ASTERWEB Blog

19Gen/110

Sicurezza: AST-2011-001 – Stack buffer overflow in SIP channel driver

logoasterisk

Ecco un estratto del documento sulla sicurezza AST-2011-001:

Description When forming an outgoing SIP request while in pedantic mode, a stack buffer can
be made to overflow if supplied with carefully crafted caller ID information. This
vulnerability also affects the URIENCODE dialplan function and in some versions
of asterisk, the AGI dialplan application as well. The ast_uri_encode function does
not properly respect the size of its output buffer and can write past the end of it
when encoding URIs.
Resolution The size of the output buffer passed to the ast_uri_encode function is now
properly respected.
In asterisk versions not containing the fix for this issue, limiting strings originating
from remote sources that will be URI encoded to a length of 40 characters will
protect against this vulnerability.
exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)
The CALLERID(num) and CALLERID(name) channel values, and any strings passed
to the URIENCODE dialplan function should be limited in this manner.

Ast-2011-001

14Gen/110

Asterisk 1.8.2 Now Available

logoasterisk

Il giorno 14 gennaio, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.8.2 (il post ufficiale titola "1.8.3" ma si tratta sicuramente di un errore "di battitura").

Dal post originale:
The following is a sample of the issues resolved in this release:

* 'sip notify clear-mwi' needs terminating CRLF.
(Closes issue #18275. Reported, patched by klaus3000)
* Patch for deadlock from ordering issue between channel/queue locks in
app_queue (set_queue_variables).
(Closes issue #18031. Reported by rain. Patched by bbryant)
* Fix cache of device state changes for multiple servers.
(Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
by russellb)
* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Fix reloading of peer when a user is requested. Prevent peer reloading from
causing multiple MWI subscriptions to be created when using realtime.
(Closes issue #18342. Reported, patched by nivek.)
* Fix XMPP PubSub-based distributed device state. Initialize pubsubflags to 0
so res_jabber doesn't think there is already an XMPP connection sending
device state. Also clean up CLI commands a bit.
(Closes issue #18272. Reported by klaus3000. Patched by Marquis42)
* Don't crash after Set(CDR(userfield)=...) in ast_bridge_call. Instead of
setting peer->cdr = NULL, set it to not post.
(Closes issue #18415. Reported by macbrody. Patched, tested by jsolares)
* Fixes issue with outbound google voice calls not working. Thanks to az1234
and nevermind_quack for their input in helping debug the issue.
(Closes issue #18412. Reported by nevermind_quack. Patched by dvossel)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2

Inserito in: Asterisk Nessun commento
14Gen/110

Asterisk 1.6.2.16 Now Available

logoasterisk

Il giorno 14 gennaio, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.6.2.16

Dal post originale:
The following is a sample of the issues resolved in this release:

* Fix cache of device state changes for multiple servers.
(Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
by russellb)
* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Linux and *BSD disagree on the elements within the ucred structure. Detect
which one is in use on the system.
(Closes issue #18384. Reported, patched, tested by bjm, tilghman)
* app_followme: Don't create a Local channel if the target extension does not
exist.
(Closes issue #18126. Reported, patched by junky)
* Revert code that changed SSRC for DTMF.
(Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou. rsw686.
Tested by cmbaker82)
* Resolve issue where REGISTER request with a Call-ID matching an existing
transaction is received it was possible that the REGISTER request would
overwrite the initreq of the private structure.
(Closes issue #18051. Reported by eeman. Patched, tested by twilson)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16

Inserito in: Asterisk Nessun commento
17Dic/100

Asterisk 1.8.1.1 Now Available

logoasterisk

Il giorno 15 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.8.2-rc1

Dal post originale:
The release of Asterisk 1.8.1.1 resolves two issues reported by the community
since the release of Asterisk 1.8.1.

* Don't crash after Set(CDR(userfield)=...) in ast_bridge_call. Instead of
setting peer->cdr = NULL, set it to not post.
(Closes issue #18415. Reported by macbrody. Patched, tested by jsolares)
* Fixes issue with outbound google voice calls not working. Thanks to az1234
and nevermind_quack for their input in helping debug the issue.
(Closes issue #18412. Reported by nevermind_quack. Patched by dvossel)

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.1.1

Thank you for your continued support of Asterisk!

Inserito in: Asterisk Nessun commento
17Dic/100

Asterisk 1.8.2-rc1 Now Available

logoasterisk

Il giorno 15 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.8.2-rc1

Dal post originale:
The release of Asterisk 1.8.2-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* 'sip notify clear-mwi' needs terminating CRLF.
(Closes issue #18275. Reported, patched by klaus3000)
* Patch for deadlock from ordering issue between channel/queue locks in
app_queue (set_queue_variables).
(Closes issue #18031. Reported by rain. Patched by bbryant)
* Fix cache of device state changes for multiple servers.
(Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
by russellb)
* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Fix reloading of peer when a user is requested. Prevent peer reloading from
causing multiple MWI subscriptions to be created when using realtime.
(Closes issue #18342. Reported, patched by nivek.)
* Fix XMPP PubSub-based distributed device state. Initialize pubsubflags to 0
so res_jabber doesn't think there is already an XMPP connection sending
device state. Also clean up CLI commands a bit.
(Closes issue #18272. Reported by klaus3000. Patched by Marquis42)
* Don't crash after Set(CDR(userfield)=...) in ast_bridge_call. Instead of
setting peer->cdr = NULL, set it to not post.
(Closes issue #18415. Reported by macbrody. Patched, tested by jsolares)
* Fixes issue with outbound google voice calls not working. Thanks to az1234
and nevermind_quack for their input in helping debug the issue.
(Closes issue #18412. Reported by nevermind_quack. Patched by dvossel)

