Asterisk Project Security Advisory - AST-2011-013
Product Asterisk
Summary Possible remote enumeration of SIP endpoints with
differing NAT settings
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 2011-07-18
Reported By Ben Williams
Posted On
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description It is possible to enumerate SIP usernames when the general
and user/peer NAT settings differ in whether to respond to
the port a request is sent from or the port listed for
responses in the Via header. In 1.4 and 1.6.2, this would
mean if one setting was nat=yes or nat=route and the other
was either nat=no or nat=never. In 1.8 and 10, this would
mean when one was nat=force_rport or nat=yes and the other
was nat=no or nat=comedia.
Resolution Handling NAT for SIP over UDP requires the differing
behavior introduced by these options.
To lessen the frequency of unintended username disclosure,
the default NAT setting was changed to always respond to the
port from which we received the request-the most commonly
used option.
Warnings were added on startup to inform administrators of
the risks of having a SIP peer configured with a different
setting than that of the general setting. The documentation
now strongly suggests that peers are no longer configured
for NAT individually, but through the global setting in the
"general" context.
Affected Versions
Product Release Series
Asterisk Open Source All All versions
Corrected In
As this is more of an issue with SIP over UDP in general, there is no
fix supplied other than documentation on how to avoid the problem. The
default NAT setting has been changed to what we believe the most
commonly used setting for the respective version in Asterisk 1.4.43,
1.6.2.21, and 1.8.7.2.
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-013.pdf and
http://downloads.digium.com/pub/security/AST-2011-013.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-013
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-014
Product Asterisk
Summary Remote crash possibility with SIP and the "automon"
feature enabled
Nature of Advisory Remote crash vulnerability in a feature that is
disabled by default
Susceptibility Remote unauthenticated sessions
Severity Moderate
Exploits Known Yes
Reported On November 2, 2011
Reported By Kristijan Vrban
Posted On 2011-11-03
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description When the "automon" feature is enabled in features.conf, it
is possible to send a sequence of SIP requests that cause
Asterisk to dereference a NULL pointer and crash.
Resolution Applying the referenced patches that check that the pointer
is not NULL before accessing it will resolve the issue. The
"automon" feature can be disabled in features.conf as a
workaround.
Affected Versions
Product Release Series
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Corrected In
Product Release
Asterisk Open Source 1.6.2.21, 1.8.7.2
Patches
Download URL Revision
http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-014.pdf and
http://downloads.digium.com/pub/security/AST-2011-014.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-014
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
in the iLBC codec files.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-013
Product Asterisk
Summary Possible remote enumeration of SIP endpoints with
differing NAT settings
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 2011-07-18
Reported By Ben Williams
Posted On
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description It is possible to enumerate SIP usernames when the general
and user/peer NAT settings differ in whether to respond to
the port a request is sent from or the port listed for
responses in the Via header. In 1.4 and 1.6.2, this would
mean if one setting was nat=yes or nat=route and the other
was either nat=no or nat=never. In 1.8 and 10, this would
mean when one was nat=force_rport or nat=yes and the other
was nat=no or nat=comedia.
Resolution Handling NAT for SIP over UDP requires the differing
behavior introduced by these options.
To lessen the frequency of unintended username disclosure,
the default NAT setting was changed to always respond to the
port from which we received the request-the most commonly
used option.
Warnings were added on startup to inform administrators of
the risks of having a SIP peer configured with a different
setting than that of the general setting. The documentation
now strongly suggests that peers are no longer configured
for NAT individually, but through the global setting in the
"general" context.
Affected Versions
Product Release Series
Asterisk Open Source All All versions
Corrected In
As this is more of an issue with SIP over UDP in general, there is no
fix supplied other than documentation on how to avoid the problem. The
default NAT setting has been changed to what we believe the most
commonly used setting for the respective version in Asterisk 1.4.43,
1.6.2.21, and 1.8.7.2.
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-013.pdf and
http://downloads.digium.com/pub/security/AST-2011-013.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-013
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-014
Product Asterisk
Summary Remote crash possibility with SIP and the "automon"
feature enabled
Nature of Advisory Remote crash vulnerability in a feature that is
disabled by default
Susceptibility Remote unauthenticated sessions
Severity Moderate
Exploits Known Yes
Reported On November 2, 2011
Reported By Kristijan Vrban
Posted On 2011-11-03
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description When the "automon" feature is enabled in features.conf, it
is possible to send a sequence of SIP requests that cause
Asterisk to dereference a NULL pointer and crash.
Resolution Applying the referenced patches that check that the pointer
is not NULL before accessing it will resolve the issue. The
"automon" feature can be disabled in features.conf as a
workaround.
