AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, AST-2011-006,
and AST-2011-007.
pkgsrc changes:
- add patch for autosupport script; == -> =
- patch configure to not unconditionally set PBX_LAUNCHD=1
- this allows res_timing_kqueue.so to build
This last change brings a timing source to NetBSD which allows IAX
trunking and allows the bridging modules to work, a rather major
piece that was missing. Note that I haven't extensively tested
it. But, have at it...
===========================================================================
1.8.4.2:
The Asterisk Development Team has announced the release of Asterisk
version 1.8.4.2, which is a security release for Asterisk 1.8.
The release of Asterisk 1.8.4.2 resolves an issue with SIP URI parsing
which can lead to a remotely exploitable crash:
Remote Crash Vulnerability in SIP channel driver (AST-2011-007)
The issue and resolution is described in the AST-2011-007 security
advisory.
For more information about the details of this vulnerability, please
read the security advisory AST-2011-007, which was released at the same
time as this announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.2
Security advisory AST-2011-007 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-007.pdf
===========================================================================
1.8.4.1:
The Asterisk Development Team has announced the release of Asterisk 1.8.4.1.
The release of Asterisk 1.8.4.1 resolves several issues reported by the
community. Without your help this release would not have been possible.
Thank you!
Below is a list of issues resolved in this release:
* Fix our compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)
* Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
This issue was found and reported by the Asterisk test suite.
* Resolve potential crash when using SIP TLS support.
* Improve reliability when using SIP TLS.
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4.1
===========================================================================
1.8.4:
The Asterisk Development Team has announced the release of Asterisk 1.8.4.
The release of Asterisk 1.8.4 resolves several issues reported by the community.
Without your help this release would not have been possible. Thank you!
Below is a sample of the issues resolved in this release:
* Use SSLv23_client_method instead of old SSLv2 only.
* Resolve crash in ast_mutex_init()
* Resolution of several DTMF based attended transfer issues.
NOTE: Be sure to read the ChangeLog for more information about these changes.
* Resolve deadlocks related to device states in chan_sip
* Resolve an issue with the Asterisk manager interface leaking memory when
disabled.
* Support greetingsfolder as documented in voicemail.conf.sample.
* Fix channel redirect out of MeetMe() and other issues with channel softhangup
* Fix voicemail sequencing for file based storage.
* Set hangup cause in local_hangup so the proper return code of 486 instead of
503 when using Local channels when the far sides returns a busy. Also affects
CCSS in Asterisk 1.8+.
* Fix issues with verbose messages not being output to the console.
* Fix Deadlock with attended transfer of SIP call
Includes changes per AST-2011-005 and AST-2011-006
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4
Information about the security releases are available at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-006.pdf
===========================================================================
1.8.3.3:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.
The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:
* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)
The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.3
Security advisory AST-2011-005 and AST-2011-006 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-006.pdf
===========================================================================
1.8.3.2:
he Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.
** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
contained a bug which caused duplicate manager entries (issue #18987).
The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.2
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.8.3.1:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.
The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.1
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.8.3:
The Asterisk Development Team has announced the release of Asterisk 1.8.3.
The release of Asterisk 1.8.3 resolves several issues reported by the community
and would have not been possible without your participation. Thank you!
The following is a sample of the issues resolved in this release:
* Resolve duplicated data in the AstDB when using DIALGROUP()
* Ensure the ipaddr field in realtime is large enough to handle IPv6 addresses.
* Reworking parsing of mwi => lines to resolve a segfault. Also add a set of
unit tests for the function that does the parsing.
* When using cdr_pgsql the billsec field was not populated correctly on
unanswered calls.
* Resolve memory leak in iCalendar and Exchange calendaring modules.
* This version of Asterisk includes the new Compiler Flags option
BETTER_BACKTRACES which uses libbfd to search for better symbol information
within both the Asterisk binary, as well as loaded modules, to assist when
using inline backtraces to track down problems.
* Resolve issue where no Music On Hold may be triggered when using
res_timing_dahdi.
* Resolve a memory leak when the Asterisk Manager Interface is disabled.
* Reimplemented fax session reservation to reverse the ABI breakage introduced
in r297486.
* Fix regression that changed behavior of queues when ringing a queue member.
* Resolve deadlock involving REFER.
Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3
===========================================================================
1.8.2.4:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.4
Security advisory AST-2011-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, and AST-2011-006.
===========================================================================
1.6.2.18:
The Asterisk Development Team has announced the release of Asterisk 1.6.2.18.
The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Only offer codecs both sides support for directmedia.
* Resolution of several DTMF based attended transfer issues.
NOTE: Be sure to read the ChangeLog for more information about these changes.
* Resolve deadlocks related to device states in chan_sip
* Fix channel redirect out of MeetMe() and other issues with channel softhangup
* Fix voicemail sequencing for file based storage.
* Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-006.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18
===========================================================================
1.6.2.17.3
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.
The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:
* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)
The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.3
Security advisory AST-2011-005 and AST-2011-006 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-006.pdf
===========================================================================
1.6.2.17.2:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.
** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
contained a bug which caused duplicate manager entries (issue #18987).
The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.2
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.6.2.17.1:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.1
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.6.2.16.2:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2
Security advisory AST-2011-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, and AST-2011-006.
===========================================================================
1.6.2.18:
The Asterisk Development Team has announced the release of Asterisk 1.6.2.18.
The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Only offer codecs both sides support for directmedia.
* Resolution of several DTMF based attended transfer issues.
NOTE: Be sure to read the ChangeLog for more information about these changes.
* Resolve deadlocks related to device states in chan_sip
* Fix channel redirect out of MeetMe() and other issues with channel softhangup
* Fix voicemail sequencing for file based storage.
* Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-006.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18
===========================================================================
1.6.2.17.3
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.
The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:
* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)
The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.3
Security advisory AST-2011-005 and AST-2011-006 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-006.pdf
===========================================================================
1.6.2.17.2:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.
** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
contained a bug which caused duplicate manager entries (issue #18987).
The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.2
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.6.2.17.1:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.1
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdfhttp://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.6.2.17:
The Asterisk Development Team has announced the release of Asterisk 1.6.2.17.
The release of Asterisk 1.6.2.17 resolves several issues reported by the
community and would have not been possible without your participation.
The following is a sample of the issues resolved in this release:
* Resolve duplicated data in the AstDB when using DIALGROUP()
* Correct issue where res_config_odbc could populate fields with invalid data.
* When using cdr_pgsql the billsec field was not populated correctly on
unanswered calls.
* Resolve issue where re-transmissions of SUBSCRIBE could break presence.
* Fix regression causing forwarding voicemails to not work with file storage.
* This version of Asterisk includes the new Compiler Flags option
BETTER_BACKTRACES which uses libbfd to search for better symbol information
within both the Asterisk binary, as well as loaded modules, to assist when
using inline backtraces to track down problems.
* Resolve several issues with DTMF based attended transfers.
NOTE: Be sure to read the ChangeLog for more information about these changes.
* Resolve issue where no Music On Hold may be triggered when using
res_timing_dahdi.
* Fix regression that changed behavior of queues when ringing a queue member.
Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17
===========================================================================
1.6.2.16.2:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2
Security advisory AST-2011-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
=============================================================================
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
SMS::Send is intended to provide a driver-based single API for sending SMS and
MMS messages. The intent is to provide a single API against which to write the
code to send an SMS message.
At the same time, the intent is to remove the limits of some of the previous
attempts at this sort of API, like "must be free internet-based SMS services".
SMS::Send drivers are installed seperately, and might use the web, email or
physical SMS hardware. It could be a free or paid. The details shouldn't matter.
You should not have to care how it is actually sent, only that it has been sent
(although some drivers may not be able to provide certainty).
sample per second world of E1s, T1s, and higher order PCM channels.
It contains low level functions, such as basic filters. It also
contains higher level functions, such as cadenced supervisory tone
detection, and a complete software FAX machine. The software has
been designed to avoid intellectual property issues, using mature
techniques where all relevant patents have expired. See the file
DueDiligence for important information about these intellectual
property issues.
to enable res_fax_spandsp.so. Don't bother with a PKGREVISION bump since
this doesn't change default builds and there is no need tobother people
that don't need the option.
pkgsrc: fix issue with patch for detecting sys/atomic.h
The Asterisk Development Team has announced the release of Asterisk 1.8.2.3.