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2-rc1

Thank you for your continued support of Asterisk!

Inserito in: Asterisk Nessun commento
17Dic/100

Asterisk 1.6.2.16-rc1 Now Available

logoasterisk

Il giorno 15 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.6.2.16-rc1

Dal post originale:
The release of Asterisk 1.6.2.16-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Fix cache of device state changes for multiple servers.
(Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
by russellb)
* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Linux and *BSD disagree on the elements within the ucred structure. Detect
which one is in use on the system.
(Closes issue #18384. Reported, patched, tested by bjm, tilghman)
* app_followme: Don't create a Local channel if the target extension does not
exist.
(Closes issue #18126. Reported, patched by junky)
* Revert code that changed SSRC for DTMF.
(Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou. rsw686.
Tested by cmbaker82)
* Resolve issue where REGISTER request with a Call-ID matching an existing
transaction is received it was possible that the REGISTER request would
overwrite the initreq of the private structure.
(Closes issue #18051. Reported by eeman. Patched, tested by twilson)

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16-rc1

Thank you for your continued support of Asterisk!

Inserito in: Asterisk Nessun commento
17Dic/100

Asterisk 1.4.39-rc1 Now Available

logoasterisk

Il giorno 15 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione Asterisk 1.4.39-rc1

Dal post originale:

The release of Asterisk 1.4.39-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Fix bugs in saying numbers using the Swedish language syntax
(Closes issue #18355. Reported, patched by oej)
* Fix not stopping MOH when transfered local channel queue member is answered.
The problem here is only present when local channels are used with the MOH
passthru option as well as no optimization (/nm).
Patched by jpeeler.
* Improve handling of REGISTER requests with multiple contact headers.
Patched by jpeeler.
* app_followme: Don't create a Local channel if the target extension does not
exist.
(Closes issue #18126. Reported, patched by junky)
* Revert code that changed SSRC for DTMF.
(Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou. rsw686.
Tested by cmbaker82)
* Resolve issue where REGISTER request with a Call-ID matching an existing
transaction is received it was possible that the REGISTER request would
overwrite the initreq of the private structure.
(Closes issue #18051. Reported by eeman. Patched, tested by twilson)

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.39-rc1

Thank you for your continued support of Asterisk!

Inserito in: Asterisk Nessun commento
13Dic/100

CryptoPhone IP 19: da Snom e GSMK un telefono a prova di intercettazioni

CPIP19-photo_small

Lo snom 870 Cryptophone nasce dalla collaborazione tra Snom technology AG e la GSMK ed è in grado di soddissfare le esigenza di sicurezza, di che ne farà uso, grazie all'utilizzo di algoritmi cifrati integrati nel telefono (AES 256 e Twofish) che sono tra i più sicuri e complessi.

Il telefono Snom 870 Cryptophone edition è facile da installare ed usare; ha un ampio display touch screen a colori ed è integrabile in qualsiasi impianto telefonico basato sullo standard aperto SIP.

Per quanto concerne il prezzo, non ho trovato riferimenti nelle fonti ufficiali ma ho trovato altri post "in giro", che parlano di un prezzo raccomandato tra i 2.300 e i 2.900 € (bisogna proprio tenerci alla sicurezza!).

13Dic/100

Asterisk 1.8.1 Now Available

logoasterisk

Il giorno 8 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della beta Asterisk 1.8.1

Dal post originale:

The release of Asterisk 1.8.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Fix issue when using directmedia. Asterisk needs to limit the codecs offered
to just the ones that both sides recognize, otherwise they may end up sending
audio that the other side doesn't understand.
(Closes issue #17403. Reported, patched by one47. Tested by one47, falves11)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix playback failure when using IAX with the timerfd module.
(Closes issue #18110. Reported, tested by tpanton. Patched by jpeeler)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Fix issue where it is possible to crash Asterisk by feeding the curl engine
invalid data.
(Closes issue #18161. Reported by wdoekes. Patched by tilghman)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.1

Inserito in: Asterisk Nessun commento
13Dic/100

Asterisk 1.4.38 Now Available

logoasterisk

Il giorno 8 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della beta Asterisk 1.4.38.

