AST-2010-003. AST-2010-002 was just a warning about dialplan
scripting errors that could lead to security issues.
Asterisk 1.6.1.13: general bug fixes
Asterisk 1.6.1.14: fix AST-2010-001
Asterisk 1.6.1.15: not released, skipped for security releases
Asterisk 1.6.1.16: fix AST-2010-002
Asterisk 1.6.1.17: fix AST-2010-003
Note that the only change in Asterisk 1.6.1.16 was the addtion of
a README file. However, the package doesn't install random docs.
That is planned for a future update seperate from the upstream
updates.
-----
Asterisk 1.6.1.13:
The release of Asterisk 1.6.1.13 resolved several issues reported
by the community, and would have not been possible without your
participation. Thank you!
* Restarts busydetector (if enabled) when DTMF is received after
call is bridged
(Closes issue #16389. Reported, Tested, Patched by alecdavis.)
* Send parking lot announcement to the channel which parked the
call, not the park-ee.
(Closes issue #16234. Reported, Tested by yeshuawatso. Patched
by tilghman.)
* When the field is blank, don't warn about the field being unable
to be coerced just skip the column.
(Closes
http://lists.digium.com/pipermail/asterisk-dev/2009-December/041362.html)
Reported by Nic Colledge on the -dev list.)
* Don't queue frames to channels that have no means to process
them.
(Closes issue #15609. Reported, Tested by aragon. Patched by
tilghman.)
* Fixes holdtime playback issue in app_queue.
(Closes issue #16168. Reported, Patched by nickilo. Tested by
wonderg, nickilo.)
A summary of changes in this release can be found in the release
summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.1.13-summary.t
xt
For a full list of changes in this releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.13
-----
Asterisk 1.6.1.14:
The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include
the fix described in security advisory AST-2010-001.
The issue is that an attacker attempting to negotiate T.38 over
SIP can remotely crash Asterisk by modifying the FaxMaxDatagram
field of the SDP to contain either a negative or exceptionally
large value. The same crash will occur when the FaxMaxDatagram
field is omitted from the SDP, as well.
For more information about the details of this vulnerability, please
read the security advisory AST-2009-009, which was released at the
same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
Security advisory AST-2010-001 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-001.pdf
-----
Asterisk 1.6.1.16:
The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and
1.6.2.4 include documention describing a possible dialplan string
injection with common usage of the ${EXTEN} (and other expansion
variables). The issue and resolution are described in the AST-2010-002
security advisory.
If you have a channel technology which can accept characters other
than numbers and letters (such as SIP) it may be possible to craft
an INVITE which sends data such as 300&Zap/g1/4165551212 which
would create an additional outgoing channel leg that was not
originally intended by the dialplan programmer.
Please note that this is not limited to an specific protocol or
the Dial() application.
The expansion of variables into programmatically-interpreted strings
is a common behavior in many script or script-like languages,
Asterisk included. The ability for a variable to directly replace
components of a command is a feature, not a bug - that is the entire
point of string expansion.
However, it is often the case due to expediency or design
misunderstanding that a developer will not examine and filter string
data from external sources before passing it into potentially
harmful areas of their dialplan.
With the flexibility of the design of Asterisk come these risks if
the dialplan designer is not suitably cautious as to how foreign
data is allowed to enter the system unchecked.
This security release is intended to raise awareness of how it is
possible to insert malicious strings into dialplans, and to advise
developers to read the best practices documents so that they may
easily avoid these dangers.
For more information about the details of this vulnerability, please
read the security advisory AST-2010-002, which was released at the
same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
Security advisory AST-2010-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-002.pdf
The README-SERIOUSLY.bestpractices.txt document is available in
the top-level directory of your Asterisk sources, or available in
all Asterisk branches from 1.2 and up.
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
-----
Asterisk 1.6.1.17:
The releases of Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 resolve
an issue with invalid parsing of ACL (Access Control List) rules
leading to a possible compromise in security. The issue and resolution
are described in the AST-2010-003 security advisory.
For more information about the details of this vulnerability, please
read the security advisory AST-2010-003, which was released at the
same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.17
Security advisory AST-2010-003 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-003.pdf
-----
- obexapp does not now require GNU libiconv (this was in pkgsrc already)
- compiler errors fixed
- no longer tries to provide username/groupname in file listings (info
not available in chroot)
1.2.36 fixed AST-2009-008, and 1.2.37 fixed AST-2009-010. The
problem in AST-2009-008 is:
-----
It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of "403 Authentication user name does not
match account name". If the peer does not exist the response will
be "404 Not Found" if alwaysauthreject is disabled and "401
Unauthorized" if alwaysauthreject is enabled.
