a0ca5c0404
-----

The Asterisk Development Team would like to announce security releases for Asterisk 13, 15 and 16. The available releases are released as versions 13.28.1, 15.7.4 and 16.5.1.

These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2019-004: Crash when negotiating for T.38 with a declined stream
  When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk.

* AST-2019-005: Remote Crash Vulnerability in audio transcoding
  When audio frames are given to the audio transcoding support in Asterisk the number of samples are examined and as part of this a message is output to indicate that no samples are present. A change was done to suppress this message for a particular scenario in which the message was not relevant. This change assumed that information about the origin of a frame will always exist when in reality it may not.

For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.7.4

The security advisories are available at:
https://downloads.asterisk.org/pub/security/AST-2019-004.pdf
https://downloads.asterisk.org/pub/security/AST-2019-005.pdf

-----

The Asterisk Development Team would like to announce security releases for Asterisk 13, 15 and 16, and Certified Asterisk 13.21. The available releases are released as versions 13.27.1, 15.7.3, 16.4.1 and 13.21-cert4.

These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2019-002: Remote crash vulnerability with MESSAGE messages
  A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash.

* AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver
  When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer.

For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.7.3

The security advisories are available at:
https://downloads.asterisk.org/pub/security/AST-2019-002.pdf
https://downloads.asterisk.org/pub/security/AST-2019-003.pdf

-----

The Asterisk Development Team would like to announce security releases for Asterisk 15 and 16. The available releases are released as versions 15.7.2 and 16.2.1.

These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2019-001: Remote crash vulnerability with SDP protocol violation
  When Asterisk makes an outgoing call, a very specific SDP protocol violation by the remote party can cause Asterisk to crash.

For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.7.2

The security advisory is available at:
https://downloads.asterisk.org/pub/security/AST-2019-001.pdf

-----

The Asterisk Development Team would like to announce the release of Asterisk 15.7.1.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 15.7.1 resolves an issue reported by the community and would have not been possible without your participation. Thank you!

The following issue is resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-28222 - Regression: MWI polling no longer works (Reported by abelbeck)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-15.7.1

-----

The Asterisk Development Team would like to announce the release of Asterisk 15.7.0.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 15.7.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following issues are resolved in this release:

Security bugs fixed in this release:
-----------------------------------
* ASTERISK-28127 - Buffer overflow for DNS SRV/NAPTR records (Reported by Jan Hoffmann)
* ASTERISK-28013 - res_http_websocket: Crash when reading HTTP Upgrade requests (Reported by Sean Bright)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-28076 - bridging: Asterisk crashes when receiving an empty realtime text frame (Reported by Emmanuel BUU)
* ASTERISK-28084 - app_queue: QueueMemberStatus Event flooding AMI (Reported by Andrej)
* ASTERISK-28077 - res_pjsip: improve realtime performance on CLI 'pjsip show contacts' (Reported by Alexei Gradinari)
* ASTERISK-27920 - app_queue: Queue member considered inuse after immediately hanging up during dialing. (Reported by Cao Minh Hiep)
* ASTERISK-26094 - stasis: Playing MOH to bridge with ARI does not work (Reported by Cameron)
* ASTERISK-28065 - res_odbc: missing SQL error diagnostic (Reported by Alexei Gradinari)
* ASTERISK-28057 - chan_sip: SipNotify via AMI behaves differently to CLI (Reported by Peter Katzmann)
* ASTERISK-28045 - configure script does not enforce libunbound2 version (Reported by Samuel Galarneau)
* ASTERISK-28070 - testsuite: Sniffer assumes pjmedia will use ports below 10000 (Reported by Joshua C. Colp)
* ASTERISK-27854 - rtp: Crash in off-nominal case where RTP instance can't be set up (Reported by Lei Fu)
* ASTERISK-28059 - PJSIP: Update bundled PJPROJECT to version 2.8 (Reported by Joshua C. Colp)
* ASTERISK-27121 - res_pjsip_mwi: Memory leak on reload (Reported by Sergej Kasumovic)
* ASTERISK-28047 - chan_pjsip: Declined video stream is added when no video codecs configured and session refresh with removed video stream occurs (Reported by Will)
* ASTERISK-28049 - res_pjproject build failure (Reported by Jaco Kroon)
* ASTERISK-28034 - chan_sip unstable with TLS after asterisk start or reloads (Reported by David Hajek)
* ASTERISK-28029 - [patch] res_musiconhold : music on hold will not start if previous hold just reached end of file (Reported by Frederic LE FOLL)
* ASTERISK-28005 - channel.c: ARI ring only once (Reported by Hajek Michal)
* ASTERISK-28032 - Realtime queuemembers are not updated during retry phase (Reported by lvl)
* ASTERISK-27988 - alembic: PJSIP "mwi_subscribe_replaces_unsolicited" field is integer not boolean (Reported by Joshua C. Colp)
* ASTERISK-28020 - res_pjsip_transport_websocket: Properly set 'received' for IPv6 (Reported by Sean Bright)
* ASTERISK-28022 - res_pjsip realtime: uri column in ps_contacts table can be too short (Reported by Florian Floimair)

