The Asterisk Development Team would like to announce the release
of Asterisk 18.6.0.
This release is available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 18.6.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following issues are resolved in this release:
Security bugs fixed in this release:
-----------------------------------
* ASTERISK-29415 - Crash in PJSIP TLS transport
(Reported by Andrew Yager)
* ASTERISK-29381 - chan_pjsip: Remote denial of service by an
authenticated user
(Reported by Ivan Poddubny)
New Features made in this release:
-----------------------------------
* ASTERISK-29389 - Add PJSIP_HEADERS() and ability to read
header by pattern
(Reported by Igor Goncharovsky)
* ASTERISK-29477 - Function to asynchronously store digits dialed
(Reported by N A)
* ASTERISK-29454 - New application to reload modules
(Reported by N A)
* ASTERISK-29444 - Add application to wait for condition
(Reported by N A)
* ASTERISK-29442 - app_dial: Expand A option to allow
announcement playback to caller
(Reported by N A)
Bugs fixed in this release:
-----------------------------------
* ASTERISK-29494 - cdr_adaptive_odbc: Prevent throwing warnings
if CDR filtering is used
(Reported by N A)
* ASTERISK-29513 - statsd: Remove non-standard metric type Meter
(Reported by Rijnhard Hessel)
* ASTERISK-29526 - G729 audio gets corrupted by Asterisk due to smoother
(Reported by under)
* ASTERISK-29392 - chan_iax2: Asterisk crashes when queueing
video with format
(Reported by Michael Welk)
* ASTERISK-29507 - STUN timeout is silently delaying calls
(Reported by S??bastien Duthil)
* ASTERISK-27871 - Remote URL in playback must end with file extension
(Reported by Caesar)
* ASTERISK-29514 - ari: Audiosocket segfault when no data specified
(Reported by Igor Goncharovsky)
* ASTERISK-29503 - Updated identify/match syntax not supported
by config wizard
(Reported by Sean Bright)
* ASTERISK-29480 - fixedjitterbuffer contains an un-wrappered
assert that triggers on a negative time slew
(Reported by Dan Cropp)
* ASTERISK-29485 - core: Inband generation of tones for Busy()
and Congestion() may not occur
(Reported by Joshua C. Colp)
* ASTERISK-29479 - [patch] Channels are not put on hold for
Session Progress with inactive audio
(Reported by Bernd Zobl)
Improvements made in this release:
-----------------------------------
* ASTERISK-29528 - Add support for multiple files for agent announcements
(Reported by N A)
* ASTERISK-29501 - ARI - Stasis Playback doesn't hangup call
when processing a list of invalid files
(Reported by Andre Barbosa)
* ASTERISK-29464 - ARI - PlaybackFinish skip error events
(Reported by Andre Barbosa)
For a full list of changes in this release, please see the ChangeLog:
https://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-18.6.0
Thank you for your continued support of Asterisk!
The Asterisk Development Team would like to announce security releases for
Asterisk 13, 16, 17 and 18, and Certified Asterisk 16.8. The available releases
are released as versions 13.38.3, 16.19.1, 17.9.4, 18.5.1 and 16.8-cert10.
These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases
The following security vulnerabilities were resolved in these versions:
* AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver
When Asterisk receives a re-INVITE without SDP after having sent
a BYE request a crash will occur. This occurs due to the Asterisk
channel no longer being present while code assumes it is.
* AST-2021-008: Remote crash when using IAX2 channel driver
If the IAX2 channel driver receives a packet that contains an
* AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during
handshake
Depending on the timing, it's possible for Asterisk to crash when
using a TLS connection if the underlying socket parent/listener
gets destroyed during the handshake.
For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.5.1
The security advisories are available at:
https://downloads.asterisk.org/pub/security/AST-2021-007.pdfhttps://downloads.asterisk.org/pub/security/AST-2021-008.pdfhttps://downloads.asterisk.org/pub/security/AST-2021-009.pdf
Thank you for your continued support of Asterisk!
pkgsrc change: Fix segfault under aarch64 from ryoon for comms/asterisk16.
-----
The Asterisk Development Team would like to announce the release
of Asterisk 18.5.0.