-----
And, the problem in AST-2009-010 is:
-----
An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.
-----
and update PLIST for new Music On Hold files.
1.6.1.8 fixes AST-2009-007.
-----
A missing ACL check for handling SIP INVITEs allows a device to
make calls on networks intended to be prohibited as defined by the
"deny" and "permit" lines in sip.conf. The ACL check for handling
SIP registrations was not affected.
-----
1.6.1.9 fixes AST-2009-008 and AST-2009-009.
-----
It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of 403 Authentication user name does not
match account name. If the peer does not exist the response will
be 404 Not Found if alwaysauthreject is disabled and 401 Unauthorized
if alwaysauthreject is enabled.
-----
Asterisk includes a demonstration AJAX based manager interface,
ajamdemo.html which uses the prototype.js framework. An issue was
uncovered in this framework which could allow someone to execute
a cross-site AJAX request exploit.
mktemp(1) to avoid symlink vulnerabilities in tmp file/directory
creation/removal (mitre.org CVE-2008-4936). Named 1.1.36nb1 to
emphasize difference from upstream.
Commit ok'd by agc@.
pkgsrc changes:
- Adjusting dependencies
- Adding license definition
Upstream changes:
1.54 Sun Sep 6 10:44:53 CEST 2009
- Fixed RT #31565, incorrect decoding of outgoing messages
due to incorrect removal of zero-length octet in PDU.
Thanks to Svami Dhyan Nataraj.
1.53 Fri Aug 14 21:43:37 CEST 2009
- Fixed RT #48700, deleting SMS message with index 0 didn't work.
Thanks to Vytas M. for reporting the bug.
- 1.6.1.6 fixes AST-2009-006 which is an IAX2 DOS vulnerability
- 1.6.1.5 contains a variety of bug fixes:
Category: Applications/app_chanspy
#15660: ChanSpy "whisper" is broken in 1.4.26
Category: Applications/app_fax
#15606: app_fax.c is not compiling under OpenBSD
#15610: T.38 re-INVITE received after T.38 already negotiated fails
Category: Applications/app_milliwatt
#15386: [patch] Milliwatt() is off by -11dbm
Category: Applications/app_mixmonitor
#15699: [patch] using ast_free instead of mixmonitor_free
Category: Applications/app_queue
#14536: [patch] After a caller is processed by app_queue the queue_log
logs the hangup as TRANSFER
#15664: [patch] QUEUE_MEMBER_LIST() returns member names instead of
Category: Applications/app_stack
#15557: [patch] Gosub() dequotes once more than Macro()
#15617: [patch] crash in LOCAL() if Gosub stack is allocated but empty
Category: Applications/app_voicemail
#15717: MWI is not sent to a SIP phone upon registration, but is after the
mailbox is updated/checked
#15720: opendir() return code is not checked in last_message_index()
Category: Applications/app_voicemail/IMAP
#14496: [patch] IMAP crash multiple callers / callers hangup at beep
#14597: greetings can not be retrieved from IMAP
#14950: [patch] Greetings are stored as IMAP messages even when
imapgreetings=no
#15729: IMAP greetings not stored in dovecot
Category: CDR/General
#15751: [patch] Core dump in ast_bridge_call features.c line 2772
Category: Channels/chan_agent
#15668: AGENTACCEPTDTMF is incorrectly spelled as AGENTACCEPTDMTF in code
to recognize channel variables.
Category: Channels/chan_dahdi
#15655: [patch] Dialplan starts execution before call is accepted
#15727: [patch] Message Waiting Indication(MWI) is randomly generated when
FXO is set to DTMF Caller ID
Category: Channels/chan_misdn
#12113: [patch] asterisk crash at reload chan_misdn.so
Category: Channels/chan_sip/General
#12869: [patch] 'context' doesn't change when 'sip reload' issued when
driven from realtime
#15362: [patch] log message output is truncated
#15596: [patch] all codecs allowed, but textsupport=no crashes on T140RED
enabled call
Category: Channels/chan_sip/Registration
#14366: [patch] Registration expiry not compatible with some ITSP
#15539: [patch] Register request line contains wrong address when domain
and registrar host differ
Category: Channels/chan_sip/T.38
#15182: [patch] T.38 invite does not always comply with RFC 2327
Category: Channels/chan_sip/Video
#15121: [patch] Video support in SIP channel driver appears to be totally
broken
Category: Core/BuildSystem
#15697: most cleaner alaw don't compile
#15698: [patch] If enable DEBUG_FD_LEAKS - h323 can't start.
