AST-2013-001, AST-2013-002, and AST-2013-003.
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
and 11.2.2.
The release of these versions resolve the following issues:
* A possible buffer overflow during H.264 format negotiation. The format
attribute resource for H.264 video performs an unsafe read against a media
attribute when parsing the SDP.
This vulnerability only affected Asterisk 11.
* A denial of service exists in Asterisk's HTTP server. AST-2012-014, fixed
in January of this year, contained a fix for Asterisk's HTTP server for a
remotely-triggered crash. While the fix prevented the crash from being
triggered, a denial of service vector still exists with that solution if an
attacker sends one or more HTTP POST requests with very large Content-Length
values.
This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11
* A potential username disclosure exists in the SIP channel driver. When
authenticating a SIP request with alwaysauthreject enabled, allowguest
disabled, and autocreatepeer disabled, Asterisk discloses whether a user
exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.
This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.2.2
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2013-003.pdf
Thank you for your continued support of Asterisk!
----- 11.2.1:
The Asterisk Development Team has announced the release of Asterisk 11.2.1.
The release of Asterisk 11.2.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- Fix astcanary startup problem due to wrong pid value from before
daemon call
* --- Update init.d scripts to handle stderr; readd splash screen for
remote consoles
* --- Reset RTP timestamp; sequence number on SSRC change
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.1
Thank you for your continued support of Asterisk!
----- 11.2.0:
The Asterisk Development Team has announced the release of Asterisk 11.2.0.
The release of Asterisk 11.2.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- app_meetme: Fix channels lingering when hung up under certain
conditions
* --- Fix stuck DTMF when bridge is broken.
* --- Add missing support for "who hung up" to chan_motif.
* --- Remove a fixed size limitation for producing SDP and change how
ICE support is disabled by default.
* --- Fix chan_sip websocket payload handling
* --- Fix pjproject compilation in certain circumstances
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.0
Thank you for your continued support of Asterisk!
and AST-2012-015. Apparently the last update didn't completely
fix the issues.
The Asterisk Development Team has announced a security release for
Asterisk 11, Asterisk 11.1.2. This release addresses the security
vulnerabilities reported in AST-2012-014 and AST-2012-015, and
replaces the previous version of Asterisk 11 released for these
security vulnerabilities. The prior release left open a vulnerability
in res_xmpp that exists only in Asterisk 11; as such, other versions
of Asterisk were resolved correctly by the previous releases.
The release of these versions resolve the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions. The vulnerabilities in SIP and HTTP were corrected in a prior
release of Asterisk; the vulnerability in XMPP is resolved in this release.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of. Handling the cachability of device states
aggregated via XMPP is handled in this release.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk - and we apologize for having
to do this twice!
and AST-2012-015.
Approved for commit during freeze by: agc
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
and 11.1.1.
The release of these versions resolve the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk!
As this is a major release, you should read the information about updating:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+11
You can also find documentation in: /usr/pkg/share/doc/asterisk
----- 11.1.0:
The Asterisk Development Team has announced the release of Asterisk 11.1.0.
The release of Asterisk 11.1.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Fix execution of 'i' extension due to uninitialized variable.
* --- Prevent resetting of NATted realtime peer address on reload.
* --- Fix ConfBridge crash if no timing module loaded.
* --- Fix the Park 'r' option when a channel parks itself.
* --- Fix an issue where outgoing calls would fail to establish audio
due to ICE negotiation failures.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.1.0
----- 11.0.1:
The Asterisk Development Team has announced the release of Asterisk 11.0.1.
The release of Asterisk 11.0.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- chan_sip: Fix a bug causing SIP reloads to remove all entries
from the registry
* --- confbridge: Fix a bug which made conferences not record with
AMI/CLI commands
* --- Fix an issue with res_http_websocket where the chan_sip
WebSocket handler could not be registered.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.0.1
Thank you for your continued support of Asterisk!
----- 11.0.0:
The Asterisk Development Team is pleased to announce the release of
Asterisk 11.0.0.