The release of Asterisk 18.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following issues are resolved in this release:
New Features made in this release:
-----------------------------------
* ASTERISK-29446 - app_confbridge: New ConfKick application
(Reported by N A)
* ASTERISK-29440 - app_confbridge: Allow ConfBridge answer to
be suppressed
(Reported by N A)
* ASTERISK-29431 - Minimum and maximum dialplan functions
(Reported by N A)
* ASTERISK-29439 - func_volume: Volume function can't be read
(Reported by N A)
Bugs fixed in this release:
-----------------------------------
* ASTERISK-29475 - SayNumber triggers WARNING if caller hangs
up during application execution
(Reported by N A)
* ASTERISK-29404 - Consolidate res_pjsip_messaging fixes for
domain name
(Reported by George Joseph)
* ASTERISK-29441 - Core reload making TCP endpoints go offline
(Reported by Luke Escude)
* ASTERISK-28237 - "FRACK!, Failed assertion bad magic number"
happens when unsubscribe an application from an event source
(Reported by Lucas Tardioli Silveira)
* ASTERISK-28393 - Multidomain support issue
(Reported by Andrea Sannucci)
* ASTERISK-29433 - res_rtp_asterisk: Server reflexive
candidates use incorrect raddr for RTCP
(Reported by Chris)
* ASTERISK-29397 - pjsip: Asterisk isn't tolerant of RFC8760 UASs
(Reported by George Joseph)
* ASTERISK-24601 - [patch]Missing RFC4235 tags and attributes
in PJSIP NOTIFY event: dialog XML body
(Reported by Marco Paland)
* ASTERISK-29370 - chan_sip does not recognize
application/hook-flash
(Reported by N A)
* ASTERISK-29377 - cpool_release_pool "double free or
corruption (out)"
(Reported by Robert Sutton)
* ASTERISK-29372 - file.c switch does not account for flash
events
(Reported by N A)
* ASTERISK-29358 - chan_pjsip: Trace message for progress is
output even if frame is not queued
(Reported by Michael Maier)
* ASTERISK-29407 - chan_local: Filtering audio formats should
not occur on removed streams
(Reported by Joshua C. Colp)
* ASTERISK-29030 - res_rtp_asterisk: Additional RTP-frame (with
wrong SSRC) gets inserted when switching from progress to
established
(Reported by Matthias Hensler)
Improvements made in this release:
-----------------------------------
* ASTERISK-29450 - Allow setting channel variables using
Originate application
(Reported by N A)
* ASTERISK-29459 - Missing configuration from PJSIP to SIP
conversion script
(Reported by N A)
* ASTERISK-29460 - Recognize application/hook-flash in PJSIP
(Reported by N A)
* ASTERISK-29434 - Asterisk reveals pjproject version in STUN packets
(Reported by Jeremy Lain??)
* ASTERISK-29349 - Silent voicemail option is not completely silent
(Reported by N A)
* ASTERISK-29380 - Add Flash AMI event to handle flash events
(Reported by N A)
For a full list of changes in this release, please see the ChangeLog:
https://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-18.5.0
Thank you for your continued support of Asterisk!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-announce/attachments/20210624/fe9defa9/attachment.html>
Previous message (by thread): [asterisk-announce] Asterisk 16.19.0 Now Available
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the asterisk-announce mailing list
This is a long term support version. It is scheduled to go to
security fixes only on October 20th, 2024, and EOL on October 20th,
2025.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 18.3.0 to Asterisk 18.4.0 ------------
------------------------------------------------------------------------------
logger
------------------
* The dateformat option in logger.conf will now control the remote
console (asterisk -r -T) timestamp format. Previously, dateformat
only controlled the formatting of the timestamp going to log
files and the main console (asterisk -c) but only for non-verbose
messages.
Internally, Asterisk does not send the logging timestamp with
verbose messages to console clients. It's up to the Asterisk
remote consoles to format verbose messages. Asterisk remote
consoles previously did not load dateformat from logger.conf.
Previously there was a non-configurable and hard-coded "%b %e
%T" dateformat that would be used no matter what on all verbose
console messages printed on remote consoles.
Example:
logger.conf
dateformat=%F %T.%3q
# asterisk -rvvv -T
[2021-03-19 09:54:19.760-0400] Loading res_stasis_answer.so.
[Mar 19 09:55:43] -- Goto (dialExten,s,1)
Given the following example configuration in logger.conf, Asterisk
log files and the console, will log verbose messages using the
given timestamp. Now ensuring that all remote console messages
are logged with the same dateformat as other log streams.
---
[general]
dateformat=%F %T.%3q
[logfiles]
console => notice,warning,error,verbose
full => notice,warning,error,debug,verbose
---
Now we have a globally-defined dateformat that will be used
consistently across the Asterisk main console, remote consoles,
and log files.
Now we have consistent logging:
# asterisk -rvvv -T
[2021-03-19 09:54:19.760-0400] Loading res_stasis_answer.so.
[2021-03-19 09:55:43.920-0400] -- Goto (dialExten,s,1)
res_pjsip
------------------
* PJSIP transports can now be partially reloaded safely. This
allows the local_net and external_* options to be updated without
restarting Asterisk.
* PJSIP endpoints can now be configured to skip authentication
when handling OPTIONS requests by setting the
allow_unauthenticated_options configuration property to 'yes.'
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 18.2.2 to Asterisk 18.3.0 ------------
------------------------------------------------------------------------------
app_mixmonitor
------------------
* app_mixmonitor now sends manager events MixMonitorStart,
MixMonitorStop and MixMonitorMute when the channel monitoring
is started, stopped and muted (or unmuted) respectively.
chan_iax2
------------------
* You can now specify a default "auth" method in the [general]
section of iax.conf
chan_pjsip, app_transfer
------------------
* Added TRANSFERSTATUSPROTOCOL variable. When transfer is performed,
transfers can pass a protocol specific error code. Example, in
SIP 3xx-6xx represent any SIP specific error received when
performing a REFER.
func_odbc
------------------
* Introduce an ARGC variable for func_odbc functions, along with
a minargs per-function configuration option.
minargs enables enforcing of minimum count of arguments to pass
to func_odbc, so if you're unconditionally using ARG1 through
ARG4 then this should be set to 4. func_odbc will generate an
error in this case, so for example
[FOO]
minargs = 4
and ODBC_FOO(a,b,c) in dialplan will now error out instead of
using a potentially leaked ARG4 from Gosub().
