Asterisk versions released: 1.4.39.2, 1.6.1.22, 1.6.2.16.2 and 1.8.2.4.
On 21 February, the Asterisk Development Team announced the release of Asterisk versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2 and 1.8.2.4.
From the original post:
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems doing T.38 pass
through or termination are vulnerable. The issue and resolution are described in
the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
Security advisory AST-2011-002 is available at:
Asterisk security – AST-2011-002: Multiple array overflow and crash vulnerabilities in UDPTL code
This is the link to download the document as a PDF:
Asterisk 1.8.3-rc3 released
On 16 February, the Asterisk Development Team announced the release of Asterisk 1.8.3-rc3.
From the original post:
The release of Asterisk 1.8.3-rc3 resolves the following issues in addition to
those included in 1.8.3-rc1 and 1.8.3-rc2:
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
- Resolve deadlock involving REFER.
(Closes issue #18403. Reported, tested by jthurman. Patched by jpeeler.)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3-rc3
Asterisk 1.6.2.17-rc3 released
On 16 February, the Asterisk Development Team announced the release of Asterisk 1.6.2.17-rc3.
From the original post:
The release of Asterisk 1.6.2.17-rc3 resolves the following issues in addition
to those included in 1.6.2.17-rc1 and 1.6.2.17-rc2:
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17-rc3
Asterisk 1.4.40-rc3 released
On 16 February, the Asterisk Development Team announced the release of Asterisk 1.4.40-rc3.
From the original post:
The release of Asterisk 1.4.40-rc3 resolves the following issues in addition to
those included in 1.4.40-rc1 and 1.4.40-rc2:
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.40-rc3
Asterisk 1.8 and fail2ban
For iptables/fail2ban to protect Asterisk 1.8 correctly, a "new" asterisk.conf file must be used. This is the installation procedure:
# cd /etc/fail2ban/filter.d
# wget http://pbxinaflash.net/source/fail2ban/asterisk18.conf
# mv asterisk.conf asterisk14.conf
# mv asterisk18.conf asterisk.conf
# service fail2ban restart
Asterisk 1.8.2.3 released
On 26 January, the Asterisk Development Team announced the release of Asterisk 1.8.2.3.
From the original post:
The release of Asterisk 1.8.2.3 resolves the following issue:
- Reimplemented fax session reservation to reverse the ABI breakage introduced
in r297486.
(Reported by Jeremy Kister on the asterisk-users mailing list. Patched by
mnicholson)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2.3
Thank you for your continued support of Asterisk!
Asterisk 1.8.3-rc2 released
On 26 January, the Asterisk Development Team announced the release of Asterisk 1.8.3-rc2.
From the original post:
The release of Asterisk 1.8.3-rc2 resolves the following issues in addition to
those included in 1.8.3-rc1:
- Resolve issue where no Music On Hold may be triggered when using
res_timing_dahdi.
(Closes issues #18262. Reported by francesco_r. Patched by cjacobson. Tested
by francesco_r, rfrantik, one47)
- Resolve a memory leak when the Asterisk Manager Interface is disabled.
(Reported internally by kmorgan. Patched by russellb)
- Reimplemented fax session reservation to reverse the ABI breakage introduced
in r297486.
(Reported internally. Patched by mnicholson)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3-rc2
Thank you for your continued support of Asterisk!
Asterisk 1.6.2.17-rc2 released
On 26 January, the Asterisk Development Team announced the release of Asterisk 1.6.2.17-rc2.
From the original post:
The release of Asterisk 1.6.2.17-rc2 resolves the following issues in addition
to those included in 1.6.2.17-rc1:
- Resolve several issues with DTMF based attended transfers.
(Closes issues #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchaun, grecco. Patched by rmudgett).
NOTE: Be sure to read the ChangeLog for more information about these changes.
- Resolve issue where no Music On Hold may be triggered when using
res_timing_dahdi.
(Closes issues #18262. Reported by francesco_r. Patched by cjacobson. Tested
by francesco_r, rfrantik, one47)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17-rc2
Thank you for your continued support of Asterisk!
Asterisk 1.4.40-rc2 released
On 26 January, the Asterisk Development Team announced the release of Asterisk 1.4.40-rc2.
From the original post:
The release of Asterisk 1.4.40-rc2 resolves the following issues in addition to
those included in 1.4.40-rc1:
- Resolve several issues with DTMF based attended transfers.
(Closes issues #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchaun, grecco. Patched by rmudgett).
NOTE: Be sure to read the ChangeLog for more information about these changes.
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.40-rc2
Thank you for your continued support of Asterisk!
Asterisk 1.8.2.2 released (Security Release)
On 20 January, the Asterisk Development Team announced the release of Asterisk 1.8.2.2.
From the original post:
The Asterisk Development Team has announced a release for the security issue
described in AST-2011-001.
Due to a failed merge, Asterisk 1.8.2.1 which should have included the security
fix did not. Asterisk 1.8.2.2 contains the changes which should have been
included in Asterisk 1.8.2.1.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2,
1.8.1.2, and 1.8.2.2 resolve an issue when forming an outgoing SIP request while
in pedantic mode, which can cause a stack buffer to be made to overflow if
supplied with carefully crafted caller ID information. The issue and resolution
are described in the AST-2011-001 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-001, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
Security advisory AST-2011-001 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-001.pdf
Asterisk 1.8.3-rc1 released
On 19 January, the Asterisk Development Team announced the release of Asterisk 1.8.3-rc1.
From the original post:
The release of Asterisk 1.8.3-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release candidate:
- Resolve duplicated data in the AstDB when using DIALGROUP()
(Closes issue #18091. Reported by bunny. Patched by tilghman)
- Ensure the ipaddr field in realtime is large enough to handle IPv6 addresses.
(Closes issue #18464. Reported, patched by IgorG)
- Reworking parsing of mwi => lines to resolve a segfault. Also add a set of
unit tests for the function that does the parsing.
(Closes issue #18350. Reported by gbour. Patched by Marquis)
- When using cdr_pgsql the billsec field was not populated correctly on
unanswered calls.
(Closes issue #18406. Reported by joscas. Patched by tilghman)
- Resolve memory leak in iCalendar and Exchange calendaring modules.
(Closes issue #18521. Reported, patched by pitel. Tested by cervajs)
- This version of Asterisk includes the new Compiler Flags option
BETTER_BACKTRACES which uses libbfd to search for better symbol information
within both the Asterisk binary, as well as loaded modules, to assist when
using inline backtraces to track down problems.
(Patched by tilghman)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3-rc1
Asterisk 1.6.2.17-rc1 released
On 19 January, the Asterisk Development Team announced the release of Asterisk 1.6.2.17-rc1.
From the original post:
The release of Asterisk 1.6.2.17-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release candidate:
- Resolve duplicated data in the AstDB when using DIALGROUP()
(Closes issue #18091. Reported by bunny. Patched by tilghman)
- Correct issue where res_config_odbc could populate fields with invalid data.
(Closes issue #18251, #18279. Reported by bcnit, zerohalo. Tested by trev,
jthurman, elguero, zerohalo. Patched by tilghman)
- When using cdr_pgsql the billsec field was not populated correctly on
unanswered calls.
(Closes issue #18406. Reported by joscas. Patched by tilghman)
- Resolve issue where re-transmissions of SUBSCRIBE could break presence.
(Closes issue #18075. Reported by mdu113. Patched by twilson)
- Fix regression causing forwarding voicemails to not work with file storage.
(Closes issue #18358. Reported by cabal95. Patched by jpeeler)
- This version of Asterisk includes the new Compiler Flags option
BETTER_BACKTRACES which uses libbfd to search for better symbol information
within both the Asterisk binary, as well as loaded modules, to assist when
using inline backtraces to track down problems.
(Patched by tilghman)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17-rc1
Asterisk 1.4.40-rc1 released
On 19 January, the Asterisk Development Team announced the release of Asterisk 1.4.40-rc1.
From the original post:
The release of Asterisk 1.4.40-rc1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release candidate:
- Correct issue where res_config_odbc could populate fields with invalid data.
(Closes issue #18251, #18279. Reported by bcnit, zerohalo. Tested by trev,
jthurman, elguero, zerohalo. Patched by tilghman)
- Resolve issue where re-transmissions of SUBSCRIBE could break presence.
(Closes issue #18075. Reported by mdu113. Patched by twilson)
- Resolve issue in res_odbc where it may crash when a query fails.
(Closes issue #18243. Reported, patched by ks3)
- Fix CPU spike when pressing DTMF after agent login.
(Closes issue #18130. Reported by rgj. Patched by jpeeler)
- Fix cross-compiling issue.
(Closes issue #18301. Reported, patched by abelbeck)
- This version of Asterisk includes the new Compiler Flags option
BETTER_BACKTRACES which uses libbfd to search for better symbol information
within both the Asterisk binary, as well as loaded modules, to assist when
using inline backtraces to track down problems.
(Patched by tilghman)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.40-rc1
Security: AST-2011-001 – Stack buffer overflow in SIP channel driver
Here is an excerpt from the AST-2011-001 security document:
Description: When forming an outgoing SIP request while in pedantic mode, a stack buffer can
be made to overflow if supplied with carefully crafted caller ID information. This
vulnerability also affects the URIENCODE dialplan function and in some versions
of asterisk, the AGI dialplan application as well. The ast_uri_encode function does
not properly respect the size of its output buffer and can write past the end of it
when encoding URIs.
Resolution: The size of the output buffer passed to the ast_uri_encode function is now
properly respected.
In asterisk versions not containing the fix for this issue, limiting strings originating
from remote sources that will be URI encoded to a length of 40 characters will
protect against this vulnerability.
exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)
The CALLERID(num) and CALLERID(name) channel values, and any strings passed
to the URIENCODE dialplan function should be limited in this manner.
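The bound described in the advisory excerpt above, as an added C example (not Asterisk's code and not part of the advisory): uri_encode_bounded and uri_encoded_max are hypothetical names and the caller ID string is constructed. It checks the remaining output space before every write, and shows that percent-encoding can triple the input, so a 40-character string needs up to 120 bytes plus the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Worst case: every input byte becomes "%XX", plus the terminating NUL. */
size_t uri_encoded_max(size_t n) { return 3 * n + 1; }

/* Hypothetical bounded encoder (not Asterisk's ast_uri_encode). Writes at most
 * dstlen bytes to dst, NUL included, and returns how many bytes of src were
 * encoded; a result shorter than strlen(src) means the output was cut off on
 * a whole-escape boundary instead of running past the end of dst. */
size_t uri_encode_bounded(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t in = 0, out = 0;

    if (dstlen == 0)
        return 0;
    for (; src[in] != '\0'; in++) {
        unsigned char c = (unsigned char)src[in];
        int plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9') || strchr("-_.~", c) != NULL;
        size_t need = plain ? 1 : 3;

        /* Room for this unit AND the NUL is checked before any write. */
        if (dstlen - out <= need)
            break;
        if (plain) {
            dst[out++] = (char)c;
        } else {
            dst[out++] = '%';
            dst[out++] = hex[c >> 4];
            dst[out++] = hex[c & 0x0F];
        }
    }
    dst[out] = '\0';
    return in;
}

int main(void)
{
    /* Constructed sample: caller ID text with characters that need escaping. */
    const char *cid = "\"Alice\" <sip:1000@example.invalid>";
    char small[16];
    size_t used = uri_encode_bounded(cid, small, sizeof small);

    printf("encoded %zu of %zu bytes: %s\n", used, strlen(cid), small);
    printf("40 input bytes need at most %zu output bytes\n", uri_encoded_max(40));
    return 0;
}
```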