#15714: [patch] Asterisk won't build with curl unless curl_config is
present
Category: Core/General
#14730: [patch] Fix runlevels in Debian rc files
#15273: [patch] german time (20:01:00 oh clock) is announced wrong
#15649: T38 Faxing failing on 1.6.1 svn
#15667: LOGGER WARNING : error executing after rotate
Category: Core/ManagerInterface
#15397: [patch] segfault in action_coreshowchannels() at manager.c
#15730: [patch] manager keeps creating /tmp/ast-ami-XXXXXX files (without
deleting) when a single manager client remains logged in
Category: Core/PBX
#15242: [patch] log does not indicate which function is missing closing
parenthesis
Category: Documentation
#15755: Description in queues.conf on call recording is slightly
misleading
Category: Functions/func_iconv
#15169: When building with uClibc, configure script mistakenly assumes
iconv is always available
Category: General
#15571: [patch] 'received' typos in trunk, in 6 files
#15595: [patch] fix spelling for typos, mainly in comments.
Category: PBX/pbx_dundi
#15322: [patch] DUNDILOOKUP() does not accept comma as argument separator
Category: Resources/General
#15624: res_ais, communication ok, but wrong state send and receive.
Category: Resources/res_config_ldap
#13725: [patch] ERROR[7387]: res_config_ldap.c:1292 update_ldap: Couldn't
modify dn:cn=1001,dc=xxx,dc=xxx because Invalid syntax
#15710: Typo in LDAP schema files on line 598
Category: Resources/res_musiconhold
#15051: [patch] Moh class set in the dialplan is ignored with realtime moh
----------------------------------------------------------------------
Commits Not Associated with an Issue
[Back to Top]
This is a list of all changes that went into this release that did not
directly close an issue from the issue tracker. The commits may have been
marked as being related to an issue. If that is the case, the issue
numbers are listed here, as well.
+------------------------------------------------------------------------+
| Revision | Author | Summary | Issues |
| | | | Referenced |
|----------+------------+-----------------------------------+------------|
| | | Restore explicit export of | |
| 209058 | kpfleming | ASTCFLAGS/ASTLDFLAGS and | |
| | | underscore-variants to sub-makes. | |
|----------+------------+-----------------------------------+------------|
| 209237 | mmichelson | Gracefully handle malformed RTP | |
| | | text packets. | |
|----------+------------+-----------------------------------+------------|
| 209262 | kpfleming | Make T.38 switchover in | |
| | | ReceiveFAX synchronous. | |
|----------+------------+-----------------------------------+------------|
| 209281 | kpfleming | Cleanup T.38 negotiation changes. | |
|----------+------------+-----------------------------------+------------|
| 209327 | tilghman | Publish French extra sounds | |
|----------+------------+-----------------------------------+------------|
| | | Fix some places where | |
| 209714 | russell | ast_event_type was used instead | |
| | | of ast_event_ie_type. | |
|----------+------------+-----------------------------------+------------|
| 209781 | kpfleming | Minor changes inspired by testing | |
| | | with latest GCC. | |
|----------+------------+-----------------------------------+------------|
| 209900 | russell | Resolve a valgrind warning about | #15396 |
| | | a read from uninitialized memory. | |
|----------+------------+-----------------------------------+------------|
| 211115 | russell | Resolve a deadlock involving | |
| | | app_chanspy and masquerades. | |
|----------+------------+-----------------------------------+------------|
| 211277 | tilghman | Small oops. Clear the flags which | |
| | | have been checked. | |
|----------+------------+-----------------------------------+------------|
| 211569 | tilghman | AST-2009-005 | |
|----------+------------+-----------------------------------+------------|
| 211586 | tilghman | Conversion specifiers, not format | |
| | | specifiers | |
|----------+------------+-----------------------------------+------------|
| | | Check an actual populated | |
| 212069 | file | variable when seeing if we need | |
| | | to do video or not. | |
|----------+------------+-----------------------------------+------------|
| | | Ensure that T38FaxVersion is put | |
