7e3dedbc81
AST-2010-003. AST-2010-002 was just a warning about dialplan scripting errors that could lead to security issues. Asterisk 1.6.1.13: general bug fixes Asterisk 1.6.1.14: fix AST-2010-001 Asterisk 1.6.1.15: not released, skipped for security releases Asterisk 1.6.1.16: fix AST-2010-002 Asterisk 1.6.1.17: fix AST-2010-003 Note that the only change in Asterisk 1.6.1.16 was the addtion of a README file. However, the package doesn't install random docs. That is planned for a future update seperate from the upstream updates. ----- Asterisk 1.6.1.13: The release of Asterisk 1.6.1.13 resolved several issues reported by the community, and would have not been possible without your participation. Thank you! * Restarts busydetector (if enabled) when DTMF is received after call is bridged (Closes issue #16389. Reported, Tested, Patched by alecdavis.) * Send parking lot announcement to the channel which parked the call, not the park-ee. (Closes issue #16234. Reported, Tested by yeshuawatso. Patched by tilghman.) * When the field is blank, don't warn about the field being unable to be coerced just skip the column. (Closes http://lists.digium.com/pipermail/asterisk-dev/2009-December/041362.html) Reported by Nic Colledge on the -dev list.) * Don't queue frames to channels that have no means to process them. (Closes issue #15609. Reported, Tested by aragon. Patched by tilghman.) * Fixes holdtime playback issue in app_queue. (Closes issue #16168. Reported, Patched by nickilo. Tested by wonderg, nickilo.) A summary of changes in this release can be found in the release summary: http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.1.13-summary.t xt For a full list of changes in this releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.13 ----- Asterisk 1.6.1.14: The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix described in security advisory AST-2010-001. The issue is that an attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash will occur when the FaxMaxDatagram field is omitted from the SDP, as well. For more information about the details of this vulnerability, please read the security advisory AST-2009-009, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14 Security advisory AST-2010-001 is available at: http://downloads.asterisk.org/pub/security/AST-2010-001.pdf ----- Asterisk 1.6.1.16: The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 include documention describing a possible dialplan string injection with common usage of the ${EXTEN} (and other expansion variables). The issue and resolution are described in the AST-2010-002 security advisory. If you have a channel technology which can accept characters other than numbers and letters (such as SIP) it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212 which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer. Please note that this is not limited to an specific protocol or the Dial() application. The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug - that is the entire point of string expansion. However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan. With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked. This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers. For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16 Security advisory AST-2010-002 is available at: http://downloads.asterisk.org/pub/security/AST-2010-002.pdf The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up. http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt ----- Asterisk 1.6.1.17: The releases of Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 resolve an issue with invalid parsing of ACL (Access Control List) rules leading to a possible compromise in security. The issue and resolution are described in the AST-2010-003 security advisory. For more information about the details of this vulnerability, please read the security advisory AST-2010-003, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.17 Security advisory AST-2010-003 is available at: http://downloads.asterisk.org/pub/security/AST-2010-003.pdf ----- |
||
---|---|---|
.. | ||
files | ||
patches | ||
DESCR | ||
distinfo | ||
Makefile | ||
MESSAGE | ||
options.mk | ||
PLIST |