ARGC is needed if you're using optional argument, to verify
whether or not an argument has been passed, else it's possible
to use a leaked ARGn from Gosub (app_stack). So now you can
safely do ${IF($[${ARGC}>3]?${ARGV}:default value)} kind of
thing.
res_srtp
------------------
* SRTP replay protection has been added to res_srtp and
a new configuration option "srtpreplayprotection" has been added
to the rtp.conf config file. For security reasons, the default
setting is "yes". Buggy clients may not handle this correctly
which could result in no, or one way, audio and Asterisk error
messages like "replay check failed".
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 18.1.0 to Asterisk 18.2.0 ------------
------------------------------------------------------------------------------
Core
------------------
* The location where the media cache stores its temporary files
is no longer hardcoded to /tmp but can now be configured separately
via the astcachedir config variable in asterisk.conf. To retain
backwards compatibility, the default location remains /tmp.
app_voicemail
------------------
* The VoiceMail application can now be configured to send greetings
and instructions via early media and only answering the channel
when it is time for the caller to record their message. This
behavior can be activated by passing the new 'e' option to
VoiceMail.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 18.0.0 to Asterisk 18.1.0 ------------
------------------------------------------------------------------------------
Core
------------------
* Added debug logging categories that allow a user to output debug
information based on a specified category. This lets the user
limit, and filter debug output to data relevant to a particular
context, or topic. For instance the following categories are
now available for debug logging purposes:
dtls, dtls_packet, ice, rtcp, rtcp_packet, rtp, rtp_packet, stun, stun_packet
These debug categories can be enable/disable via an Asterisk
CLI command:
core set debug category <category>[:<sublevel>] [category[:<sublevel] ...]
core set debug category off [<category> [<category>] ...]
If no sub-level is associated all debug statements for a given
category are output. If a sub-level is given then only those
statements assigned a value at or below the associated sub-level
are output.
app_confbridge
------------------
* app_confbridge now has the ability to force the estimated bitrate
on an SFU bridge. To use it, set a bridge profile's remb_behavior
to "force" and set remb_estimated_bitrate to a rate in bits per
second. The remb_estimated_bitrate parameter is ignored if
remb_behavior is something other than "force".
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 17.0.0 to Asterisk 18.0.0 ------------
------------------------------------------------------------------------------
chan_pjsip
------------------
* The PJSIP_SEND_SESSION_REFRESH dialplan function now issues a
warning, and returns unsuccessful if it's used on a channel
prior to answering.
logger
------------------
* Added a new log formatter called "plain" that always prints
file, function and line number if available (even for verbose
messages) and never prints color control characters. Most
suitable for file output but can be used for other channels as
well.
You use it in logger.conf like so:
debug => [plain]debug
console => [plain]error,warning,debug,notice,pjsip_history
messages => [plain]warning,error,verbose
------------------------------------------------------------------------------
--- New functionality introduced in Asterisk 18.0.0 --------------------------
------------------------------------------------------------------------------
Core
------------------
* The Streams API becomes the home for the core ACN capabilities.
These include...
* Parsing and formatting of codec negotation preferences.
* Resolving pending streams and topologies with those configured
using configured preferences.
* Utility functions for creating string representations of
streams, topologies, and negotiation preferences.
For codec negotiation preferences:
* Added ast_stream_codec_prefs_parse() which takes a string
representation of codec negotiation preferences, which may
come from a pjsip endpoint for example, and populates a
ast_stream_codec_negotiation_prefs structure.
* Added ast_stream_codec_prefs_to_str() which does the reverse.
* Added many functions to parse individual parameter name
and value strings to their respectrive enum values, and the
reverse.
For streams:
* Added ast_stream_create_resolved() which takes a "live" stream
and resolves it with a configured stream and the negotiation
preferences to create a new stream.
* Added ast_stream_to_str() which create a string representation
of a stream suitable for debug or display purposes.
For topology:
* Added ast_stream_topology_create_resolved() which takes a
"live" topology and resolves it, stream by stream, with a
configured topology stream and the negotiation preferences
to create a new topology.
* Added ast_stream_topology_to_str() which create a string
representation of a topology suitable for debug or display
purposes.
* Renamed ast_format_caps_from_topology() to
ast_stream_topology_get_formats() to be more consistent with
the existing ast_stream_get_formats().
Additional changes:
* A new function ast_format_cap_append_names() appends the
results to the ast_str buffer instead of replacing buffer
contents.
app_bridgeaddchan
------------------
* The BridgeAdd application now behaves more like the Bridge
application. The application now sets the BRIDGERESULT channel
variable to indicate what happened when the channel resumes in
dialplan. This is instead of hanging up the channel on failure
conditions.
res_pjsip
------------------
* Two new options, incoming_call_offer_pref and outgoing_call_offer_pref
have been added to res_pjsip endpoints that specify the preferred
order of codecs to use between those received/sent in an SDP
offer and those set in the endpoint configuration.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 17.0.0 to Asterisk 18.0.0 ------------
------------------------------------------------------------------------------
AMI
------------------
* You can now specify an optional 'Content-Type' as an argument
for the Asterisk SendText manager action.
ARI
------------------
* A new parameter 'inhibitConnectedLineUpdates' is now available
in the 'bridges.addChannel' call. This prevents the identity of
the newly connected channel from being presented to other bridge
members.
ARI Channels
------------------
* The Channel resource has a new sub-resource "externalMedia".