The release of Asterisk 1.8.2.3 resolves the following issue:
* Reimplemented fax session reservation to reverse the ABI breakage introduced
in r297486.
(Reported by Jeremy Kister on the asterisk-users mailing list. Patched by
mnicholson)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2.3
This is to fix AST-2011-001: Stack buffer overflow in SIP channel driver
Asterisk Project Security Advisory - AST-2011-001
Product Asterisk
Summary Stack buffer overflow in SIP channel driver
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 11, 2011
Reported By Matthew Nicholson
Posted On January 18, 2011
Last Updated On January 18, 2011
Advisory Contact Matthew Nicholson <mnicholson at digium.com>
CVE Name
Description When forming an outgoing SIP request while in pedantic mode, a
stack buffer can be made to overflow if supplied with
carefully crafted caller ID information. This vulnerability
also affects the URIENCODE dialplan function and in some
versions of asterisk, the AGI dialplan application as well.
The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when
encoding URIs.
For full details, see:
http://downloads.digium.com/pub/security/AST-2011-001.html
This is to fix AST-2011-001: Stack buffer overflow in SIP channel driver
Asterisk Project Security Advisory - AST-2011-001
Product Asterisk
Summary Stack buffer overflow in SIP channel driver
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 11, 2011
Reported By Matthew Nicholson
Posted On January 18, 2011
Last Updated On January 18, 2011
Advisory Contact Matthew Nicholson <mnicholson at digium.com>
CVE Name
Description When forming an outgoing SIP request while in pedantic mode, a
stack buffer can be made to overflow if supplied with
carefully crafted caller ID information. This vulnerability
also affects the URIENCODE dialplan function and in some
versions of asterisk, the AGI dialplan application as well.
The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when
encoding URIs.
For full details, see:
http://downloads.digium.com/pub/security/AST-2011-001.html
The release of Asterisk 1.8.2 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* 'sip notify clear-mwi' needs terminating CRLF.
(Closes issue #18275. Reported, patched by klaus3000)
* Patch for deadlock from ordering issue between channel/queue locks in
app_queue (set_queue_variables).
(Closes issue #18031. Reported by rain. Patched by bbryant)
* Fix cache of device state changes for multiple servers.
(Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
by russellb)
* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Fix reloading of peer when a user is requested. Prevent peer reloading from
causing multiple MWI subscriptions to be created when using realtime.
(Closes issue #18342. Reported, patched by nivek.)
* Fix XMPP PubSub-based distributed device state. Initialize pubsubflags to 0
so res_jabber doesn't think there is already an XMPP connection sending
device state. Also clean up CLI commands a bit.
(Closes issue #18272. Reported by klaus3000. Patched by Marquis42)
* Don't crash after Set(CDR(userfield)=...) in ast_bridge_call. Instead of
setting peer->cdr = NULL, set it to not post.
(Closes issue #18415. Reported by macbrody. Patched, tested by jsolares)
* Fixes issue with outbound google voice calls not working. Thanks to az1234
and nevermind_quack for their input in helping debug the issue.
(Closes issue #18412. Reported by nevermind_quack. Patched by dvossel)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2
The release of Asterisk 1.6.2.16 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Fix cache of device state changes for multiple servers.
(Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
by russellb)
* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
instead of redirecting the call.
(Closes issue #18171. Reported by: SantaFox)
(Closes issue #18185. Reported by: kwemheuer)
(Closes issue #18211. Reported by: zahir_koradia)
(Closes issue #18230. Reported by: vmarrone)
(Closes issue #18299. Reported by: mbrevda)
(Closes issue #18322. Reported by: nerbos)
* Linux and *BSD disagree on the elements within the ucred structure. Detect
which one is in use on the system.
(Closes issue #18384. Reported, patched, tested by bjm, tilghman)
* app_followme: Don't create a Local channel if the target extension does not
exist.
(Closes issue #18126. Reported, patched by junky)
* Revert code that changed SSRC for DTMF.
(Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou. rsw686.
Tested by cmbaker82)
* Resolve issue where REGISTER request with a Call-ID matching an existing
transaction is received it was possible that the REGISTER request would
overwrite the initreq of the private structure.