| 212115 | kpfleming | into outgoing SDP in the proper | |
| | | case. | |
|----------+------------+-----------------------------------+------------|
| 212386 | seanbright | Handle slin16 for extra sounds as | |
| | | well. | |
|----------+------------+-----------------------------------+------------|
| 212768 | rmudgett | Removed some deadwood and added | |
| | | some doxygen comments. | |
|----------+------------+-----------------------------------+------------|
| | | Make the default extconfig.conf | |
| 212862 | tilghman | match entries with the sample | |
| | | res_mysql.conf. | |
|----------+------------+-----------------------------------+------------|
| 212928 | kpfleming | Convert this branch to Opsound | |
| | | music-on-hold. | |
|----------+------------+-----------------------------------+------------|
| | | Remove some | |
| 212942 | kpfleming | accidentally-committed | |
| | | properties. | |
|----------+------------+-----------------------------------+------------|
| 213449 | twilson | Make LOAD_ORDER actually work | |
|----------+------------+-----------------------------------+------------|
| 213452 | twilson | Oops, committed this first. Make | |
| | | the merged property happy | |
|----------+------------+-----------------------------------+------------|
| | | Make autoheader descriptions | |
| 214365 | tilghman | render correctly in our | #14906 |
| | | autoconfig.h file. | |
|----------+------------+-----------------------------------+------------|
| | | One more build system change, to | |
| 214496 | tilghman | make the descriptions look | |
| | | better, if we have better | |
| | | information. | |
+------------------------------------------------------------------------+
Memory usage was reduced. Tons of bugs were fixed. Support for
reading messages from Motorola phones was improved.
Also BlueTooth support was improved.
20090709 - 1.25.0
[-] * Retry on timeout of usb transfer (bug #940).
[-] * Disable AT OBEX for Motorola PEBL U6 (bug #939).
[-] * Disable AT OBEX for Samsung J700 (bug #948).
[-] * Empty memory entry has length 0 (bug #947).
[-] * Handle some more fields from Nokia phonebook (bug #946), thanks to Will Sowerbutts.
20090624 - 1.24.92
[-] * Fix distutils build (bug #916).
[-] * Detect when phone does not support ATE1 (bug #918).
[-] * Do not use OBEX on Motorola L7 (bug #912).
[-] * Reinclude full SMS text in comments in backup (bug #905).
[-] * Disable AT OBEX for Samsung J750 and J700 (bug #856).
[-] * Avoid shadowing C++ bool definition (bug #920).
[-] * Do not disable CLIP for all SE phones.
[-] * Add ID for Nokia 1209.
[-] * Catch busy error from Nokia phones (bug #932, thanks to Walter Doekes).
20090527 - 1.24.91
[-] * Fix code problems caught by GCC 4.5.
[-] * Compile static libraries with -fPIC (they might be later linked
into shared ones) (bug #909).
[-] * Handle own number error code in 6510 driver (bug #910).
[-] * Add ID for Nokia 5220 (bug #910).
[-] * Handle SMSC error code in 6510 driver (bug #910).
[-] * Disable gcc warnings about non literal format strings (bug #901).
[-] * Add more fuzzy logic to detect bad encoding from phone (bug #874).
[-] * Add ID for Nokia 7500 and Nokia 7210s.
[-] * Improve searching for Bluetooth stack on OS X.
[-] * Fix ctype compile time warnings on NetBSD (bug #908).
[-] * Nokia 3110c has SMS on filesystem (bug #904).
[-] * Add ID for Nokia 5130 (bug #911).
[-] * Faster reading of Nokia filesystem.
[!] * New PDU decoder which properly parses PDU data.
[!] * AT driver uses new PDU decoder.
[!] * 6510 driver uses new PDU decoder and understands most formats of
filesystem Nokia SMS messages (bug #911).
20090512 - 1.24.90
[-] * Fix checking for MPBR (bug #873).
[-] * Fix reading of calls with wrong timestamp (bug #872).
[-] * Increase timeout for IrDA phonet (bug #867).
[-] * Better detect some weird phone states (bug #866).
[-] * Fix handling of caller group in Python bindings (bug #870).
[-] * Correctly detect empty entries from Motorola.
[-] * Better error reporting from at-charset test.
[+] * smsd-inject now shows ID of injected message.
[-] * Fix decoding of date in Nokia phonebooks (bug #876).
[-] * Fix detection of SMS message memories in AT (bug #875).
[-] * Improve documentation for savefile (bug #893).
[-] * Add stricter check for DBI version (bug #894).