Dal post originale:
The release of Asterisk 1.4.38 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Add ability for Asterisk to try both the encoded and unencoded subscription
URI for a match in hints.
(Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
* Set the caller id on CDRs when it is set on the parent channel.
(Closes issue #17569. Reported, patched by tbelder)
* Ensure user portion of SIP URI matches dialplan when using encoded characters
(Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
* Fix a crash in res_jabber by ensuring that we don't alter memory after it's
freed.
(Closes issue #17387. Reported, tested by jmls. Patched by tilghman)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Multiple fixes related to Local channels.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.38

Inserito in: Asterisk Nessun commento
13Dic/100

Asterisk 1.6.2.15 Now Available

logoasterisk

Il giorno 8 dicembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della beta Asterisk 1.6.2.15.

Dal post originale:

he release of Asterisk 1.6.2.15 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* When using chan_skinny, don't crash when parking a non-bridged call.
(Closes issue #17680. Reported, tested by jmhunter. Patched, tested by DEA)
* Add ability for Asterisk to try both the encoded and unencoded subscription
URI for a match in hints.
(Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
* Set the caller id on CDRs when it is set on the parent channel.
(Closes issue #17569. Reported, patched by tbelder)
* Ensure user portion of SIP URI matches dialplan when using encoded characters
(Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Multiple fixes related to Local channels.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.15

2Dic/100

Asterisk 1.4.38-rc1 Now Available

logoasterisk

Il giorno 23 novembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della beta Asterisk 1.4.35-rc1.

Dal post originale:
The release of Asterisk 1.4.38-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Add ability for Asterisk to try both the encoded and unencoded subscription
URI for a match in hints.
(Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
* Set the caller id on CDRs when it is set on the parent channel.
(Closes issue #17569. Reported, patched by tbelder)
* Ensure user portion of SIP URI matches dialplan when using encoded characters
(Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
* Fix a crash in res_jabber by ensuring that we don't alter memory after it's
freed.
(Closes issue #17387. Reported, tested by jmls. Patched by tilghman)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Multiple fixes related to Local channels.

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.38-rc1

Thank you for your continued support of Asterisk!

Inserito in: Asterisk Nessun commento
2Dic/100

libpri 1.4.11.5 Now Available

logoasterisk

Il Team di Sviluppo di Asterisk ha annunciato il rilascio della versione 14.11.5 di LIBPRI.

Questo il contenuto del post originale:

The release of libpri 1.4.11.5 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are some of the issues resolved in this release:

* Prevent a CONNECT message from sending a CONNECT ACKNOWLEDGE in the
wrong state.
(issue #17360. Reported by: shawkris. Patched by rmudgett)
* Made Q.921 delay events to Q.931 if the event could immediately
generate response frames.
(closes issue #17360. Reported by: shawkris. Patched by rmudgett)
* BRI PTMP: Active channels not cleared when the interface goes down.
(closes issue #17865. Reported by: wimpy. Patched by rmudgett)
* Segfault in pri_schedule_del() - ctrl value is invalid.
(closes issue #17522)
(closes issue #18032. Reported by: schmoozecom. Patched by rmudgett)
* Crash when receiving an unknown/unsupported message type.
(closes issue #17968. Reported by: gelo. Patched by rmudgett)
* B410P gets incoming call packets on ISDN but Asterisk doesn't see the
call.
(closes issue #18232. Reported by: lelio. Patched by rmudgett)

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/libpri/ChangeLog-1.4.11.5

Thank you for your continued support of Asterisk!

Inserito in: Asterisk Nessun commento
2Dic/100

Asterisk 1.8.1-rc1 Now Available

logoasterisk

Il giorno 23 novembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della beta Asterisk 1.8.1-rc1.

The release of Asterisk 1.8.1-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Fix issue when using directmedia. Asterisk needs to limit the codecs offered
to just the ones that both sides recognize, otherwise they may end up sending
audio that the other side doesn't understand.
(Closes issue #17403. Reported, patched by one47. Tested by one47, falves11)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix playback failure when using IAX with the timerfd module.
(Closes issue #18110. Reported, tested by tpanton. Patched by jpeeler)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Fix issue where it is possible to crash Asterisk by feeding the curl engine
invalid data.
(Closes issue #18161. Reported by wdoekes. Patched by tilghman)

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.1-rc1

Thank you for your continued support of Asterisk!

2Dic/100

Asterisk 1.6.2.15-rc1 Now Available

logoasterisk

Il giorno 23 novembre, il Team di Sviluppo di Asterisk ha annunciato il rilascio della beta Asterisk 1.6.2.15-rc1.

Dal post originale:
The release of Asterisk 1.6.2.15-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* When using chan_skinny, don't crash when parking a non-bridged call.
(Closes issue #17680. Reported, tested by jmhunter. Patched, tested by DEA)
* Add ability for Asterisk to try both the encoded and unencoded subscription
URI for a match in hints.
(Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
* Set the caller id on CDRs when it is set on the parent channel.
(Closes issue #17569. Reported, patched by tbelder)
* Ensure user portion of SIP URI matches dialplan when using encoded characters
(Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Multiple fixes related to Local channels.

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.15-rc1

Thank you for your continued support of Asterisk!