This allows an application to create a channel for the sole
purpose of exchanging media with an external server. Once
created, this channel could be placed into a bridge with existing
channels to allow the external server to inject audio into the
bridge or receive audio from the bridge. See
https://wiki.asterisk.org/wiki/display/AST/External+Media+and+ARI
for more information.
Core
------------------
* H.265/HEVC is now a supported video codec and it can be used by
specifying "h265" in the allow line. Please note however, that
handling of the additional SDP parameters described in RFC 7798
section 7.2 is not yet supported.
Features
------------------
* Adds support for AudioSocket, a very simple bidirectional audio
streaming protocol. There are both channel and application
interfaces.
A description of the protocol can be found on the referenced
wiki page. A short talk about the reasons and implementation
can be found on YouTube at the link provided.
ARI support has also been added via the existing "externalMedia"
ARI functionality. The UUID is specified using the arbitrary
"data" field.
Wiki: https://wiki.asterisk.org/wiki/display/AST/AudioSocket
YouTube: https://www.youtube.com/watch?v=tjduXbZZEgI
Messaging
------------------
* In order to reduce the amount of AMI and ARI events generated,
the global "Message/ast_msg_queue" channel can be set to suppress
it's normal channel housekeeping events such as "Newexten",
"VarSet", etc. This can greatly reduce load on the manager and
ARI applications when the Digium Phone Module for Asterisk is
in use. To enable, set "hide_messaging_ami_events" in asterisk.conf
to "yes" In Asterisk versions <18, the default is "no" preserving
existing behavior. Beginning with Asterisk 18, the option will
default to "yes".
STIR/SHAKEN
------------------
* STIR/SHAKEN support has been added to Asterisk. Configuration
is done in stir_shaken.conf. There is a sample configuration
file to help you get started
(asterisk/configs/samples/stir_shaken.conf.sample). Once that's
set up, you can enable STIR/SHAKEN on any endpoint by setting
stir_shaken to yes on the endpoint configuration object. This
will add an Identity header on outgoing INVITEs, and check for
an Identity header on incoming INVITEs. This option has been
added to Alembic as well.
The information received on an incoming INVITE can be checked
using the STIR_SHAKEN dialplan function. There are two variations:
STIR_SHAKEN(count)
STIR_SHAKEN(0, verify_result)
The first variation will tell you how many STIR/SHAKEN results
are on the channel. The second fetches information for a specific
result. The first parameter is the index, followed by what
information you want to retrieve. The available options are
'verify_result', 'identity', and 'attestation'.
app_chanisavail
------------------
* The ChanIsAvail application now tolerates empty positions in
the supplied device list. Dialplan can now be simplified by
not having to check for empty positions in the device list.
app_confbridge
------------------
* A new bridge profile option, maximum_sample_rate, has been added
which sets a maximum sample rate that the bridge will be mixed
at. This allows the bridge to move below the maximum sample rate
as needed but caps it at the maximum.
* A new option, "text_messaging", has been added to the user
profile which allows control over whether text messaging is
enabled or disabled for a user. If enabled (the default) text
messages will be sent to the user. If disabled no text messages
will be sent to the user.
app_dial
------------------
* The Dial application now tolerates empty positions in the supplied
destination list. Dialplan can now be simplified by not having
to check for empty positions in the destination list. If there
are no endpoints to dial then DIALSTATUS is set to CHANUNAVAIL.
app_mixmonitor
------------------
* An option 'S' has been added to MixMonitor. If used in combination
with the r() and/or t() options, if a frame is available to
write to one of those files but not the other, a frame of silence
if written to the file that does not have an audio frame. This
should prevent the two files from "drifting" when mixed after
the fact.
* If the 'filename' argument to MixMonitor() ended with '.wav49,'
Asterisk would silently convert the extension to '.WAV' when
opening the file for writing. This caused the MIXMONITOR_FILENAME
variable to reference the wrong file. The MIXMONITOR_FILENAME
variable will now reflect the name of the file that Asterisk
actually used instead of the filename that was passed to the
application.
app_page
------------------
* The Page application now tolerates empty positions in the supplied
destination list. Dialplan can now be simplified by not having
to check for empty positions in the destination list.
app_voicemail
------------------
* A feature was added in Asterisk 13.27.0 and 16.4.0 that removed
lock files from the Asterisk voicemail directory on startup.
Some users that store their voicemails on network storage devices
experienced slow startup times due to the relative expense of
traversing the voicemail directory structure looking for orphaned
lock files. This feature has now been removed.
Users who require the lock files to be removed at startup should
modify their startup scripts to do so before starting the asterisk
process.
chan_pjsip
------------------
* A new dialplan function, PJSIP_MOH_PASSTRHOUGH, has been added
to chan_pjsip. This allows the behaviour of the moh_passthrough
endpoint option to be read or changed in the dialplan. This
allows control on a per-call basis.
chan_rtp
------------------
* The UnicastRTP channel driver provided by chan_rtp now accepts
"<hostname>:<port>" as an alternative to "<ip_address>:<port>"
in the destination. The first AAAA (preferred) or A record
resolved will be used as the destination. The lookup is
synchronous so beware of possible dialplan delays if you specify
a hostname.
func_curl
------------------
* A new parameter, httpheader, has been added to CURLOPT function.