Improvements made in this release:
-----------------------------------
* ASTERISK-28046 - Remove stale nonoptreq references (Reported by Walter Doekes)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-15.7.0

-----

The Asterisk Development Team would like to announce security releases for Asterisk 15 and 16. The available releases are released as versions 15.6.2 and 16.0.1.

These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases

The following security vulnerabilities were resolved in these versions:

There is a buffer overflow vulnerability in dns_srv and dns_naptr functions of Asterisk that allows an attacker to crash Asterisk via a specially crafted DNS SRV or NAPTR response. The attacker's request causes Asterisk to segfault and crash.

For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.6.2

The security advisory is available at:
https://downloads.asterisk.org/pub/security/AST-2018-010.pdf

-----

The Asterisk Development Team would like to announce security releases for Asterisk 13, 14 and 15, and Certified Asterisk 13.21. The available releases are released as versions 13.23.1, 14.7.8, 15.6.1 and 13.21-cert3.

These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade
  There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack space and crash.

For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.6.1

The security advisory is available at:
https://downloads.asterisk.org/pub/security/AST-2018-009.pdf

-----

The Asterisk Development Team would like to announce the release of Asterisk 15.6.0.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 15.6.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following issues are resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-28002 - When T.140 realtime text is negociated, a lot of debug traces are generated (Reported by Emmanuel BUU)
* ASTERISK-27881 - PBX calls via chan_sip TCP trunk now get authentification error (Reported by Ian Gilmour)
* ASTERISK-28011 - chan_sip: get_refer_info() attempted unlock mutex 'peer' without owning it! (Reported by Alec Davis)
* ASTERISK-27944 - res_pjsip_t38: Crash receiving 1xx responses other than 100 before 200 for T.38 reINVITE (Reported by Joshua Elson)
* ASTERISK-28007 - rtcp-mux is put in SDP answer regardless of offer (Reported by Torrey Searle)
* ASTERISK-27398 - No joint capabilities with video and audio-only streams (Reported by Benjamin Keith Ford)
* ASTERISK-27973 - app_queue: QUEUESTATUS = CONTINUE instead LEAVEEMPTY (Reported by Valentin Safonov)
* ASTERISK-27997 - pjproject_bundled: Fix for Solaris builds. Do not undef s_addr. (Reported by Alexander Traud)
* ASTERISK-27999 - Wrong SRTP use status report (Reported by Salah Ahmed)
* ASTERISK-28001 - res_pjsip_registrar: Improve performance of inbound handling (Reported by Joshua Colp)
* ASTERISK-27966 - pjsip: Race condition in 183 re transmission can result in a deadlock (Reported by Torrey Searle)
* ASTERISK-15331 - make menuselect fails due to undefined symbols (initscr32, w32addch) in menuselect_curses.o (Reported by Majdi Bsoul)
* ASTERISK-14935 - [regression] menuselect compilation failure on Solaris 10 (Reported by Samuel Owens)
* ASTERISK-12382 - menuselect compilation failure on Solaris 10 / gcc 3.4.3 (Reported by rleasure)
* ASTERISK-9107 - menuselect compilation failure on Solaris 10/gcc-4.1.1 (Reported by Bob Atkins)
* ASTERISK-27991 - BuildSystem: Enable Jansson in Solaris 11. (Reported by Alexander Traud)
