1.2.36 fixed AST-2009-008, and 1.2.37 fixed AST-2009-010. The
problem in AST-2009-008 is:
-----
It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of "403 Authentication user name does not
match account name". If the peer does not exist the response will
be "404 Not Found" if alwaysauthreject is disabled and "401
Unauthorized" if alwaysauthreject is enabled.
-----
And, the problem in AST-2009-010 is:
-----
An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.
-----
* channels/chan_sip.c: Copy the From header into a variable so that
pedantic SIP handling does not try to mess with a NULL pointer.
(AST-2008-008)
* channels/chan_iax2.c: When we receive a full frame that is
supposed to contain our call number, ensure that it has the
correct one. (closes issue #10078) (AST-2008-006)
Update for several critical security issues:
* astobj.h: Fix character string being treated as format string
* chan_sip.c: Do not return with a successful
authentication if the From header ends up empty. (AST-2008-003)
* chan_iax2.c: Fix another potential seg fault (closes issue #11606)
* chan_iax2.c: Fix a couple of places where it's possible
to dereference a NULL pointer.
* chan_sip.c, channels/chan_iax2.c: Fixing AST-2007-027
* cdr_pgsql.c: Properly escape src and dst fields (Fixes AST-2007-026)
Version 1.2.24 is the final 1.2 release that contains normal bug fixes.
The 1.2 branch will only be maintained with security fix releases from
now until it is completely deprecated.
* channels/chan_iax2.c: Don't create the Asterisk channel until we
are starting the PBX on it. (ASA-2007-018)
* channels/chan_agent.c: (closes issue #5866) Reported by: tyler Do
not force channel format changes when a generator is present. The
generator may have changed the formats itself and changing them
back would cause issues.
* channels/chan_sip.c: (closes issue #10236) Reported by: homesick
Patches: rpid_1.4_75840.patch uploaded by homesick (license 91)
Accept Remote Party ID on guest calls.
* include/asterisk/app.h: We should not use C++ reserved words in
API headers (closes issue #10266)
* channels/chan_sip.c: Backport a fix for a memory leak that was
fixed in trunk in reivision 76221 by rizzo. The memory used for
the localaddr list was not freed during a configuration reload.
* channels/chan_sip.c: (closes issue #10247) Reported by:
fkasumovic Patches: chan_sip.patch uploaded by fkasumovic
(license #101) Drop any peer realm authentication entries when
reloading so multiple entries do not get added to the peer.
* channels/chan_iax2.c: When processing full frames, take sequence
number wraparound into account when deciding whether or not we
need to request retransmissions by sending a VNAK. This code
could cause VNAKs to be sent erroneously in some cases, and to
not be sent in other cases when it should have been. (closes
issue #10237, reported and patched by mihai)
* channels/chan_iax2.c: When traversing the queue of frames for
possible retransmission after receiving a VNAK, handle sequence
number wraparound so that all frames that should be retransmitted
actually do get retransmitted. (issue #10227, reported and
patched by mihai)
* apps/app_voicemail.c: Store prior to copy (closes issue #10193)
* apps/app_queue.c: removed the word 'pissed' from ast_log(...)
* channels/chan_skinny.c: Properly check for the length in the
skinny packet to prevent an invalid memcpy. (ASA-2007-016)
* channels/iax2-parser.h, channels/chan_iax2.c,
channels/iax2-parser.c: Ensure that when encoding the contents of
an ast_frame into an iax_frame, that the size of the destination
buffer is known in the iax_frame so that code won't write past
the end of the allocated buffer when sending outgoing frames.
(ASA-2007-014)
* channels/chan_iax2.c: After parsing information elements in IAX
frames, set the data length to zero, so that code later on does
not think it has data to copy. (ASA-2007-015)
* res/res_musiconhold.c: Fix a couple potential minor memory leaks.
load_moh_classes() could return without destroying the loaded
configuration.
* apps/app_chanspy.c: Fixed an issue where chanspy flags were
uninitialized if no options were passed.
* res/res_musiconhold.c: Ensure that adding a user to the list of
users of a specific music on hold class is not done at the same
time as any of the other operations on this list to prevent list
corruption.
* channels/chan_iax2.c: The function make_trunk() can fail and
return -1 instead of a valid new call number. Fix the uses of
this function to handle this instead of treating it as the new
call number. This would cause a deadlock and memory corruption.
* channels/chan_agent.c: The cli command "agent logoff Agent/x
soft" did not work...at all. Now it does.
* res/res_config_odbc.c: Make sure that the ESCAPE immediately
follows the condition that uses LIKE. This fixes realtime
extensions with ODBC.
* apps/app_queue.c: Fix an issue where it was possible to have a
service level of over 100% Between the time recalc_holdtime and
update_queue was called, it was possible that the call could have
been hungup.
* dns.c: Use res_ndestroy on systems that have it. Otherwise, use
res_nclose. This prevents a memleak on NetBSD - and possibly
others.
This release is a regular maintenance release. It has been made just
a couple of weeks after the previous set of releases because the
development team has been working especially hard on fixing bugs
lately. There has been a large volume of issues fixed in just two weeks.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
This release contains a large number of fixes, including:
- A recently published security vulnerability in the manager
interface (ASA-2007-012)
- Another recently published security vulnerability in the
SIP channel driver (ASA-2007-011)
Along with minor bug fixes, this release incorporates a fix for the
SIP DoS vulnerability recently discovered by INRIA Lorraine.
All users of Asterisk 1.2 with the SIP channel driver loaded and
connected to an untrusted network are urged to update to this release
to avoid the possibility of experiencing this problem.
Note that the option "zaptel" won't compile any more since version 1.2.16.
This needs an upgrade of the netbsd zaptel driver.
changes:
1.2.15: This release contains a significant Astribank (XPP) driver update,
support for Digium's TE120P card, and various bug fixes.
1.2.16: This release contains a number of bug fixes, including a fix for
a recently discovered security vulnerability. All Asterisk 1.2 users are
urged to update to this release as soon as possible.
This is in response to PR pkg/35924 by David Wetzel. The PR suggests
to update to 1.4.1, but since I'm not using Asterisk myself I prefer
to do just the minor update (which also fixes the security vulnerability)
for now.
This release contains a fix for a security vulnerability recently
found in the chan_skinny channel driver (for Cisco SCCP phones).
This vulnerability would enable an attacker to remotely execute
code as the system user running Asterisk (frequently 'root').
The exploit does not require that the skinny.conf contain any
valid phone entries, only that chan_skinny is loaded and operational.
This release also contains a number of bug fixes, and some improvements
to the chan_sip channel driver (for SIP devices) to mitigate the impacts
of a certain class of denial-of-service attacks that have recently been
published.
All Asterisk 1.2 users are urged to update to this release if they use
the chan_skinny channel driver, or to stop loading it if it is not
needed ('noload=>chan_skinny.so' in modules.conf will cause this behavior).