Affected Versions
Product Release Series
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Corrected In
Product Release
Asterisk Open Source 1.6.2.21, 1.8.7.2
Patches
Download URL Revision
http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-014.pdf and
http://downloads.digium.com/pub/security/AST-2011-014.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-014
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
2) Pass BUILDLINK_CPPFLAGS and BUILDLINK_LDFLAGS to the make process.
3) Have the build variables HAVE_LIBCURSES and HAVE_CURSES needed for the
linux build set the by pkgsrc.
Bump PKGREVISION
pkgsrc change: now what sqlite3 has been imported into NetBSD, enable it
Asterisk Project Security Advisory - AST-2011-012
Product Asterisk
Summary Remote crash vulnerability in SIP channel driver
Nature of Advisory Remote crash
Susceptibility Remote authenticated sessions
Severity Critical
Exploits Known No
Reported On October 4, 2011
Reported By Ehsan Foroughi
Posted On October 17, 2011
Last Updated On October 17, 2011
Advisory Contact Terry Wilson <twilson@digium.com>
CVE Name CVE-2011-4063
Description A remote authenticated user can cause a crash with a
malformed request due to an unitialized variable.
Resolution Ensure variables are initialized in all cases when parsing
the request.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions (currently in beta)
Corrected In
Product Release
Asterisk Open Source 1.8.7.1, 10.0.0-rc1
Patches
Download URL Revision
http://downloads.asterisk.org/pub/security/AST-2011-012-1.8.diff 1.8
http://downloads.asterisk.org/pub/security/AST-2011-012-10.diff 10
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-012.pdf and
http://downloads.digium.com/pub/security/AST-2011-012.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-012
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
This update adds a "jabber" option which is enabled by default.
This option pulls in iksemel which is used by the res_jabber.
Doing this allows chan_jingle (jabber) and chan_gtalk to work.
pkgsrc changes:
- adjust for ilbc changes after it was acquired by Google
- install AST.pdf IAX2-security.pdf into share/doc/asterisk
1.8.7.0:
========
The release of Asterisk 1.8.7.0 resolves several issues reported
by the community and would have not been possible without your
participation. Thank you!
Please note that a significant numbers of changes and fixes have
gone into features.c in this release (call parking, built-in
transfers, call pickup, etc.).
NOTE:
Recently, we were notified that the mechanism included in our
Asterisk source code releases to download and build support for
the iLBC codec had stopped working correctly; a little investigation
revealed that this occurred because of some changes on the
ilbcfreeware.org website. These changes occurred as a result of
Google's acquisition of GIPS, who produced (and provided licenses
for) the iLBC codec.
If you are a user of Asterisk and iLBC together, and you've already
executed a license agreement with GIPS, we believe you can continue
using iLBC with Asterisk. If you are a user of Asterisk and iLBC
together, but you had not executed a license agreement with GIPS,
we encourage you to research the situation and consult with your
own legal representatives to determine what actions you may want
to take (or avoid taking).
More information is available on the Asterisk blog:
http://blogs.asterisk.org/2011/09/19/ilbc-support-in-asterisk-after-googles-acquisition-of-gips/
The following is a sample of the issues resolved in this release:
* Added the 'storesipcause' option to sip.conf to allow the user to
disable the setting of HASH(SIP_CAUSE,) on the channel. Having
chan_sip set HASH(SIP_CAUSE,) on the channel carries a significant
performance penalty because of the usage of the MASTER_CHANNEL()
dialplan function.
We've decided to disable this feature by default in future 1.8
versions. This would be an unexpected behavior change for anyone
depending on that SIP_CAUSE update in their dialplan. Please
refer to the asterisk-dev mailing list more information:
http://lists.digium.com/pipermail/asterisk-dev/2011-August/050626.html
* Significant fixes and improvements to parking lots.
(Closes issues ASTERISK-17183, ASTERISK-17870, ASTERISK-17430,
ASTERISK-17452, ASTERISK-17452, ASTERISK-15792.)
* Numerous issues have been reported for deadlocks that are caused
by a blocking read in res_timing_timerfd on a file descriptor
that will never be written to.
A change to Asterisk adds some checks to make sure that the
timerfd is both valid and armed before calling read(). Should
fix: ASTERISK-18142, ASTERISK-18197, ASTERISK-18166 and possibly
others. (In essence, this change should make res_timing_timerfd
usable.)
* Resolve segfault when publishing device states via XMPP and not connected.
(Closes issue ASTERISK-18078.)
* Refresh peer address if DNS unavailable at peer creation.
(Closes issue ASTERISK-18000)
* Fix the missing DAHDI channels when using the newer chan_dahdi.conf
sections for channel configuration.