Asterisk 11 is the next major release series of Asterisk. It is a Long Term
Support (LTS) release, similar to Asterisk 1.8. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
For important information regarding upgrading to Asterisk 11, please see the
Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+11
A short list of new features includes:
* A new channel driver named chan_motif has been added which provides support
for Google Talk and Jingle in a single channel driver. This new channel
driver includes support for both audio and video, RFC2833 DTMF, all codecs
supported by Asterisk, hold, unhold, and ringing notification. It is also
compliant with the current Jingle specification, current Google Jingle
specification, and the original Google Talk protocol.
* Support for the WebSocket transport for chan_sip.
* SIP peers can now be configured to support negotiation of ICE candidates.
* The app_page application now no longer depends on DAHDI or app_meetme. It
has been re-architected to use app_confbridge internally.
* Hangup handlers can be attached to channels using the CHANNEL() function.
Hangup handlers will run when the channel is hung up similar to the h
extension; however, unlike an h extension, a hangup handler is associated with
the actual channel and will execute anytime that channel is hung up,
regardless of where it is in the dialplan.
* Added pre-dial handlers for the Dial and Follow-Me applications. Pre-dial
allows you to execute a dialplan subroutine on a channel before a call is
placed but after the application performing a dial action is invoked. This
means that the handlers are executed after the creation of the callee
channels, but before any actions have been taken to actually dial the callee
channels.
* Log messages can now be easily associated with a certain call by looking at
a new unique identifier, "Call Id". Call ids are attached to log messages for
just about any case where it can be determined that the message is related
to a particular call.
* Introduced Named ACLs as a new way to define Access Control Lists (ACLs) in
Asterisk. Unlike traditional ACLs defined in specific module configuration
files, Named ACLs can be shared across multiple modules.
* The Hangup Cause family of functions and dialplan applications allow for
inspection of the hangup cause codes for each channel involved in a call.
This allows a dialplan writer to determine, for each channel, who hung up and
for what reason(s).
* Two new functions have been added: FEATURE() and FEATUREMAP(). FEATURE()
lets you set some of the configuration options from the general section
of features.conf on a per-channel basis. FEATUREMAP() lets you customize
the key sequence used to activate built-in features, such as blindxfer,
and automon.
* Support for DTLS-SRTP in chan_sip.
* Support for named pickupgroups/callgroups, allowing any number of pickupgroups
and callgroups to be defined for several channel drivers.
* IPv6 Support for AMI, AGI, ExternalIVR, and the SIP Security Event Framework.
More information about the new features can be found on the Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+11+Documentation
A full list of all new features can also be found in the CHANGES file.
http://svnview.digium.com/svn/asterisk/branches/11/CHANGES
For a full list of changes in the current release, please see the ChangeLog.
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.0.0
Thank you for your continued support of Asterisk!
hex digits, so patching the makefile to compare it as decimal will
not work. Just patch out the test entirely, as pkgsrc guarantees
curl will always be present and the packaging is not equipped to
deal with this check failing anyhow.
1.2.36 fixed AST-2009-008, and 1.2.37 fixed AST-2009-010. The
problem in AST-2009-008 is:
-----
It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of "403 Authentication user name does not
match account name". If the peer does not exist the response will
be "404 Not Found" if alwaysauthreject is disabled and "401
Unauthorized" if alwaysauthreject is enabled.
-----
And, the problem in AST-2009-010 is:
-----
An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.
-----
* channels/chan_sip.c: Copy the From header into a variable so that
pedantic SIP handling does not try to mess with a NULL pointer.
(AST-2008-008)
* channels/chan_iax2.c: When we receive a full frame that is
supposed to contain our call number, ensure that it has the
correct one. (closes issue #10078) (AST-2008-006)
Update for several critical security issues:
* astobj.h: Fix character string being treated as format string
* chan_sip.c: Do not return with a successful
authentication if the From header ends up empty. (AST-2008-003)
* chan_iax2.c: Fix another potential seg fault (closes issue #11606)
* chan_iax2.c: Fix a couple of places where it's possible
to dereference a NULL pointer.
* chan_sip.c, channels/chan_iax2.c: Fixing AST-2007-027
* cdr_pgsql.c: Properly escape src and dst fields (Fixes AST-2007-026)