* ASTERISK-27548 - res_pjsip_endpoint_identifier_ip only matches against "generic string" headers (Reported by George Joseph)
* ASTERISK-27990 - res_rtp_asterisk: Requires OpenSSL in Developer Mode. (Reported by Alexander Traud)
* ASTERISK-27591 - Frack errors in stasis.c and memory leakage (Reported by Siruja Maharjan)
* ASTERISK-27978 - res_pjsip: Change default transport keepalive to preserve behavior (Reported by Joshua Colp)
* ASTERISK-27968 - systemd: asterisk.service (Reported by seanchann.zhou)
* ASTERISK-27880 - [patch] pjproject_bundled: Repair ./configure --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27810 - BASIC-RETRANS: Implement receive (Reported by Benjamin Keith Ford)
* ASTERISK-27972 - res_sorcery_config: Allow object name based matching (Reported by Joshua Colp)
* ASTERISK-25548 - stasis: Improve message type "Use of before init/after destruction" error (Reported by Joshua Colp)
* ASTERISK-27967 - srtp: rejecting short sdes lifetimes incompatible with obihai ATAs (Reported by Nick French)
* ASTERISK-27961 - res_pjsip: Spurious ERROR logging when printing headers in sip_msg (Reported by Nick French)
* ASTERISK-27563 - pjsip modules always get -O2 even when DONT_OPTIMIZE is set (Reported by George Joseph)
* ASTERISK-27957 - PJSIP proposes ICE candidates on answer even if not in offer (Reported by Torrey Searle)
* ASTERISK-27347 - [patch] pjproject_bundled: Disable TCP/TLS keep-alives. (Reported by Alexander Traud)
* ASTERISK-27938 - [patch] Compile fails with `IPTOS_MINCOST' undeclared. (Reported by Alexander Traud)
* ASTERISK-27955 - res_pjsip_session: sdp group:BUNDLE attribute truncated (Reported by Kevin Harwell)
* ASTERISK-27956 - res_pjsip_pubsub: segfault in function publish_expire (Reported by Alexei Gradinari)
* ASTERISK-27949 - res_pjsip_rfc3326: A lot of endpoints do not correctly handle two Reason headers (Reported by Ross Beer)
* ASTERISK-27763 - res_pjsip_session: Initial INVITE with audio+fax results in 488 instead of declining stream (Reported by Thiago Coutinho)
* ASTERISK-27657 - res_pjsip_t38: ATA fails with hangupcause 58(Bearer capability not available) (Reported by Jared Hull)
* ASTERISK-27080 - res_pjsip_t38: Slow T.38 re-invite rejection if remote leg has T.38 disabled (Reported by Torrey Searle)
* ASTERISK-26686 - res_pjsip: Lock inversion in transport management (Reported by Ross Beer)
* ASTERISK-27939 - [patch] bridge_softmix_binaural: Enable FFTW3 in Solaris 11. (Reported by Alexander Traud)

Improvements made in this release:
-----------------------------------
* ASTERISK-28006 - PJSIP: Missing "party=calling"/"party=called" in Remote-Party-ID (Reported by Eric Dantie)
* ASTERISK-27995 - pjproject_bundled: Find shared libraries in root --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27993 - pjsip_wizard example gives wrong info about unsupported SRV records (Reported by Jonathan Harris)
* ASTERISK-27970 - res_rtp_asterisk: T.140 packets containing backspace or end of line are merged with regular text and it causes some UA to break (Reported by Emmanuel BUU)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-15.6.0

-----

The Asterisk Development Team would like to announce the release of Asterisk 15.5.0.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 15.5.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following issues are resolved in this release:

Security bugs fixed in this release:
-----------------------------------
* ASTERISK-27818 - Username bruteforce is possible when using ACL with PJSIP (Reported by John)
* ASTERISK-27807 - iostreams: Potential DoS when client connection closed prematurely (Reported by Sean Bright)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-27783 - res_pjsip_pubsub: apparent crash on shutdown (Reported by Kevin Harwell)
* ASTERISK-27870 - app_confbridge: Conference bridge and announcer channels are not removed if conference is ended as soon as it starts (Reported by Robert Mordec)
* ASTERISK-27943 - AMI: Action SendText needs to use the correct thread. (Reported by Richard Mudgett)
* ASTERISK-27942 - res_pjsip_messaging doesn't accept application/* content-types. (Reported by George Joseph)
* ASTERISK-27909 - cdr: Deadlock with submit_scheduled_batch and submit_unscheduled_batch (Reported by Denis Lebedev)
* ASTERISK-27936 - res_pjsip_session doesn't update media when a 200 comes in with a different port than a 183 (Reported by George Joseph)
* ASTERISK-26987 - pbx_dundi: Asterisk crashes when unloading module pbx_dundi.so with dundi peers (Reported by Kirsty Tyerman)
* ASTERISK-27933 - [patch] uuid: Enable UUID in Solaris 11. (Reported by Alexander Traud)
* ASTERISK-27625 - channels: CHECK_BLOCKING is ineffective (Reported by Corey Farrell)
* ASTERISK-27931 - [patch] BuildSystem: Enable ./configure in Solaris 11. (Reported by Alexander Traud)
* ASTERISK-27926 - [patch] bootstrap.sh: find -maxdepth is not POSIX compatible. (Reported by Alexander Traud)
* ASTERISK-27903 - menuselect: GCC 8: restrict-qualified parameter passed and aliased. (Reported by Alexander Traud)
* ASTERISK-27914 - [patch] tests/test_utils: Repair ./configure --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27705 - chan_iax2: Stops listening for traffic (Reported by Kirsty Tyerman)
* ASTERISK-27908 - [patch] crypto.h: Repair ./configure --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27905 - [patch] res_srtp: Repair ./configure --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27888 - SQL fetch error on query which return 0 columns (Reported by Alexei Gradinari)
* ASTERISK-27902 - chan_pjsip isn't updating hangupcause on 4XX responses (Reported by George Joseph)
* ASTERISK-27901 - [patch] ooh323c: GCC 8: output truncated before terminating nul. (Reported by Alexander Traud)
* ASTERISK-27872 - res_pjsip: Modified qualify_frequency doesn't effect until pjsip reload (Reported by Alexei Gradinari)
* ASTERISK-27094 - res_fax: Deadlock when using Local channels and fax gateway (Reported by David Brillert)
* ASTERISK-27848 - rtp: DTMF Breaks With telephony-event/16000 (Reported by Dominic)
* ASTERISK-25261 - Manager events for MeetMe have incorrectly documented key name 'Usernum' - should be 'User' (Reported by Francois Blackburn)
* ASTERISK-27878 - [patch] tcptls.h: Repair ./configure --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27876 - [patch] tcptls: Allow OpenSSL configured with no-dh. (Reported by Alexander Traud)
* ASTERISK-27874 - [patch] tcptls: Allow OpenSSL 1.1.x configured with enable-ssl3-method no-deprecated. (Reported by Alexander Traud)
* ASTERISK-27845 - Codec-Change Re-INVITE during DTMF can cause marker bit error (Reported by Torrey Searle)
* ASTERISK-27831 - res_rtp_asterisk: Add support for abs-send-time RTP extension (Reported by Joshua Colp)
* ASTERISK-27863 - config/ast_destroy_realtime_fields: successful DELETE is treated as failed (Reported by Alexei Gradinari)
* ASTERISK-27865 - [patch]: tcptls: Repair ./configure --with-ssl=PATH. (Reported by Alexander Traud)
* ASTERISK-27760 - Asterisk ODBC Voicemail Prompt storage fails with recent MariaDB version. (Reported by Nic Colledge)
* ASTERISK-27853 - Incorrect error reported when leaving/retrieving a ODBC voicemail (Reported by Nic Colledge)
* ASTERISK-27726 - chan_mobile: presents incorrect inbound Caller-ID names (Reported by Brian)
* ASTERISK-27861 - [patch] res_pjsip_endpoint_identifier_ip: Unregister the module for headers. (Reported by Alexander Traud)
* ASTERISK-27860 - [patch] res_pjsip: Register pjsip_transport_management not externally but internally. (Reported by Alexander Traud)
* ASTERISK-27852 - cli: "manager show settings" mislabels HTTP timeout as being minutes. (Reported by Corey Farrell)
* ASTERISK-27824 - Fix issues exposed by GCC 8 (Reported by George Joseph)
* ASTERISK-27850 - [patch] rtp_engine: Allow Media Formats with add_static_payload(-1) on egress again. (Reported by Alexander Traud)
* ASTERISK-27811 - [patch] sip_to_pjsip: Enable python3 compatibility. (Reported by Alexander Traud)
* ASTERISK-27841 - digest over for manager (ami) over http fails on too long uris (Reported by Jaco Kroon)
* ASTERISK-26570 - Macro allows an infinite loop of dialplan inclusion resulting in a crash (Reported by Tzafrir Cohen)
* ASTERISK-27801 - Asterisk got stuck while enabling "ari set debug all on" (Reported by shaurya jain)
* ASTERISK-27795 - chan_sip: one way / no audio with srtp (Reported by Florian Kaiser)
* ASTERISK-27800 - One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP (Reported by Artur Pires)
* ASTERISK-26806 - pjsip_options: rework to make more efficient (Reported by Kevin Harwell)
* ASTERISK-27814 - translate: interpolated frames are not passed through (Reported by Kevin Harwell)
* ASTERISK-27812 - When the ooh323 debug is on there is no ringing signal to incoming calls via H323 trunk. (Reported by Dimos)
* ASTERISK-26893 - No "alert" or "progress" in chan_ooh323 if debug is enabled only on the module (Reported by Marco Giordani)
* ASTERISK-27639 - [patch] BuildSystem: Enable IMAP storage on FreeBSD and DragonFly BSD. (Reported by Alexander Traud)
* ASTERISK-27804 - bridge_softmix / app_confbridge: Add support for combining REMB reports (Reported by Joshua Colp)
* ASTERISK-27418 - app_confbridge: "core show profile bridge" does not output "sfu" when video_mode is sfu (Reported by Carlos Chavez)
* ASTERISK-27808 - [patch] chan_vpb: Avoid GNU old-style field designator extension. (Reported by Alexander Traud)

