches
SVN URL                                                               Revision
http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff   Certified Asterisk 1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff     Certified Asterisk 11.6
http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff     Certified Asterisk 13.1
http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff      Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff       Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff       Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff       Asterisk 13

Links https://issues.asterisk.org/jira/browse/ASTERISK-25603

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-003.pdf and
http://downloads.digium.com/pub/security/AST-2016-003.html

5 February 2016

AST-2016-002: File descriptor exhaustion in chan_sip

               Asterisk Project Security Advisory - AST-2016-002

Product: Asterisk
Summary: File descriptor exhaustion in chan_sip
Nature of Advisory: Denial of Service
Susceptibility: Remote Unauthenticated Sessions
Severity: Minor
Exploits Known: Yes
Reported On: September 17, 2015
Reported By: Alexander Traud
Posted On: February 3, 2016
Last Updated On: February 3, 2016
Advisory Contact: Richard Mudgett <rmudgett AT digium DOT com>
CVE Name: Pending

Description: Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout values hold system file descriptors hostage and can cause the system to run out of file descriptors.

Resolution: Setting the sip.conf timert1 value to 1245 or lower will not exhibit the vulnerability. The default timert1 value is 500. Asterisk has been patched to detect the integer overflow and calculate the previous retransmission timer value.
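The arithmetic behind this advisory, as an added C example that is not chan_sip's own code: a retransmission timeout computed as T1 multiplied by a doubling multiplier in a 32-bit int wraps negative once the product passes INT_MAX, and a timer armed with such a value is never serviced normally, so the descriptor stays open. The checked version refuses the multiply that would overflow and reuses the previous timer value, as the advisory says the patch does. The doubling schedule and the 4000 ms non-INVITE cap are a simplified model and are assumptions; where the exact threshold falls (the advisory gives 1245) depends on how many doublings chan_sip performs before it gives up, which this model does not reproduce.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NON_INVITE_CAP_MS 4000   /* assumed ceiling for non-INVITE retransmits */

/* The vulnerable arithmetic: T1 * timer_a in a 32-bit int wraps once the
 * product passes INT_MAX. Done through unsigned arithmetic so the example is
 * well-defined; the result is the two's-complement wrap a plain int gets. */
int naive_retrans_ms(int t1, int timer_a)
{
    uint32_t wrapped = (uint32_t)t1 * (uint32_t)timer_a;
    return (int)(int32_t)wrapped;
}

/* Hardened form: detect that t1 * timer_a would exceed INT_MAX before
 * multiplying. Returns -1 on overflow or on non-positive input. */
int checked_retrans_ms(int t1, int timer_a)
{
    if (t1 <= 0 || timer_a <= 0)
        return -1;
    if (timer_a > INT_MAX / t1)
        return -1;
    return t1 * timer_a;
}

/* Walk `steps` doublings of timer_a (2, 4, 8, ...). naive_out[] receives the
 * wrapped products; safe_out[] receives the checked value, falling back to the
 * previous timer value on overflow and capped for non-INVITE requests.
 * Returns the index of the first step where the naive value went negative,
 * or -1 if it never did. */
int retrans_schedule(int t1, int steps, int *naive_out, int *safe_out)
{
    int timer_a = 1;
    int last_ok = t1;          /* most recent timer value that did not overflow */
    int first_bad = -1;
    for (int i = 0; i < steps; i++) {
        if (timer_a <= INT_MAX / 2)
            timer_a *= 2;      /* the multiplier itself must not overflow either */
        int naive = naive_retrans_ms(t1, timer_a);
        int safe = checked_retrans_ms(t1, timer_a);
        if (safe < 0)
            safe = last_ok;    /* overflow: keep the previous retransmit timer */
        last_ok = safe;
        if (naive < 0 && first_bad < 0)
            first_bad = i;
        naive_out[i] = naive;  /* a negative value here is what holds the fd */
        safe_out[i] = safe > NON_INVITE_CAP_MS ? NON_INVITE_CAP_MS : safe;
    }
    return first_bad;
}

int main(void)
{
    int naive[24], safe[24];
    int t1_values[] = { 500, 1245 };   /* the default and the advisory's limit */
    for (int k = 0; k < 2; k++) {
        int bad = retrans_schedule(t1_values[k], 24, naive, safe);
        printf("timert1=%d: naive timer goes negative at doubling %d "
               "(value %d); checked schedule ends at %d ms\n",
               t1_values[k], bad + 1, bad >= 0 ? naive[bad] : 0, safe[23]);
    }
    return 0;
}
```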

Affected Versions
Product                 Release Series
Asterisk Open Source    1.8.x             All versions
Asterisk Open Source    11.x              All versions
Asterisk Open Source    12.x              All versions
Asterisk Open Source    13.x              All versions
Certified Asterisk      1.8.28            All versions
Certified Asterisk      11.6              All versions
Certified Asterisk      13.1              All versions

Corrected In
Product                 Release
Asterisk Open Source    11.21.1, 13.7.1
Certified Asterisk      11.6-cert12, 13.1-cert3

Patches
SVN URL                                                               Revision
http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff   Certified Asterisk 1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff     Certified Asterisk 11.6
http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff     Certified Asterisk 13.1
http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff      Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff       Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff       Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff       Asterisk 13

Links https://issues.asterisk.org/jira/browse/ASTERISK-25397

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-002.pdf and
http://downloads.digium.com/pub/security/AST-2016-002.html

5 February 2016

AST-2016-001: BEAST vulnerability in HTTP server

               Asterisk Project Security Advisory - AST-2016-001

Product: Asterisk
Summary: BEAST vulnerability in HTTP server
Nature of Advisory: Unauthorized data disclosure due to man-in-the-middle attack
Susceptibility: Remote unauthenticated sessions
Severity: Minor
Exploits Known: Yes
Reported On: 04/15/15
Reported By: Alex A. Welzl
Posted On: 02/03/16
Last Updated On: February 3, 2016
Advisory Contact: Joshua Colp <jcolp AT digium DOT com>
CVE Name: Pending

Description: The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.

Resolution: Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability.

Affected Versions
Product                 Release Series
Asterisk Open Source    1.8.x             All Versions
Asterisk Open Source    11.x              All Versions
Asterisk Open Source    12.x              All Versions
Asterisk Open Source    13.x              All Versions
Certified Asterisk      1.8.28            All Versions
Certified Asterisk      11.6              All Versions
Certified Asterisk      13.1              All Versions

Corrected In
Product                 Release
Asterisk Open Source    11.21.1, 13.7.1
Certified Asterisk      11.6-cert12, 13.1-cert3

Patches
SVN URL                                                               Revision
http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff   Certified Asterisk 1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff     Certified Asterisk 11.6
http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff     Certified Asterisk 13.1
http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff       Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff       Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff       Asterisk 13

Links https://issues.asterisk.org/jira/browse/ASTERISK-24972

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-001.pdf and
http://downloads.digium.com/pub/security/AST-2016-001.html