This parameter allows to set custom http headers for subsequent
calls of CURL function. Any setting of headers will replace
the default curl headers (e.g. "Content-type:
application/x-www-form-urlencoded")
* A new option, followlocation, can now be enabled with the
CURLOPT() dialplan function. Setting this will instruct cURL to
follow 3xx redirects, which it does not by default.
func_jitterbuffer
------------------
* The JITTERBUFFER dialplan function now has an option to enable
video synchronization support. When enabled and used with a
compatible channel driver (chan_sip, chan_pjsip) the video is
buffered according to the size of the audio jitterbuffer and is
synchronized to the audio.
func_volume
------------------
* Accept decimal number as argument.
http
------------------
* You can now disable the /httpstatus page served by Asterisk's
built-in HTTP server by setting 'enable_status' to 'no' in
http.conf.
minmemfree
------------------
* The 'minmemfree' configuration option now counts memory allocated
to the filesystem cache as "free" because it is memory that is
available to the process.
res_ari_channels
------------------
* When creating a channel in ARI using the create call
you can now specify dialplan variables to be set as part of the
same operation.
res_musiconhold
------------------
* This fix allows a realtime moh class to be unregistered from
the command line. This is useful when the contents of a directory
referenced by a realtime moh class have changed. The realtime
moh class is then reloaded on the next request and uses the new
directory contents.
* A new mode - playlist - has been added to res_musiconhold. This
mode allows the user to specify the files (or URLs) to play
explicitly by putting them directly in musiconhold.conf.
res_pjsip
------------------
* Added a new PJSIP system setting called disable_rport.
Default is no to keep support working as before.
If it is false (default) it adds the 'rport' parameter in the
outgoing request message. If it is true it does not add the
'rport' parameter in the outgoing request message.
This is a system option, but working as a global option.
res_pjsip_endpoint_identifier_ip
------------------
* In 'type = identify' sections, the addresses specified for the
'match' clause can now include a port number. For IP addresses,
the port is provided by including a colon after the address,
followed by the desired port number. If supplied, the netmask
should follow the port number. To specify a port for IPv6
addresses, the address itself must be enclosed in brackets to
be parsed correctly.
res_pjsip_logger
------------------
* The PJSIP packet logger now has the following CLI commands:
pjsip set logger pcap <filename>
When used this will create a pcap file containing the incoming
and outgoing SIP packets, in unencrypted form.
pjsip set logger console <on / off>
This allows you to toggle logging to console on and off.
pjsip set logger host <IP/subnet mask> add
This allows you to add an additional IP address or subnet mask
to logging, allowing you to log multiple instead of just a single
IP address or all traffic.
The normal "pjsip set logger host" CLI command has also been
expanded to allow subnet masks as well.
res_pjsip_session
------------------
* When placing an outgoing call to a PJSIP endpoint the intent
of any requested formats will now be respected. If only an audio
format is requested (such as ulaw) but the underlying endpoint
does not support the format the resulting SDP will still only
contain an audio stream, and not any additional streams such as
video.
* Two new options, incoming_call_offer_pref and outgoing_call_offer_pref
have been added to res_pjsip endpoints that specify the preferred
order of codecs to use between those received/sent in an SDP
offer and those set in the endpoint configuration.
res_rtp_asterisk
------------------
* This change include a new cli command 'rtp show settings'
The command display by general settings of rtp configuration.
For this point is added the fields: rtpstart, rtpend, dtmftimeout,
rtpchecksum, strictrtp, learning_min_sequential and icesupport.
* The blacklist mechanism in res_rtp_asterisk for ICE and STUN
was converted to an ACL mechanism.
As such six new options are now available:
ice_deny
ice_permit
ice_acl
stun_deny
stun_permit
stun_acl
These options have their obvious meanings as used elsewhere.
Backwards compatibility was maintained by adding {stun,ice}_blacklist
as aliases for {stun,ice}_deny.
res_sorcery_memory_cache
------------------
* The SorceryMemoryCacheExpireObject AMI action and CLI
command allow expiring of a specific object within the sorcery
memory cache. This is done by removing the object from the cache
with the expectation that the cache will then re-populate the
object when it is next needed.
For full backend caching this does not occur. The cache won't
repopulate until an entire refresh is done resulting in the
possibility that objects are missing until that time.
The AMI action and CLI command will now not allow expiring of
an object if the cache is configured as a full backend cache.
Instead you must use either the SorceryMemoryCacheExpire or
SorceryMemoryCachePopulate AMI actions or their associated CLI
commands.
taskprocessor.c
------------------
* Added two new CLI commands to reset stats for taskprocessors.
You can reset stats for a single, specific taskprocessor ('core
reset taskprocessor <taskprocessor>'), or you can reset all
taskprocessors ('core reset taskprocessors'). These commands
will reset the counter for the number of tasks processed as well
as the max queue size.
* Added "like" support for 'core show taskprocessors'. Now you
can specify a specific set of taskprocessors (or just one) by
adding the keyword "like" to the above command, followed by your
search criteria.
pkgsrc-users@ a few weeks ago. This package is ancient and has
been EOL for a couple of years. It likely has numerous security
issues. Also, the PKGNAME will conflict with the upcoming Asterisk
18.* in a couple of years times. There were no objections.
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
Existing SHA1 digests verified, all found to be the same on the
machine holding the existing distfiles (morden). Existing SHA1
digests retained for now as an audit trail.
The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11,
12, and 13. The available security releases are released as versions
1.8.28.cert-5, 1.8.32.3, 11.6-cert11, 11.17.1, 12.8.2, 13.1-cert2,
and 13.3.2.