(Closes issue #18051. Reported by eeman. Patched, tested by twilson)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16
alternative from mk/jpeg.buildlink3.mk
This allows selection of an alternative jpeg library (namely the x86 MMX,
SSE, SSE2 accelerated libjpeg-turbo) via JPEG_DEFAULT=libjpeg-turbo, and
follows the current standard model for alternatives (fam, motif, fuse etc).
The mechanical edits were applied via the following script:
#!/bin/sh
for d in */*; do
[ -d "$d" ] || continue
for i in "$d/"Makefile* "$d/"*.mk; do
case "$i" in *.orig|*"*"*) continue;; esac
out="$d/x"
sed -e 's;graphics/jpeg/buildlink3\.mk;mk/jpeg.buildlink3.mk;g' \
-e 's;BUILDLINK_PREFIX\.jpeg;JPEGBASE;g' \
< "$i" > "$out"
if cmp -s "$i" "$out"; then
rm -f "$out"
else
echo "Edited $i"
mv -f "$i" "$i.orig" && mv "$out" "$i"
fi
done
done
Don't bother bumping the version since it didn't build on DFBSD
before there is no binary package that could have changed, and this
doesn't change the binary packages on other systems.
The release of Asterisk 1.8.1.1 resolves two issues reported by the community
since the release of Asterisk 1.8.1.
* Don't crash after Set(CDR(userfield)=...) in ast_bridge_call. Instead of
setting peer->cdr = NULL, set it to not post.
(Closes issue #18415. Reported by macbrody. Patched, tested by jsolares)
* Fixes issue with outbound google voice calls not working. Thanks to az1234
and nevermind_quack for their input in helping debug the issue.
(Closes issue #18412. Reported by nevermind_quack. Patched by dvossel)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.1.1
Asterisk is a complete PBX in software. It provides all of the
features you would expect from a PBX and more. Asterisk does voice
over IP in three protocols, and can interoperate with almost all
standards-based telephony equipment using relatively inexpensive
hardware.
Asterisk 1.8 is a long term support version (i.e. it will be
supported for four years with an additional year of security only
fixes). See:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
What's new:
Asterisk 1.8 is the next major release series of Asterisk.
The release of Asterisk 1.8.0 would not have been possible without the support
and contributions of the community. Since Asterisk 1.6.2, we've had over 500
reporters, more than 300 testers and greater than 200 developers contributed to
this release.
You can find a summary of the work involved with the 1.8.0 release in the
sumary:
http://svn.asterisk.org/svn/asterisk/tags/1.8.0/asterisk-1.8.0-summary.txt
A short list of available features includes:
* Secure RTP
* IPv6 Support in the SIP channel driver
* Connected Party Identification Support
* Calendaring Integration
* A new call logging system, Channel Event Logging (CEL)
* Distributed Device State using Jabber/XMPP PubSub
* Call Completion Supplementary Services support
* Advice of Charge support
* Much, much more!
A full list of new features can be found in the CHANGES file.
http://svn.digium.com/view/asterisk/branches/1.8/CHANGES?view=markup
For a full list of changes in the current release candidate, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.0
-----
The Asterisk Development Team has announced the release of Asterisk 1.8.1.
The release of Asterisk 1.8.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Fix issue when using directmedia. Asterisk needs to limit the codecs offered
to just the ones that both sides recognize, otherwise they may end up sending
audio that the other side doesn't understand.
(Closes issue #17403. Reported, patched by one47. Tested by one47, falves11)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix playback failure when using IAX with the timerfd module.
(Closes issue #18110. Reported, tested by tpanton. Patched by jpeeler)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Fix issue where it is possible to crash Asterisk by feeding the curl engine
invalid data.
(Closes issue #18161. Reported by wdoekes. Patched by tilghman)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.1
- disable automatic Lua detection for now until lang/lua/builtin.mk exists
The release of Asterisk 1.6.2.15 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* When using chan_skinny, don't crash when parking a non-bridged call.
(Closes issue #17680. Reported, tested by jmhunter. Patched, tested by DEA)
* Add ability for Asterisk to try both the encoded and unencoded subscription
URI for a match in hints.
(Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
* Set the caller id on CDRs when it is set on the parent channel.
(Closes issue #17569. Reported, patched by tbelder)
* Ensure user portion of SIP URI matches dialplan when using encoded characters
(Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Multiple fixes related to Local channels.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.15
