ASTERWEB Blog

22 Apr 2016

Asterisk 13.8.2 released

On 20 April 2016 the Asterisk Development Team announced the release of Asterisk 13.8.2.

From the original post:

The release of Asterisk 13.8.2 resolves several issues reported by the community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25929 - res_pjsip_registrar: AOR_CONTACT_ADDED events not raised (Reported by Joshua Colp)
* ASTERISK-25928 - res_pjsip: URI validation done outside of PJSIP thread (Reported by Joshua Colp)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.8.2

15 Apr 2016

AST-2016-005: TCP denial of service in PJProject

               Asterisk Project Security Advisory - AST-2016-005

Product:            Asterisk
Summary:            TCP denial of service in PJProject
Nature of Advisory: Crash/Denial of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Critical
Exploits Known:     No
Reported On:        February 15, 2016
Reported By:        George Joseph
Posted On:
Last Updated On:    March 3, 2016
Advisory Contact:   Mark Michelson <mark DOT michelson AT digium DOT com>
CVE Name:

Description:

PJProject has a limit on the number of TCP connections it can accept; by default that limit is approximately 60. Furthermore, PJProject does not close TCP connections it has accepted.

An attacker can deplete the number of allowed TCP connections by opening TCP connections to Asterisk and sending no data on them.

If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash Asterisk due to an assertion in PJProject.

If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.

Note that this only affects TCP/TLS, since UDP is connectionless. Also note that this does not affect chan_sip.

Resolution:

PJProject has a compile-time constant that controls the maximum number of TCP connections that can be handled. Those who compile PJProject on their own are encouraged to set this to a value that is more amenable to the number of TCP connections that Asterisk should be able to handle. In PJProject's pjlib/include/pj/config_site.h, add the following prior to compiling PJProject:

    #define PJ_IOQUEUE_MAX_HANDLES (FD_SETSIZE)

This is part of a larger set of recommended definitions to place in config_site.h of PJProject. See the Asterisk "Building and Installing PJProject" wiki page for other recommended settings.

Packagers of PJProject have updated their packages to have these constants defined, so if your package is kept up to date, you should already be fine.

In addition, the Asterisk project has recently been modified to be able to perform a static build of PJProject. By running the Asterisk configure script with the --with-pjproject-bundled option, the latest PJProject will be downloaded and installed, and the compile-time constants will be set to appropriate values.

Asterisk has also been updated to monitor incoming TCP connections. If a TCP connection is opened and no SIP request is received on that connection within a certain amount of time, then Asterisk will shut down the connection.

Affected Versions
  Product                Release Series
  Asterisk Open Source   13.x             All Versions

Corrected In
  Product                Release
  Asterisk Open Source   13.8.1
  Certified Asterisk     13.1-cert5

Patches
SVN URL Revision

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-005.pdf and
http://downloads.digium.com/pub/security/AST-2016-005.html
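The last part of the resolution above (a TCP connection on which no SIP request arrives within a set time is shut down) can be checked from the outside: open a connection, send nothing, and time how long the server keeps it open. The script below is an added example and is not part of the advisory or of Asterisk. The mock listener in it stands in for a SIP-over-TCP port so the probe runs offline, and its idle timeouts are constructed test figures, not Asterisk's defaults; point the probe at a real TCP or TLS transport port to check a deployment.

```python
import socket
import threading
import time
from typing import Optional, Tuple


def start_mock_listener(idle_timeout: Optional[float]) -> Tuple[str, int, threading.Event]:
    """Start a local TCP listener that stands in for a SIP-over-TCP port.

    idle_timeout is a constructed test figure, not an Asterisk default.
    A number: every accepted connection that sends nothing for that many
    seconds is closed, which is the behaviour the advisory describes for
    patched Asterisk.  None: idle connections are never closed, which is
    the pre-fix behaviour (PJProject's handle limit is not modelled).
    Returns (host, port, stop_event); set stop_event to shut it down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick one
    srv.listen(16)
    stop = threading.Event()

    def handle(conn: socket.socket) -> None:
        conn.settimeout(idle_timeout)   # None blocks forever
        try:
            while not stop.is_set():
                if not conn.recv(4096):  # b'' means the peer closed
                    break
                # A real server would parse the SIP request here and
                # reset its idle timer; this mock just keeps reading.
        except socket.timeout:
            pass                        # no request in time: reap it
        finally:
            conn.close()

    def accept_loop() -> None:
        srv.settimeout(0.1)             # poll so stop_event is honoured
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    host, port = srv.getsockname()
    return host, port, stop


def seconds_until_server_closes(host: str, port: int, max_wait: float) -> Optional[float]:
    """Open a connection, send nothing, and wait for the server to close it.

    Returns the seconds that passed before the server hung up, or None if
    the connection was still open after max_wait seconds, i.e. the server
    is not reaping idle TCP connections.
    """
    with socket.create_connection((host, port), timeout=max_wait) as s:
        start = time.monotonic()
        s.settimeout(max_wait)
        try:
            data = s.recv(1)            # returns b'' when the server closes
        except socket.timeout:
            return None
        if data:
            return None                 # server spoke first; treat as still open
        return time.monotonic() - start


def reaps_idle_connections(host: str, port: int, max_wait: float) -> bool:
    """True if an idle connection is closed by the server within max_wait."""
    return seconds_until_server_closes(host, port, max_wait) is not None


if __name__ == "__main__":
    # Demo against the two mock behaviours.
    for timeout in (0.5, None):
        host, port, stop = start_mock_listener(timeout)
        elapsed = seconds_until_server_closes(host, port, max_wait=2.0)
        print(f"idle_timeout={timeout}: server closed after {elapsed}")
        stop.set()
```

The probe opens a single connection, so it only tells you whether idle connections are reaped and after roughly how long; opening enough idle connections to hit the PJProject handle limit against a production system is the denial of service itself, so do that only against a test instance.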

15 Apr 2016

AST-2016-004: Long Contact URIs in REGISTER requests can crash Asterisk

               Asterisk Project Security Advisory - AST-2016-004

Product:            Asterisk
Summary:            Long Contact URIs in REGISTER requests can crash Asterisk
Nature of Advisory: Remote Crash
Susceptibility:     Remote Authenticated Sessions
Severity:           Major
Exploits Known:     No
Reported On:        January 19, 2016
Reported By:        George Joseph
Posted On:
Last Updated On:    February 10, 2016
Advisory Contact:   Mark Michelson <mmichelson AT digium DOT com>
CVE Name:

Description:

Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI.

This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring.

This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.

Resolution:

Measures have been put in place to ensure that REGISTER requests with long Contact URIs are rejected instead of causing a crash.

Affected Versions
  Product                Release Series
  Asterisk Open Source   11.x             Unaffected
  Asterisk Open Source   13.x             All versions
  Certified Asterisk     11.6             Unaffected
  Certified Asterisk     13.1             All versions

Corrected In
  Product                Release
  Asterisk Open Source   13.8.1
  Certified Asterisk     13.1-cert5

Patches
SVN URL Revision

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-004.pdf and
http://downloads.digium.com/pub/security/AST-2016-004.html

2 Apr 2016

Kamailio 4.4.0 released


After many months of development, the Kamailio development team has released the new Kamailio version 4.4.0.

CHANGELOG

30 Mar 2016

Asterisk 13.8.0 released

On 29 March 2016 the Asterisk Development Team announced the release of Asterisk 13.8.0.

From the original post:

The release of Asterisk 13.8.0 resolves several issues reported by the community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-24919 - res_pjsip_config_wizard: Ability to write contents to file (Reported by Ray Crumrine)
* ASTERISK-25670 - Add regcontext to PJSIP (Reported by Daniel Journo)
* ASTERISK-25480 - [patch]Add field PauseReason on QueueMemberStatus (Reported by Rodrigo Ramirez Norambuena)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25849 - chan_pjsip: transfers with direct media sometimes drops audio (Reported by Kevin Harwell)
* ASTERISK-25113 - install_prereq in Debian 8 without "standard system utilities" (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25814 - Segfault at f ip in res_pjsip_refer.so (Reported by Sergio Medina Toledo)
* ASTERISK-25023 - Deadlock in chan_sip in update_provisional_keepalive (Reported by Arnd Schmitter)
* ASTERISK-25321 - [patch]DeadLock ChanSpy with call over Local channel (Reported by Filip Frank)
* ASTERISK-25829 - res_pjsip: PJSIP does not accept spaces when separating multiple AORs (Reported by Mateusz Kowalski)
* ASTERISK-25771 - ARI:Crash - Attended transfers of channels into Stasis application. (Reported by Javier Riveros )
* ASTERISK-25830 - Revision 2451d4e breaks NAT (Reported by Sean Bright)
* ASTERISK-25582 - Testsuite: Reactor timeout error in tests/fax/pjsip/directmedia_reinvite_t38 (Reported by Matt Jordan)
* ASTERISK-25811 - Unable to delete object from sorcery cache (Reported by Ross Beer)
* ASTERISK-25800 - [patch] Calculate talktime when is first call answered (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25727 - RPM build requires OPTIONAL_API cflag due to PJSIP requirement (Reported by Gergely Dömsödi)
* ASTERISK-25337 - Crash on PJSIP_HEADER Add P-Asserted-Identity when calling from Gosub (Reported by Jacques Peacock)
* ASTERISK-25738 - res_pjsip_pubsub: Crash while executing OutboundSubscriptionDetail ami action (Reported by Kevin Harwell)
* ASTERISK-25721 - [patch] res_phoneprov: memory leak and heap-use-after-free (Reported by Badalian Vyacheslav)
* ASTERISK-25272 - [patch]The ICONV dialplan function sometimes returns garbage (Reported by Etienne Lessard)
* ASTERISK-25751 - res_pjsip: Support pjsip_dlg_create_uas_and_inc_lock (Reported by Joshua Colp)
* ASTERISK-25606 - Core dump when using transports in sorcery (Reported by Martin Moučka)
* ASTERISK-20987 - non-admin users, who join muted conference are not being muted (Reported by hristo)
* ASTERISK-25737 - res_pjsip_outbound_registration: line option not in Alembic (Reported by Joshua Colp)
* ASTERISK-25603 - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash (Reported by Walter Doekes)
* ASTERISK-25742 - Secondary IFP Packets can result in accessing uninitialized pointers and a crash (Reported by Torrey Searle)
* ASTERISK-24972 - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server (Reported by Alex A. Welzl)
* ASTERISK-25397 - [patch]chan_sip: File descriptor leak with non-default timert1 (Reported by Alexander Traud)
* ASTERISK-25702 - PjSip realtime DB and Cache Errors since upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2 (Reported by Nic Colledge)
* ASTERISK-25730 - build: make uninstall after make distclean tries to remove root (Reported by George Joseph)
* ASTERISK-25725 - core: Incorrect XML documentation may result in weird behavior (Reported by Joshua Colp)
* ASTERISK-25722 - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect (Reported by Badalian Vyacheslav)
* ASTERISK-25709 - ARI: Crash can occur due to race condition when attempting to operate on a hung up channel (Reported by Mark Michelson)
* ASTERISK-25714 - ASAN:heap-buffer-overflow in logger.c (Reported by Badalian Vyacheslav)
* ASTERISK-25685 - infrastructure: Run alembic in Jenkins build script (Reported by Joshua Colp)
* ASTERISK-25712 - Second call to already-on-call phone and Asterisk sends "Ready" (Reported by Richard Mudgett)
* ASTERISK-24801 - ASAN: ast_el_read_char stack-buffer-overflow (Reported by Badalian Vyacheslav)
* ASTERISK-25179 - CDR(billsec,f) and CDR(duration,f) report incorrect values (Reported by Gianluca Merlo)
* ASTERISK-25611 - core: threadpool thread_timeout_thrash unit test sporadically failing (Reported by Joshua Colp)
* ASTERISK-24097 - Documentation - CHANNEL function help text missing 'linkedid' argument (Reported by Steven T. Wheeler)
* ASTERISK-25700 - main/config: Clean config maps on shutdown. (Reported by Corey Farrell)
* ASTERISK-25696 - bridge_basic: don't cache xferfailsound during a transfer (Reported by Kevin Harwell)
* ASTERISK-25697 - bridge_basic: don't play an attended transfer fail sound after target hangs up (Reported by Kevin Harwell)
* ASTERISK-25683 - res_ari: Asterisk fails to start if compiled with MALLOC_DEBUG (Reported by yaron nahum)
* ASTERISK-25686 - PJSIP: qualify_timeout is a double, database schema is an integer (Reported by Marcelo Terres)
* ASTERISK-25690 - Hanging up when executing connected line sub does not cause hangup (Reported by Joshua Colp)
* ASTERISK-25687 - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash (Reported by Sean Bright)
* ASTERISK-25632 - res_pjsip_sdp_rtp: RTP is sent from wrong IP address when multihomed (Reported by Olivier Krief)
* ASTERISK-25637 - Multi homed server using wrong IP (Reported by Daniel Journo)
* ASTERISK-25394 - pbx: Incorrect device and presence state when changing hint details (Reported by Joshua Colp)
* ASTERISK-25640 - pbx: Deadlock on features reload and state change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25681 - devicestate: Engine thread is not shut down (Reported by Corey Farrell)
* ASTERISK-25680 - manager: manager_channelvars is not cleaned at shutdown (Reported by Corey Farrell)
* ASTERISK-25679 - res_calendar leaks scheduler. (Reported by Corey Farrell)
* ASTERISK-25675 - Endpoint not listed as Unreachable (Reported by Daniel Journo)
* ASTERISK-25677 - pbx_dundi: leaks during failed load. (Reported by Corey Farrell)
* ASTERISK-25673 - res_crypto leaks CLI entries (Reported by Corey Farrell)
* ASTERISK-25668 - res_pjsip: Deadlock in distributor (Reported by Mark Michelson)
* ASTERISK-25664 - ast_format_cap_append_by_type leaks a reference (Reported by Corey Farrell)
* ASTERISK-25647 - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE (Reported by Aaron An)
* ASTERISK-25317 - asterisk sends too many stun requests (Reported by Stefan Engström)
* ASTERISK-25137 - endpoint stasis messages are delivered twice (Reported by Vitezslav Novy)
* ASTERISK-25116 - res_pjsip: Two PeerStatus AMI messages are sent for every status change (Reported by George Joseph)
* ASTERISK-25641 - bridge: GOTO_ON_BLINDXFR doesn't work on transfer initiated channel (Reported by Dmitry Melekhov)
* ASTERISK-25614 - DTLS negotiation delays (Reported by Dade Brandon)
* ASTERISK-25442 - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c) (Reported by Carlos Oliva)
* ASTERISK-25625 - res_sorcery_memory_cache: Add full backend caching (Reported by Joshua Colp)
* ASTERISK-25601 - json: Audit reference usage and thread safety (Reported by Joshua Colp)
* ASTERISK-25624 - AMI Event OriginateResponse bug (Reported by sungtae kim)

Improvements made in this release:
-----------------------------------
* ASTERISK-25495 - [patch] Prevent old-update packages on repository Debian systems (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25846 - Gracefully deal with Absent Stasis Apps (Reported by Andrew Nagy)
* ASTERISK-25791 - res_pjsip_caller_id: Lack of support for Anonymous (Reported by Anthony Messina)
* ASTERISK-24813 - asterisk.c: #if statement in listener() confuses code folding editors (Reported by Corey Farrell)
* ASTERISK-25767 - [patch] Add check to configure for sanitizes (Reported by Badalian Vyacheslav)
* ASTERISK-25068 - Move commonly used FreePBX extra sounds to the core set (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.8.0

30 Mar 2016

Asterisk 11.22.0 released

On 29 March 2016 the Asterisk Development Team announced the release of Asterisk 11.22.0.

From the original post:

The release of Asterisk 11.22.0 resolves several issues reported by the community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25857 - func_aes: incorrect use of strlen() leads to data corruption (Reported by Gianluca Merlo)
* ASTERISK-25321 - [patch]DeadLock ChanSpy with call over Local channel (Reported by Filip Frank)
* ASTERISK-25800 - [patch] Calculate talktime when is first call answered (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25272 - [patch]The ICONV dialplan function sometimes returns garbage (Reported by Etienne Lessard)
* ASTERISK-20987 - non-admin users, who join muted conference are not being muted (Reported by hristo)
* ASTERISK-24972 - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server (Reported by Alex A. Welzl)
* ASTERISK-25603 - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash (Reported by Walter Doekes)
* ASTERISK-25742 - Secondary IFP Packets can result in accessing uninitialized pointers and a crash (Reported by Torrey Searle)
* ASTERISK-25397 - [patch]chan_sip: File descriptor leak with non-default timert1 (Reported by Alexander Traud)
* ASTERISK-25730 - build: make uninstall after make distclean tries to remove root (Reported by George Joseph)
* ASTERISK-25722 - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect (Reported by Badalian Vyacheslav)
* ASTERISK-25714 - ASAN:heap-buffer-overflow in logger.c (Reported by Badalian Vyacheslav)
* ASTERISK-24801 - ASAN: ast_el_read_char stack-buffer-overflow (Reported by Badalian Vyacheslav)
* ASTERISK-25701 - core: Endless loop in "core show taskprocessors" (Reported by ibercom)
* ASTERISK-25700 - main/config: Clean config maps on shutdown. (Reported by Corey Farrell)
* ASTERISK-25690 - Hanging up when executing connected line sub does not cause hangup (Reported by Joshua Colp)
* ASTERISK-25687 - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash (Reported by Sean Bright)
* ASTERISK-25394 - pbx: Incorrect device and presence state when changing hint details (Reported by Joshua Colp)
* ASTERISK-25640 - pbx: Deadlock on features reload and state change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25681 - devicestate: Engine thread is not shut down (Reported by Corey Farrell)
* ASTERISK-25680 - manager: manager_channelvars is not cleaned at shutdown (Reported by Corey Farrell)
* ASTERISK-25679 - res_calendar leaks scheduler. (Reported by Corey Farrell)
* ASTERISK-25677 - pbx_dundi: leaks during failed load. (Reported by Corey Farrell)
* ASTERISK-25673 - res_crypto leaks CLI entries (Reported by Corey Farrell)
* ASTERISK-25647 - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE (Reported by Aaron An)
* ASTERISK-25614 - DTLS negotiation delays (Reported by Dade Brandon)
* ASTERISK-25442 - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c) (Reported by Carlos Oliva)
* ASTERISK-25624 - AMI Event OriginateResponse bug (Reported by sungtae kim)

Improvements made in this release:
-----------------------------------
* ASTERISK-24813 - asterisk.c: #if statement in listener() confuses code folding editors (Reported by Corey Farrell)
* ASTERISK-25767 - [patch] Add check to configure for sanitizes (Reported by Badalian Vyacheslav)
* ASTERISK-25068 - Move commonly used FreePBX extra sounds to the core set (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.22.0

13 Feb 2016

Asterisk 11.21.2 released

On 11 February 2016 the Asterisk Development Team announced the release of Asterisk 11.21.2.

From the original post:

The Asterisk Development Team has announced the release of Asterisk 11.21.2.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.21.2 resolves an issue reported by the community and would not have been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25770 - Check for OpenSSL defines before trying to use them. (Reported by Kevin Harwell)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.2

7 Feb 2016

Asterisk 13.7.2 released

On 5 February 2016 the Asterisk Development Team announced the release of Asterisk 13.7.2.

From the original post:

The release of Asterisk 13.7.2 resolves an issue reported by the community and would not have been possible without your participation.
Thank you!

The following is the issue resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25702 - PjSip realtime DB and Cache Errors since upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2 (Reported by Nic Colledge)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.7.2

5 Feb 2016

AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data

               Asterisk Project Security Advisory - AST-2016-003

Product:            Asterisk
Summary:            Remote crash vulnerability when receiving UDPTL FAX data
Nature of Advisory: Denial of Service
Susceptibility:     Remote Authenticated Sessions
Severity:           Minor
Exploits Known:     Yes
Reported On:        December 2, 2015
Reported By:        Walter Doekes, Torrey Searle
Posted On:          February 3, 2016
Last Updated On:    February 3, 2016
Advisory Contact:   Richard Mudgett <rmudgett AT digium DOT com>
CVE Name:           Pending

Description:

If no UDPTL packets are lost there is no problem. However, a lost packet causes Asterisk to use the available error correcting redundancy packets. If those redundancy packets have zero length then Asterisk uses an uninitialized buffer pointer and length value, which can cause invalid memory accesses later when the packet is copied.

Resolution:

Upgrade to a released version with the fix incorporated or apply the patch.

Affected Versions
  Product                Release Series
  Asterisk Open Source   1.8.x            All versions
  Asterisk Open Source   11.x             All versions
  Asterisk Open Source   12.x             All versions
  Asterisk Open Source   13.x             All versions
  Certified Asterisk     1.8.28           All versions
  Certified Asterisk     11.6             All versions
  Certified Asterisk     13.1             All versions

Corrected In
  Product                Release
  Asterisk Open Source   11.21.1, 13.7.1
  Certified Asterisk     11.6-cert12, 13.1-cert3

Patches
  SVN URL                                                              Revision
  http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff  Certified Asterisk 1.8.28
  http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff    Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff    Certified Asterisk 13.1
  http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff     Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff      Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff      Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff      Asterisk 13

Links: https://issues.asterisk.org/jira/browse/ASTERISK-25603

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-003.pdf and
http://downloads.digium.com/pub/security/AST-2016-003.html
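The description above turns on how the secondary (redundancy) IFP packets of a UDPTL datagram are decoded when one of them has zero length. The parser below is an added example written for this page and is not Asterisk's udptl.c. It follows the UDPTL layout (16-bit sequence number, length-prefixed primary IFP packet, a byte whose top bit selects secondary packets or FEC, then a count and one length-prefixed secondary packet per count), handles the PER length determinant in its one-byte and two-byte forms only, gives every output slot a defined value before use, and records a zero-length redundancy entry as absent rather than as a usable packet. The datagrams are constructed for the example, and the FEC branch is not decoded.

```python
import struct
from typing import List, Optional, Tuple


class UdptlError(ValueError):
    """Raised for a truncated or malformed UDPTL datagram."""


def _decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a PER length determinant at buf[pos]; return (length, next_pos).

    One byte for 0..127; two bytes with top bits 10 for 128..16383.  The
    fragmented form (top bits 11) is rejected to keep the example short.
    """
    if pos >= len(buf):
        raise UdptlError("truncated length determinant")
    first = buf[pos]
    if first & 0x80 == 0:
        return first, pos + 1
    if first & 0x40 == 0:
        if pos + 1 >= len(buf):
            raise UdptlError("truncated two-byte length determinant")
        return ((first & 0x3F) << 8) | buf[pos + 1], pos + 2
    raise UdptlError("fragmented length determinant not supported here")


def _decode_open_type(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a length-prefixed octet string; return (data, next_pos).

    Always returns a real bytes object (b"" for length 0), so the caller
    never holds an undefined pointer/length pair for an empty entry.
    """
    n, pos = _decode_length(buf, pos)
    if pos + n > len(buf):
        raise UdptlError("octet string runs past the end of the datagram")
    return bytes(buf[pos:pos + n]), pos + n


def parse_udptl(buf: bytes) -> Tuple[int, bytes, List[Optional[bytes]]]:
    """Parse one UDPTL datagram into (seq_number, primary_ifp, secondaries).

    secondaries[i] is the redundant copy of IFP packet seq_number-1-i, or
    None when the sender put a zero-length entry there: an empty entry
    carries no data and must never be treated as a usable packet.
    """
    if len(buf) < 3:
        raise UdptlError("datagram shorter than the UDPTL header")
    seq = struct.unpack_from("!H", buf, 0)[0]
    primary, pos = _decode_open_type(buf, 2)
    if pos >= len(buf):
        raise UdptlError("missing error-recovery field")
    recovery, pos = buf[pos], pos + 1
    secondaries: List[Optional[bytes]] = []
    if recovery & 0x80 == 0:                  # secondary-ifp-packets
        count, pos = _decode_length(buf, pos)
        for _ in range(count):
            entry, pos = _decode_open_type(buf, pos)
            secondaries.append(entry if entry else None)
    # top bit set: fec-info, not decoded in this example
    return seq, primary, secondaries


def recover_lost(expected_seq: int, seq: int,
                 secondaries: List[Optional[bytes]]) -> List[Tuple[int, Optional[bytes]]]:
    """For each sequence number in [expected_seq, seq) that never arrived,
    return (lost_seq, ifp) using the redundancy entries; ifp is None when
    the datagram carried no usable copy of that packet."""
    recovered = []
    for lost in range(expected_seq, seq):
        idx = seq - 1 - lost
        ifp = secondaries[idx] if 0 <= idx < len(secondaries) else None
        recovered.append((lost, ifp))
    return recovered


def _encode_length(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    if n < 16384:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    raise ValueError("length too large for this encoder")


def build_udptl(seq: int, primary: bytes, secondaries: List[bytes]) -> bytes:
    """Encode a datagram in secondary-packet (redundancy) mode; used only to
    construct sample input for the parser."""
    out = struct.pack("!H", seq) + _encode_length(len(primary)) + primary
    out += b"\x00" + _encode_length(len(secondaries))   # 0x00: secondary mode
    for entry in secondaries:
        out += _encode_length(len(entry)) + entry
    return out


if __name__ == "__main__":
    # Constructed sample: seq 7 carrying IFP 7, a zero-length copy of 6 and
    # a real copy of 5; the receiver last saw seq 4, so 5 and 6 were lost.
    datagram = build_udptl(7, b"\x01\x02\x03", [b"", b"\xaa\xbb"])
    seq, primary, secs = parse_udptl(datagram)
    print(seq, primary, secs, recover_lost(5, 7, secs))
```

The point to carry over to C code is the contract of `_decode_open_type`: it either raises or returns a defined (pointer, length) pair for every entry, including empty ones, so the recovery loop never copies from a slot that was never written.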

5 Feb 2016

AST-2016-002: File descriptor exhaustion in chan_sip

               Asterisk Project Security Advisory - AST-2016-002

Product:            Asterisk
Summary:            File descriptor exhaustion in chan_sip
Nature of Advisory: Denial of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Minor
Exploits Known:     Yes
Reported On:        September 17, 2015
Reported By:        Alexander Traud
Posted On:          February 3, 2016
Last Updated On:    February 3, 2016
Advisory Contact:   Richard Mudgett <rmudgett AT digium DOT com>
CVE Name:           Pending
Description:

Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout values hold system file descriptors hostage and can cause the system to run out of file descriptors.

Resolution:

Setting the sip.conf timert1 value to 1245 or lower will not exhibit the vulnerability. The default timert1 value is 500. Asterisk has been patched to detect the integer overflow and fall back to the previous retransmission timer value.

Affected Versions
  Product                Release Series
  Asterisk Open Source   1.8.x            All versions
  Asterisk Open Source   11.x             All versions
  Asterisk Open Source   12.x             All versions
  Asterisk Open Source   13.x             All versions
  Certified Asterisk     1.8.28           All versions
  Certified Asterisk     11.6             All versions
  Certified Asterisk     13.1             All versions

Corrected In
  Product                Release
  Asterisk Open Source   11.21.1, 13.7.1
  Certified Asterisk     11.6-cert12, 13.1-cert3

Patches
  SVN URL                                                              Revision
  http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff  Certified Asterisk 1.8.28
  http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff    Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff    Certified Asterisk 13.1
  http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff     Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff      Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff      Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff      Asterisk 13

Links: https://issues.asterisk.org/jira/browse/ASTERISK-25397

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-002.pdf and
http://downloads.digium.com/pub/security/AST-2016-002.html

5 Feb 2016

AST-2016-001: BEAST vulnerability in HTTP server

               Asterisk Project Security Advisory - AST-2016-001

Product:            Asterisk
Summary:            BEAST vulnerability in HTTP server
Nature of Advisory: Unauthorized data disclosure due to man-in-the-middle attack
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Minor
Exploits Known:     Yes
Reported On:        April 15, 2015
Reported By:        Alex A. Welzl
Posted On:          February 3, 2016
Last Updated On:    February 3, 2016
Advisory Contact:   Joshua Colp <jcolp AT digium DOT com>
CVE Name:           Pending

Description:

The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.

Resolution:

Additional configuration options have been added to Asterisk which allow the HTTP server to be configured so that it is not susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control which TLS protocols are allowed, and to use the server's cipher preference order instead of the client's. The default configuration of the HTTP server has also been changed to one which is not susceptible to the BEAST vulnerability.

Affected Versions
  Product                Release Series
  Asterisk Open Source   1.8.x            All Versions
  Asterisk Open Source   11.x             All Versions
  Asterisk Open Source   12.x             All Versions
  Asterisk Open Source   13.x             All Versions
  Certified Asterisk     1.8.28           All Versions
  Certified Asterisk     11.6             All Versions
  Certified Asterisk     13.1             All Versions

Corrected In
  Product                Release
  Asterisk Open Source   11.21.1, 13.7.1
  Certified Asterisk     11.6-cert12, 13.1-cert3

Patches
  SVN URL                                                              Revision
  http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff  Certified Asterisk 1.8.28
  http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff    Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff    Certified Asterisk 13.1
  http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff      Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff      Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff      Asterisk 13

Links: https://issues.asterisk.org/jira/browse/ASTERISK-24972

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-001.pdf and
http://downloads.digium.com/pub/security/AST-2016-001.html
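Two of the advisories above, AST-2016-002 (timert1 above 1245 in sip.conf) and AST-2016-001 (HTTP server TLS settings), are configuration checks an administrator can run on a box without upgrading first. The script below is an added example, not a tool from the Asterisk project: it contains a small parser for Asterisk's ini-style configuration files and two audits built on it. The 1245 threshold and the 500 default come from AST-2016-002; the http.conf option names it looks for (tlsenable, tlscipher, tlsservercipherorder, tlsdisablev1) are an assumption about which options the AST-2016-001 resolution refers to and should be confirmed against the http.conf.sample shipped with your release. The configuration texts in it are constructed samples.

```python
import re
from typing import Dict, List

# Figures from AST-2016-002: timert1 above 1245 overflows the retransmit
# timer computation; the chan_sip default is 500.
TIMERT1_MAX_SAFE = 1245
TIMERT1_DEFAULT = 500

# Assumed http.conf option names for the AST-2016-001 controls (server cipher
# order, protocol selection); confirm against your release's http.conf.sample.
HTTP_TLS_REQUIRED = {
    "tlsservercipherorder": "server cipher preference order not enforced",
    "tlsdisablev1": "TLSv1.0 still offered",
}


def parse_asterisk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk's ini-style files: [section] headers
    (template markers such as (!) are dropped), key=value and key=>value
    lines, ';' comments.  A repeated key overwrites the earlier value in
    its section, which is enough for a settings audit."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                     # key before any section header
        kv = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if kv:
            sections[current][kv.group(1).strip().lower()] = kv.group(2).strip()
    return sections


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "on", "1")


def audit_sip_conf(text: str) -> List[str]:
    """AST-2016-002 check: flag any timert1 above TIMERT1_MAX_SAFE."""
    findings = []
    for section, opts in parse_asterisk_conf(text).items():
        if "timert1" not in opts:
            continue
        try:
            t1 = int(opts["timert1"])
        except ValueError:
            findings.append(f"[{section}] timert1={opts['timert1']!r} is not an integer")
            continue
        if t1 > TIMERT1_MAX_SAFE:
            findings.append(
                f"[{section}] timert1={t1} exceeds {TIMERT1_MAX_SAFE}: retransmit "
                f"timer overflow holds file descriptors open (AST-2016-002); "
                f"the default is {TIMERT1_DEFAULT}")
    return findings


def audit_http_conf(text: str) -> List[str]:
    """AST-2016-001 check: with TLS enabled, require server-side cipher
    order, TLSv1.0 disabled and an explicit cipher list."""
    general = parse_asterisk_conf(text).get("general", {})
    if not _is_yes(general.get("tlsenable", "no")):
        return []                        # BEAST is moot without TLS
    findings = []
    for option, problem in HTTP_TLS_REQUIRED.items():
        if not _is_yes(general.get(option, "no")):
            findings.append(f"[general] {option} is not yes: {problem} (AST-2016-001)")
    if not general.get("tlscipher"):
        findings.append("[general] tlscipher unset: OpenSSL default cipher list in use (AST-2016-001)")
    return findings


if __name__ == "__main__":
    # Constructed samples, not files taken from a real system.
    SIP_CONF = "[general]\ncontext=default\ntimert1=1500 ; too high\n[phone1]\ntype=friend\n"
    HTTP_CONF = "[general]\nenabled=yes\ntlsenable=yes\ntlsbindaddr=0.0.0.0:8089\n"
    for name, findings in (("sip.conf", audit_sip_conf(SIP_CONF)),
                           ("http.conf", audit_http_conf(HTTP_CONF))):
        print(name, "->", findings or ["ok"])
```

Run it with the contents of /etc/asterisk/sip.conf and /etc/asterisk/http.conf read from disk; the parser ignores #include directives, so audit included files separately.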

5 Feb 2016

Asterisk 11.6-cert12, 11.21.1, 13.1-cert3 and 13.7.1 released (security release)

On 15 January 2016 the Asterisk Development Team announced the release of Asterisk 11.6-cert12, 11.21.1, 13.1-cert3 and 13.7.1.

From the original post:

The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.

The release of these versions resolves the following security vulnerabilities:

* AST-2016-001: BEAST vulnerability in HTTP server

The Asterisk HTTP server currently has a default configuration which allows
the BEAST vulnerability to be exploited if the TLS functionality is enabled.
This can allow a man-in-the-middle attack to decrypt data passing through it.

* AST-2016-002: File descriptor exhaustion in chan_sip

Setting the sip.conf timert1 value to a value higher than 1245 can cause an
integer overflow and result in large retransmit timeout times. These large
timeout values hold system file descriptors hostage and can cause the system
to run out of file descriptors.

* AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data.

If no UDPTL packets are lost there is no problem. However, a lost packet
causes Asterisk to use the available error correcting redundancy packets. If
those redundancy packets have zero length then Asterisk uses an uninitialized
buffer pointer and length value which can cause invalid memory accesses later
when the packet is copied.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2016-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-003.pdf

21 Jan 2016

Sangoma introduces three VoIP phone models


Sangoma has introduced three VoIP phone models which, in my opinion, look very similar to Yealink phones.

18 Jan 2016

Asterisk 13.7.0 released

On 15 January 2016 the Asterisk Development Team announced the release of Asterisk 13.7.0.

From the original post:

The release of Asterisk 13.7.0 resolves several issues reported by the community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
* ASTERISK-25419 - Dialplan Application for Integration of StatsD (Reported by Ashley Sanders)
* ASTERISK-25549 - Confbridge: Add participant timeout option (Reported by Mark Michelson)
* ASTERISK-24922 - ARI: Add the ability to intercept hold and raise an event (Reported by Matt Jordan)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25689 - pjsip show contacts not working in Asterisk
13.7rc2 (Reported by Marcelo Terres)
* ASTERISK-25640 - pbx: Deadlock on features reload and state
change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25664 - ast_format_cap_append_by_type leaks a reference
(Reported by Corey Farrell)
* ASTERISK-25601 - json: Audit reference usage and thread safety
(Reported by Joshua Colp)
* ASTERISK-25625 - res_sorcery_memory_cache: Add full backend
caching (Reported by Joshua Colp)
* ASTERISK-25615 - res_pjsip: Setting transport async_operations >
1 causes segfault on tls transports (Reported by George Joseph)
* ASTERISK-25364 - [patch]Issue a TCP connection(kernel) and
thread of asterisk is not released (Reported by Hiroaki Komatsu)
* ASTERISK-25619 - res_chan_stats not sending the correct
information to StatsD (Reported by Tyler Cambron)
* ASTERISK-25569 - app_meetme: Audio quality issues (Reported by
Corey Farrell)
* ASTERISK-25609 - [patch]Asterisk may crash when calling
ast_channel_get_t38_state(c) (Reported by Filip Jenicek)
* ASTERISK-24146 - [patch]No audio on WebRtc caller side when
answer waiting time is more than ~7sec (Reported by Aleksei
Kulakov)
* ASTERISK-25599 - [patch] SLIN Resampling Codec only 80 msec
(Reported by Alexander Traud)
* ASTERISK-25616 - Warning with a Codec Module which supports PLC
with FEC (Reported by Alexander Traud)
* ASTERISK-25610 - Asterisk crash during "sip reload" (Reported by
Dudás József)
* ASTERISK-25608 - res_pjsip/contacts/statsd: Lifecycle events
aren't consistent (Reported by George Joseph)
* ASTERISK-25584 - [patch] format-attribute module: VP8 missing
(Reported by Alexander Traud)
* ASTERISK-25583 - [patch] format-attribute module: RFC 7587 (Opus
Codec) (Reported by Alexander Traud)
* ASTERISK-25498 - Asterisk crashes when negotiating g729 without
that module installed (Reported by Ben Langfeld)
* ASTERISK-25595 - Unescaped : in message sent to statsd (Reported
by Niklas Larsson)
* ASTERISK-25476 - chan_sip loses registrations after a while
(Reported by Michael Keuter)
* ASTERISK-25598 - res_pjsip: Contact status messages are
printing a hash instead of the uri (Reported by George Joseph)
* ASTERISK-25600 - bridging: Inconsistency in BRIDGEPEER (Reported
by Jonathan Rose)
* ASTERISK-25582 - Testsuite: Reactor timeout error in
tests/fax/pjsip/directmedia_reinvite_t38 (Reported by Matt
Jordan)
* ASTERISK-25593 - fastagi: record file closed after sending
result (Reported by Kevin Harwell)
* ASTERISK-25585 - [patch]rasterisk never hits most of main(), but
it's assumed to (Reported by Walter Doekes)
* ASTERISK-25590 - CLI Usage info for 'pjsip send notify'
references incorrect config (Reported by Corey Farrell)
* ASTERISK-25165 - Testsuite - Sorcery memory cache leaks
(Reported by Corey Farrell)
* ASTERISK-25575 - res_pjsip: Dynamic outbound registrations
created via ARI are not loaded into memory on Asterisk
start/restart (Reported by Matt Jordan)
* ASTERISK-25545 - [patch] translation module gets cached not
joint format (Reported by Alexander Traud)
* ASTERISK-25573 - [patch] H.264 format attribute module: resets
whole SDP (Reported by Alexander Traud)
* ASTERISK-24958 - Forwarding loop detection inhibits certain
desirable scenarios (Reported by Mark Michelson)
* ASTERISK-25561 - app_queue.c line 6503 (try_calling): mutex
'qe->chan' freed more times than we've locked! (Reported by Alec
Davis)
* ASTERISK-25552 - hashtab: Improve NULL tolerance (Reported by
Joshua Colp)
* ASTERISK-25160 - [patch] Opus Codec: SIP/SDP line fmtp missing
when called internally (Reported by Alexander Traud)
* ASTERISK-25535 - [patch] format creation on module load instead
of cache (Reported by Alexander Traud)
* ASTERISK-25449 - main/sched: Regression introduced by
5c713fdf18f causes erroneous duplicate RTCP messages; other
potential scheduling issues in chan_sip/chan_skinny (Reported by
Matt Jordan)
* ASTERISK-25546 - threadpool: Race condition between idle timeout
and activation (Reported by Joshua Colp)
* ASTERISK-25537 - [patch] format-attribute module: RFC or
internal defaults? (Reported by Alexander Traud)
* ASTERISK-25533 - [patch] buffer for ast_format_cap_get_names
only 64 bytes (Reported by Alexander Traud)
* ASTERISK-25373 - add documentation for CALLERID(pres) and also
the CONNECTEDLINE and REDIRECTING variants (Reported by Walter
Doekes)
* ASTERISK-25527 - Quirky xmldoc description wrapping (Reported by
Walter Doekes)
* ASTERISK-24779 - Passthrough OPUS codec not working with
chan_pjsip (Reported by PowerPBX)
* ASTERISK-25522 - ARI: Crash when creating channel via ARI
originate with requesting channel (Reported by Matt Jordan)
* ASTERISK-25434 - Compiler flags not reported in 'core show
settings' despite usage during compilation (Reported by Rusty
Newton)
* ASTERISK-24106 - WebSockets Automatically decides what driver it
will use (Reported by Andrew Nagy)
* ASTERISK-25513 - Crash: malloc failed with high load of
subscriptions. (Reported by John Bigelow)
* ASTERISK-25505 - res_pjsip_pubsub: Crash on off-nominal when UAS
dialog can't be created (Reported by Joshua Colp)
* ASTERISK-24543 - Asterisk 13 responds to SIP Invite with all
possible codecs configured for peer as opposed to intersection
of configured codecs and offered codecs (Reported by Taylor
Hawkes)
* ASTERISK-25494 - build: GCC 5.1.x catches some new const, array
bounds and missing paren issues (Reported by George Joseph)
* ASTERISK-25485 - res_pjsip_outbound_registration: registration
stops due to 400 response (Reported by Kevin Harwell)
* ASTERISK-25486 - res_pjsip: Fix deadlock when validating URIs
(Reported by Joshua Colp)
* ASTERISK-7803 - [patch] Update the maximum packetization values
in frame.c (Reported by dea)
* ASTERISK-25484 - [patch] autoframing=yes has no effect (Reported
by Alexander Traud)
* ASTERISK-25461 - Nested dialplan #includes don't work as
expected. (Reported by Richard Mudgett)
* ASTERISK-25455 - Deadlock of PJSIP realtime over
res_config_pgsql (Reported by mdu113)
* ASTERISK-25135 - [patch]RTP Timeout hangup cause code missing
(Reported by Olle Johansson)
* ASTERISK-25435 - Asterisk periodically hangs. UDP Recv-Q greatly
exceeds zero. (Reported by Dmitriy Serov)
* ASTERISK-25451 - Broken video - erased rtp marker bit (Reported
by Stefan Engström)
* ASTERISK-25400 - Hints broken when "CustomPresence" doesn't
exist in AstDB (Reported by Andrew Nagy)
* ASTERISK-25443 - [patch]IPv6 - Potential issue in via header
parsing (Reported by ffs)
* ASTERISK-25404 - segfault/crash in chan_pjsip_hangup ... at
chan_pjsip.c (Reported by Chet Stevens)
* ASTERISK-25391 - AMI GetConfigJSON returns invalid JSON
(Reported by Bojan Nemčić)
* ASTERISK-25441 - Deadlock in res_sorcery_memory_cache. (Reported
by Richard Mudgett)
* ASTERISK-25438 - res_rtp_asterisk: ICE role message even when
ICE is not enabled (Reported by Joshua Colp)

Improvements made in this release:
-----------------------------------
* ASTERISK-25618 - res_pjsip: Check for readability of TLS files
at startup (Reported by George Joseph)
* ASTERISK-25572 - Endpoints: Add StatsD stats for Asterisk
endpoints (Reported by Matt Jordan)
* ASTERISK-25571 - PJSIP: Add StatsD stats for some common PJSIP
objects (Reported by Matt Jordan)
* ASTERISK-25518 - taskprocessor: Add high water mark (Reported by
Jonathan Rose)
* ASTERISK-25477 - pjsip show "command" like [criteria] (Reported
by Bryant Zimmerman)
* ASTERISK-24718 - [patch]Add initial support of "sanitize" to
configure (Reported by Badalian Vyacheslav)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.7.0

18Jan/16

Asterisk 11.21.0 Released

On 15 January 2016, the Asterisk Development Team announced the release of Asterisk 11.21.0.

From the original post:

The release of Asterisk 11.21.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-25640 - pbx: Deadlock on features reload and state
change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25364 - [patch]Issue a TCP connection(kernel) and
thread of asterisk is not released (Reported by Hiroaki Komatsu)
* ASTERISK-25569 - app_meetme: Audio quality issues (Reported by
Corey Farrell)
* ASTERISK-25609 - [patch]Asterisk may crash when calling
ast_channel_get_t38_state(c) (Reported by Filip Jenicek)
* ASTERISK-24146 - [patch]No audio on WebRtc caller side when
answer waiting time is more than ~7sec (Reported by Aleksei
Kulakov)
* ASTERISK-25599 - [patch] SLIN Resampling Codec only 80 msec
(Reported by Alexander Traud)
* ASTERISK-25616 - Warning with a Codec Module which supports PLC
with FEC (Reported by Alexander Traud)
* ASTERISK-25610 - Asterisk crash during "sip reload" (Reported by
Dudás József)
* ASTERISK-25498 - Asterisk crashes when negotiating g729 without
that module installed (Reported by Ben Langfeld)
* ASTERISK-25476 - chan_sip loses registrations after a while
(Reported by Michael Keuter)
* ASTERISK-25593 - fastagi: record file closed after sending
result (Reported by Kevin Harwell)
* ASTERISK-25585 - [patch]rasterisk never hits most of main(), but
it's assumed to (Reported by Walter Doekes)
* ASTERISK-25552 - hashtab: Improve NULL tolerance (Reported by
Joshua Colp)
* ASTERISK-25449 - main/sched: Regression introduced by
5c713fdf18f causes erroneous duplicate RTCP messages; other
potential scheduling issues in chan_sip/chan_skinny (Reported by
Matt Jordan)
* ASTERISK-25537 - [patch] format-attribute module: RFC or
internal defaults? (Reported by Alexander Traud)
* ASTERISK-25373 - add documentation for CALLERID(pres) and also
the CONNECTEDLINE and REDIRECTING variants (Reported by Walter
Doekes)
* ASTERISK-25527 - Quirky xmldoc description wrapping (Reported by
Walter Doekes)
* ASTERISK-25434 - Compiler flags not reported in 'core show
settings' despite usage during compilation (Reported by Rusty
Newton)
* ASTERISK-25494 - build: GCC 5.1.x catches some new const, array
bounds and missing paren issues (Reported by George Joseph)
* ASTERISK-7803 - [patch] Update the maximum packetization values
in frame.c (Reported by dea)
* ASTERISK-25461 - Nested dialplan #includes don't work as
expected. (Reported by Richard Mudgett)
* ASTERISK-25455 - Deadlock of PJSIP realtime over
res_config_pgsql (Reported by mdu113)
* ASTERISK-25135 - [patch]RTP Timeout hangup cause code missing
(Reported by Olle Johansson)
* ASTERISK-25400 - Hints broken when "CustomPresence" doesn't
exist in AstDB (Reported by Andrew Nagy)
* ASTERISK-25443 - [patch]IPv6 - Potential issue in via header
parsing (Reported by ffs)
* ASTERISK-25391 - AMI GetConfigJSON returns invalid JSON
(Reported by Bojan Nemčić)
* ASTERISK-25438 - res_rtp_asterisk: ICE role message even when
ICE is not enabled (Reported by Joshua Colp)

Improvements made in this release:
-----------------------------------
* ASTERISK-24718 - [patch]Add initial support of "sanitize" to
configure (Reported by Badalian Vyacheslav)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.0