The release of these versions resolves the following security vulnerability:
* AST-2015-003: TLS Certificate Common name NULL byte exploit
When Asterisk registers to a SIP TLS device and verifies the
server, Asterisk will accept signed certificates that match a
common name other than the one Asterisk is expecting if the signed
certificate has a common name containing a null byte after the
portion of the common name that Asterisk expected. This potentially
allows for a man in the middle attack.
For more information about the details of this vulnerability, please read
security advisory AST-2015-003, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the Change Logs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
Thank you for your continued support of Asterisk!
pkgsrc change: adapt to splitting up of speex
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,
11.15.1, 12.8.1, and 13.1.1.
The release of these versions resolves the following security vulnerabilities:
* AST-2015-001: File descriptor leak when incompatible codecs are offered
Asterisk may be configured to only allow specific audio or
video codecs to be used when communicating with a
particular endpoint. When an endpoint sends an SDP offer
that only lists codecs not allowed by Asterisk, the offer
is rejected. However, in this case, RTP ports that are
allocated in the process are not reclaimed.
This issue only affects the PJSIP channel driver in
Asterisk. Users of the chan_sip channel driver are not
affected.
* AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as well
as its res_config_curl.so (cURL realtime backend) modules.
Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.
For more information about the details of these vulnerabilities, please read
security advisory AST-2015-001 and AST-2015-002, which were released at the same
time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2015-002.pdf
Thank you for your continued support of Asterisk!
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
11.14.1, 12.7.1, and 13.0.1.
The release of these versions resolves the following security vulnerabilities:
* AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
address families
Many modules in Asterisk that service incoming IP traffic have ACL options
("permit" and "deny") that can be used to whitelist or blacklist address
ranges. A bug has been discovered where the address family of incoming
packets is only compared to the IP address family of the first entry in the
list of access control rules. If the source IP address for an incoming
packet is not of the same address as the first ACL entry, that packet
bypasses all ACL rules.
* AST-2014-018: Permission Escalation through DB dialplan function
The DB dialplan function when executed from an external protocol, such as AMI,
could result in a privilege escalation. Users with a lower class authorization
in AMI can access the internal Asterisk database without the required SYSTEM
class authorization.
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-018.pdf
Thank you for your continued support of Asterisk!
The Asterisk Development Team has announced the release of Asterisk 1.8.32.0.
The release of Asterisk 1.8.32.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.32.0
Thank you for your continued support of Asterisk!
The Asterisk Development Team has announced the release of Asterisk 1.8.31.0.
The release of Asterisk 1.8.31.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0
Thank you for your continued support of Asterisk!
The Asterisk Development Team has announced the release of Asterisk 1.8.30.0.
The release of Asterisk 1.8.30.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
Improvements made in this release:
-----------------------------------
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.30.0
Thank you for your continued support of Asterisk!
The Asterisk Development Team has announced the release of Asterisk 1.8.29.0.
The release of Asterisk 1.8.29.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 - DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23667 - features.conf.sample is unclear as to which
options can or cannot be set in the general section (Reported by
David Brillert)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
Improvements made in this release:
-----------------------------------
* ASTERISK-23564 - [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.29.0
Thank you for your continued support of Asterisk!
numerous general bugs. The vulnerabilities fixed are: AST-2014-001,
AST-2014-002, and AST-2014-007.
-----
The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
available security releases are released as versions 1.8.15-cert7,
11.6-cert4, 1.8.28.2, 11.10.2, and 12.3.2.
These releases resolve security vulnerabilities that were previously
fixed in 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.
Unfortunately, the fix for AST-2014-007 inadvertently introduced
a regression in Asterisk's TCP and TLS handling that prevented
Asterisk from sending data over these transports. This regression
and the security vulnerabilities have been fixed in the versions
specified in this release announcement.
The security patches for AST-2014-007 have been updated with the
fix for the regression, and are available at
http://downloads.asterisk.org/pub/security
Please note that the release of these versions resolves the following security
vulnerabilities:
* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections
For more information about the details of these vulnerabilities,
please read security advisories AST-2014-005, AST-2014-006,
AST-2014-007, and AST-2014-008, which were released with the previous
versions that addressed these vulnerabilities.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
available security releases are released as versions 1.8.15-cert6,
11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following issue:
* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections
Establishing a TCP or TLS connection to the configured HTTP or
HTTPS port respectively in http.conf and then not sending or
completing a HTTP request will tie up a HTTP session. By doing
this repeatedly until the maximum number of open HTTP sessions
is reached, legitimate requests are blocked.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities,
please read security advisories AST-2014-005, AST-2014-006,
AST-2014-007, and AST-2014-008, which were released at the same
time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced the release of Asterisk 1.8.28.0.