Improvements made in this release:
-----------------------------------
* ASTERISK-27929 - [patch] BuildSystem: Enable autotools in Solaris 11. (Reported by Alexander Traud)
* ASTERISK-27752 - Ten seconds of silence after mp3 playback (Reported by Sam Wierema)
* ASTERISK-27910 - [patch] res_rtp_asterisk: Allow OpenSSL configured with no-deprecated. (Reported by Alexander Traud)
* ASTERISK-27906 - [patch] res_crypto: Allow OpenSSL configured with no-deprecated. (Reported by Alexander Traud)
* ASTERISK-27877 - app_confbridge: Add talking indicator for ConfBridgeList AMI response (Reported by William McCall)
* ASTERISK-27873 - documentation: Error on wiki description of Asterisk 13 "MeetmeMute" event (Reported by Alessandro Polidori)
* ASTERISK-27846 - ast_coredumper: Fix OUTPUT directory (Reported by Ted G)
* ASTERISK-27867 - [patch] libasteriskssl: Allow OpenSSL 1.0.2 configured with no-deprecated. (Reported by Alexander Traud)
* ASTERISK-27796 - res_hep: Allow create_address to resolve a provided hostname (Reported by Sebastian Gutierrez)
* ASTERISK-27820 - [patch] Add DragonFly BSD. (Reported by Alexander Traud)
* ASTERISK-27793 - cppcheck identifies redundant "if" (Reported by Ilya Shipitsin)

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-15.5.0