(Closes issue ASTERISK-18496.)
* Remove unnecessary libpri dependency checks in the configure script.
(Closes issue ASTERISK-18535.)
* Update get_ilbc_source.sh script to work again.
(Closes issue ASTERISK-18412)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.7.0
Thank you for your continued support of Asterisk!
1.8.6.0:
========
The release of Asterisk 1.8.6.0 resolves several issues reported
by the community and would have not been possible without your
participation. Thank you!
The following is a sample of the issues resolved in this release:
* Fix an issue with Music on Hold classes losing files in playlist
when realtime is used. (Closes issue ASTERISK-17875.)
* Resolve a potential crash in chan_sip when utilizing auth= and
performing a 'sip reload' from the console. (Closes issue
ASTERISK-17939.)
* Address some improper sql statements in res_odbc that would cause
an update to fail on realtime peers due to trying to set as
"(NULL)" rather than an actual NULL. (Closes issue ASTERISK-17791.)
* Resolve issue where 403 Forbidden would always be sent maximum
number of times regardless to receipt of ACK.
* Resolve issue where if a call to MeetMe includes both the dynamic(D)
and always request PIN(P) options, MeetMe will ask for the PIN
two times: once for creating the conference and once for entering
the conference.
* Fix New Zealand indications profile based on
http://www.telepermit.co.nz/TNA102.pdf
(Closes issue ASTERISK-16263.)
* Segfault in shell_helper in func_shell.c
(Closes issue ASTERISK-18109.)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.6.0
Thank you for your continued support of Asterisk!
misuse of function pointer casts and mismatched function calls and
arguments. Now this has some chance at running on something other
than i386.
PKGREVISION -> 12.
require you to use movd (instead of movq) when transferring data
between reg32/64 and an mmx register. No PKGREVISION bump since it
failed to compile on amd64 meaning there was no binary package.
Changes:
0.4, 20110831 - jeagle
Fix packet timeout bug reported by Dave S.
Replace call to die() in __data_to_int with return undef, update docs to
reflect this.
Device::XBee::API is a module designed to encapsulate the Digi XBee API in
object-oriented Perl. This module expects to communicate with an XBee
module using the API firmware via a serial (or serial over USB) device.
1.58 Mon Mar 7 22:31:22 EST 2011
- Fixed RT #48229, an uninitialized value when registering to the network
but getting no answer from the phone.
1.57 Mon Mar 7 20:53:03 EST 2011
- Fixed a bug in send_sms() that prevented it from working at all.
The bug was introduced with the "assume_registered" option.
- Fixed RT #57585. Thanks to Eric Kössldorfer for his patch and
test case.
- Added PDU<->latin1 conversion functions in Device::Gsm::Pdu
- Note to self: first release from Australia!
* Handle device reconnected more smoothly (USB-serial dongles)
* Translation updates: Danish
* Several fixes (see ChangeLog)
Changes 2.4:
* Add -D and -b options to specify device and baud rate on the command
line.
* Do character conversion between local and remote side (-R option)
* Added indonesian translation
* Compatibility fixes for recent build environments
* Remove code that handled very old systems
Changes 2.3:
* Fix build on Mac OS X
* New version of the dial format to be little and big endian as well as
32/64 bit safe
* Support more baud rates
* Handle device disappearances (e.g. serial-USB device unplug)
* Various build and other fixes
Changes 2.2:
* Vietnamese translation added
* Norwegian translation added
* Traditional chinese translation added
* Swedish translation added
* Romanian translation added
* default to 8bit mode if LANG or LC_ALL are set
* default baud rate set to 115200
* Various code cleanups and fixes
The release of Asterisk 1.8.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Fix Deadlock with attended transfer of SIP call
* Fixes thread blocking issue in the sip TCP/TLS implementation.
* Be more tolerant of what URI we accept for call completion PUBLISH requests.
* Fix a nasty chanspy bug which was causing a channel leak every time a spied on
channel made a call.
* This patch fixes a bug with MeetMe behavior where the 'P' option for always
prompting for a pin is ignored for the first caller.
* Fix issue where Asterisk does not hangup a channel after endpoint hangs up. If
the call that the dialplan started an AGI script for is hungup while the AGI
script is in the middle of a command then the AGI script is not notified of
the hangup.
* Resolve issue where leaving a voicemail, the MWI message is never sent. The
same thing happens when checking a voicemail and marking it as read.
* Resolve issue where wait for leader with Music On Hold allows crosstalk
between participants. Parenthesis in the wrong position. Regression from issue
#14365 when expanding conference flags to use 64 bits.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.5.0
Thank you for your continued support of Asterisk!