The release of Asterisk 1.8.28.0 resolves several issues reported
by the community and would have not been possible without your
participation. Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-23547 - [patch] app_queue removing callers from queue
when reloading (Reported by Italo Rossi)
* ASTERISK-22846 - testsuite: masquerade super test fails on all
branches (still) (Reported by Matt Jordan)
* ASTERISK-23546 - CB_ADD_LEN does not do what you'd think
(Reported by Walter Doekes)
* ASTERISK-23620 - Code path in app_stack fails to unlock list
(Reported by Bradley Watkins)
* ASTERISK-18331 - app_sms failure (Reported by David Woodhouse)
* ASTERISK-19465 - P-Asserted-Identity Privacy (Reported by
Krzysztof Chmielewski)
* ASTERISK-23707 - Realtime Contacts: Apparent mismatch between
PGSQL database state and Asterisk state (Reported by Mark
Michelson)
* ASTERISK-23665 - Wrong mime type for codec H263-1998 (h263+)
(Reported by Guillaume Maudoux)
* ASTERISK-22977 - chan_sip+CEL: missing ANSWER and PICKUP event
for INVITE/w/replaces pickup (Reported by Walter Doekes)
* ASTERISK-23709 - Regression in Dahdi/Analog/waitfordialtone
(Reported by Steve Davies)
* ASTERISK-23650 - Intermittent segfault in string functions
(Reported by Roel van Meer)
Improvements made in this release:
-----------------------------------
* ASTERISK-23754 - [patch] Use var/lib directory for log file
configured in asterisk.conf (Reported by Igor Goncharovsky)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.28.0
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced the release of Asterisk 1.8.27.0.
The release of Asterisk 1.8.27.0 resolves several issues reported
by the community and would have not been possible without your
participation. Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-22790 - check_modem_rate() may return incorrect rate
for V.27 (Reported by Paolo Compagnini)
* ASTERISK-23061 - [Patch] 'textsupport' setting not mentioned in
sip.conf.sample (Reported by Eugene)
* ASTERISK-23028 - [patch] Asterisk man pages contains unquoted
minus signs (Reported by Jeremy Lainé)
* ASTERISK-23046 - Custom CDR fields set during a GoSUB called
from app_queue are not inserted (Reported by Denis Pantsyrev)
* ASTERISK-23027 - [patch] Spelling typo "transfered" instead of
"transferred" (Reported by Jeremy Lainé)
* ASTERISK-23008 - Local channels loose CALLERID name when DAHDI
channel connects (Reported by Michael Cargile)
* ASTERISK-23100 - [patch] In chan_mgcp the ident in transmitted
request and request queue may differ - fix for locking (Reported
by adomjan)
* ASTERISK-22988 - [patch]T38 , SIP 488 after Rejecting image
media offer due to invalid or unsupported syntax (Reported by
adomjan)
* ASTERISK-22861 - [patch]Specifying a null time as parameter to
GotoIfTime or ExecIfTime causes segmentation fault (Reported by
Sebastian Murray-Roberts)
* ASTERISK-17837 - extconfig.conf - Maximum Include level (1)
exceeded (Reported by pz)
* ASTERISK-22662 - Documentation fix? - queues.conf says
persistentmembers defaults to yes, it appears to lie (Reported
by Rusty Newton)
* ASTERISK-23134 - [patch] res_rtp_asterisk port selection cannot
handle selinux port restrictions (Reported by Corey Farrell)
* ASTERISK-23220 - STACK_PEEK function with no arguments causes
crash/core dump (Reported by James Sharp)
* ASTERISK-19773 - Asterisk crash on issuing Asterisk-CLI 'reload'
command multiple times on cli_aliases (Reported by Joel Vandal)
* ASTERISK-22757 - segfault in res_clialiases.so on reload when
mapping "module reload" command (Reported by Gareth Blades)
* ASTERISK-17727 - [patch] TLS doesn't get all certificate chain
(Reported by LN)
* ASTERISK-23178 - devicestate.h: device state setting functions
are documented with the wrong return values (Reported by
Jonathan Rose)
* ASTERISK-23297 - Asterisk 12, pbx_config.so segfaults if
res_parking.so is not loaded, or if res_parking.conf has no
configuration (Reported by CJ Oster)
* ASTERISK-23069 - Custom CDR variable not recorded when set in
macro called from app_queue (Reported by Bryan Anderson)
* ASTERISK-19499 - ConfBridge MOH is not working for transferee
after attended transfer (Reported by Timo Teräs)
* ASTERISK-23261 - [patch]Output mixup in
${CHANNEL(rtpqos,audio,all)} (Reported by rsw686)
* ASTERISK-23260 - [patch]ForkCDR v option does not keep CDR
variables for subsequent records (Reported by zvision)
* ASTERISK-23141 - Asterisk crashes on Dial(), in
pbx_find_extension at pbx.c (Reported by Maxim)
* ASTERISK-23231 - Since 405693 If we have res_fax.conf file set
to minrate=2400, then res_fax refuse to load (Reported by David
Brillert)
* ASTERISK-23135 - Crash - segfault in ast_channel_hangupcause_set
- probably introduced in 11.7.0 (Reported by OK)
* ASTERISK-23323 - [patch]chan_sip: missing p->owner checks in
handle_response_invite (Reported by Walter Doekes)
* ASTERISK-23382 - [patch]Build System: make -qp can corrupt
menuselect-tree and related files (Reported by Corey Farrell)
* ASTERISK-23406 - [patch]Fix typo in "sip show peer" (Reported by
ibercom)
* ASTERISK-23310 - bridged channel crashes in bridge_p2p_rtp_write
(Reported by Jeremy Lainé)
* ASTERISK-23104 - Specifying the SetVar AMI without a Channel
cause Asterisk to crash (Reported by Joel Vandal)
* ASTERISK-23383 - Wrong sense test on stat return code causes
unchanged config check to break with include files. (Reported by
David Woolley)
* ASTERISK-17523 - Qualify for static realtime peers does not work
(Reported by Maciej Krajewski)
* ASTERISK-21406 - [patch] chan_sip deadlock on monlock between
unload_module and do_monitor (Reported by Corey Farrell)
* ASTERISK-23373 - [patch]Security: Open FD exhaustion with
chan_sip Session-Timers (Reported by Corey Farrell)
* ASTERISK-23340 - Security Vulnerability: stack allocation of
cookie headers in loop allows for unauthenticated remote denial
of service attack (Reported by Matt Jordan)
* ASTERISK-23488 - Logic error in callerid checksum processing
(Reported by Russ Meyerriecks)
* ASTERISK-20841 - fromdomain not honored on outbound INVITE
request (Reported by Kelly Goedert)
* ASTERISK-22079 - Segfault: INTERNAL_OBJ (user_data=0x6374652f)
at astobj2.c:120 (Reported by Jamuel Starkey)
* ASTERISK-23509 - [patch]SayNumber for Polish language tries to
play empty files for numbers divisible by 100 (Reported by
zvision)
* ASTERISK-23391 - Audit dialplan function usage of channel
variable (Reported by Corey Farrell)
* ASTERISK-23548 - POST to ARI sometimes returns no body on
success (Reported by Scott Griepentrog)
Improvements made in this release:
-----------------------------------
* ASTERISK-22980 - [patch]Allow building cdr_radius and cel_radius
against libfreeradius-client (Reported by Jeremy Lainé)
* ASTERISK-22661 - Unable to exit ChanSpy if spied channel does
not have a call in progress (Reported by Chris Hillman)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.27.0
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
available security releases are released as versions 1.8.15-cert5,
11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.
The release of these versions resolve the following issues:
* AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
Sending a HTTP request that is handled by Asterisk with a large number of
Cookie headers could overflow the stack.
Another vulnerability along similar lines is any HTTP request with a
ridiculous number of headers in the request could exhaust system memory.
* AST-2014-002: chan_sip: Exit early on bad session timers request
This change allows chan_sip to avoid creation of the channel and
consumption of associated file descriptors altogether if the inbound
request is going to be rejected anyway.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities,
please read security advisories AST-2014-001, AST-2014-002,
AST-2014-003, and AST-2014-004, which were released at the same
time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced the release of Asterisk 1.8.26.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 1.8.26.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-22544 - Italian prompt vm-options has advertisement in
it (Reported by Rusty Newton)
* ASTERISK-12117 - chan_sip creates a new local tag (from-tag) for
every register message (Reported by Pawel Pierscionek)
* ASTERISK-20862 - Asterisk min and max member penalties not
honored when set with 0 (Reported by Schmooze Com)
* ASTERISK-22746 - [patch]Crash in chan_dahdi during caller id
read (Reported by Michael Walton)
* ASTERISK-22788 - [patch] main/translate.c: access to variable f
after free in ast_translate() (Reported by Corey Farrell)
* ASTERISK-21242 - Segfault when T.38 re-invite retransmission
receives 200 OK (Reported by Ashley Winters)
* ASTERISK-22590 - BufferOverflow in unpacksms16() when receiving
16 bit multipart SMS with app_sms (Reported by Jan Juergens)
* ASTERISK-22905 - Prevent Asterisk functions that are 'dangerous'
from being executed from external interfaces (Reported by Matt
Jordan)
* ASTERISK-23021 - Typos in code : "avaliable" instead of
"available" (Reported by Jeremy Lainé)
* ASTERISK-22970 - [patch]Documentation fix for QUOTE() (Reported
by Gareth Palmer)
* ASTERISK-22856 - [patch]SayUnixTime in polish reads minutes
instead of seconds (Reported by Robert Mordec)
* ASTERISK-22854 - [patch] - Deadlock between cel_pgsql unload and
core_event_dispatcher taskprocessor thread (Reported by Etienne
Lessard)
* ASTERISK-22910 - [patch] - REPLACE() calls strcpy on overlapping
memory when <replace-char> is empty (Reported by Gareth Palmer)
* ASTERISK-22871 - cel_pgsql module not loading after "reload" or
"reload cel_pgsql.so" command (Reported by Matteo)
* ASTERISK-23084 - [patch]rasterisk needlessly prints the
AST-2013-007 warning (Reported by Tzafrir Cohen)
* ASTERISK-17138 - [patch] Asterisk not re-registering after it
receives "Forbidden - wrong password on authentication"
(Reported by Rudi)
* ASTERISK-23011 - [patch]configure.ac and pbx_lua don't support
lua 5.2 (Reported by George Joseph)
* ASTERISK-22834 - Parking by blind transfer when lot full orphans
channels (Reported by rsw686)
* ASTERISK-23047 - Orphaned (stuck) channel occurs during a failed
SIP transfer to parking space (Reported by Tommy Thompson)
* ASTERISK-22946 - Local From tag regression with sipgate.de
(Reported by Stephan Eisvogel)
* ASTERISK-23010 - No BYE message sent when sip INVITE is received
(Reported by Ryan Tilton)
Improvements made in this release:
-----------------------------------
* ASTERISK-22659 - Make a new core and extra sounds release
(Reported by Rusty Newton)
* ASTERISK-22918 - dahdi show channels slices PRI channel dnid on
output (Reported by outtolunc)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.26.0
Thank you for your continued support of Asterisk!
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
