Ranjivost programskog paketa asterisk

Detalji os-a: FED
Važnost: IMP
Operativni sustavi: L
Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2014-7551
2014-06-21 02:04:55
——————————————————————————–

Name : asterisk
Product : Fedora 20
Version : 11.10.2
Release : 2.fc20
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

——————————————————————————–
Update Information:

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
releases are released as versions 1.8.15-cert7, 11.6-cert4, 1.8.28.2, 11.10.2,
and 12.3.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

These releases resolve security vulnerabilities that were previously fixed in
1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1. Unfortunately, the fix
for AST-2014-007 inadvertently introduced a regression in Asterisk’s TCP and TLS
handling that prevented Asterisk from sending data over these transports. This
regression and the security vulnerabilities have been fixed in the versions
specified in this release announcement.

The security patches for AST-2014-007 have been updated with the fix for the
regression, and are available at http://downloads.asterisk.org/pub/security

Please note that the release of these versions resolves the following security
vulnerabilities:

* AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe
Framework

* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
Shell Access

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections

* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,
which were released with the previous versions that addressed these
vulnerabilities.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert4
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.2

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-008.pdf

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issue:

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections

Establishing a TCP or TLS connection to the configured HTTP or HTTPS port
respectively in http.conf and then not sending or completing a HTTP request
will tie up a HTTP session. By doing this repeatedly until the maximum number
of open HTTP sessions is reached, legitimate requests are blocked.

Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the
following issue:

* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
Shell Access

Manager users can execute arbitrary shell commands with the MixMonitor manager
action. Asterisk does not require system class authorization for a manager
user to use the MixMonitor action, so any manager user who is permitted to use
manager commands can potentially execute shell commands as the user executing
the Asterisk process.

Additionally, the release of 12.3.1 resolves the following issues:

* AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe
Framework

A remotely exploitable crash vulnerability exists in the PJSIP channel
driver’s pub/sub framework. If an attempt is made to unsubscribe when not
currently subscribed and the endpoint’s “sub_min_expiry” is set to zero,
Asterisk tries to create an expiration timer with zero seconds, which is not
allowed, so an assertion raised.

* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

When a SIP transaction timeout caused a subscription to be terminated, the
action taken by Asterisk was guaranteed to deadlock the thread on which SIP
requests are serviced. Note that this behavior could only happen on
established subscriptions, meaning that this could only be exploited if an
attacker bypassed authentication and successfully subscribed to a real
resource on the Asterisk server.

These issues and their resolutions are described in the security advisories.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1

The Asterisk Development Team has announced the release of Asterisk 11.10.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.10.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
———————————–
* ASTERISK-23547 – [patch] app_queue removing callers from queue
when reloading (Reported by Italo Rossi)
* ASTERISK-23559 – app_voicemail fails to load after fix to
dialplan functions (Reported by Corey Farrell)
* ASTERISK-22846 – testsuite: masquerade super test fails on all
branches (still) (Reported by Matt Jordan)
* ASTERISK-23545 – Confbridge talker detection settings
configuration load bug (Reported by John Knott)
* ASTERISK-23546 – CB_ADD_LEN does not do what you’d think
(Reported by Walter Doekes)
* ASTERISK-23620 – Code path in app_stack fails to unlock list
(Reported by Bradley Watkins)
* ASTERISK-23616 – Big memory leak in logger.c (Reported by
ibercom)
* ASTERISK-23576 – Build failure on SmartOS / Illumos / SunOS
(Reported by Sebastian Wiedenroth)
* ASTERISK-23550 – Newer sound sets don’t show up in menuselect
(Reported by Rusty Newton)
* ASTERISK-18331 – app_sms failure (Reported by David Woodhouse)
* ASTERISK-19465 – P-Asserted-Identity Privacy (Reported by
Krzysztof Chmielewski)
* ASTERISK-23605 – res_http_websocket: Race condition in shutting
down websocket causes crash (Reported by Matt Jordan)
* ASTERISK-23707 – Realtime Contacts: Apparent mismatch between
PGSQL database state and Asterisk state (Reported by Mark
Michelson)
* ASTERISK-23381 – [patch]ChanSpy- Barge only works on the initial
‘spy’, if the spied-on channel makes a new call, unable to
barge. (Reported by Robert Moss)
* ASTERISK-23665 – Wrong mime type for codec H263-1998 (h263+)
(Reported by Guillaume Maudoux)
* ASTERISK-23664 – Incorrect H264 specification in SDP. (Reported
by Guillaume Maudoux)
* ASTERISK-22977 – chan_sip+CEL: missing ANSWER and PICKUP event
for INVITE/w/replaces pickup (Reported by Walter Doekes)
* ASTERISK-23709 – Regression in Dahdi/Analog/waitfordialtone
(Reported by Steve Davies)

Improvements made in this release:
———————————–
* ASTERISK-23649 – [patch]Support for DTLS retransmission
(Reported by NITESH BANSAL)
* ASTERISK-23564 – [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23754 – [patch] Use var/lib directory for log file
configured in asterisk.conf (Reported by Igor Goncharovsky)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.10.0
——————————————————————————–
ChangeLog:

* Thu Jun 19 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.10.2-2:
– Drop the 389 directory server schema (1061414)
* Thu Jun 19 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.10.2-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
– releases are released as versions 1.8.15-cert7, 11.6-cert4, 1.8.28.2, 11.10.2,
– and 12.3.2.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– These releases resolve security vulnerabilities that were previously fixed in
– 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1. Unfortunately, the fix
– for AST-2014-007 inadvertently introduced a regression in Asterisk’s TCP and TLS
– handling that prevented Asterisk from sending data over these transports. This
– regression and the security vulnerabilities have been fixed in the versions
– specified in this release announcement.
–
– The security patches for AST-2014-007 have been updated with the fix for the
– regression, and are available at http://downloads.asterisk.org/pub/security
–
– Please note that the release of these versions resolves the following security
– vulnerabilities:
–
– * AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe
– Framework
–
– * AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
– Shell Access
–
– * AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
– Connections
–
– * AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,
– which were released with the previous versions that addressed these
– vulnerabilities.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert7
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.2
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-008.pdf
* Thu Jun 19 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.10.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
– releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1,
– and 12.3.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolves the following issue:
–
– * AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
– Connections
–
– Establishing a TCP or TLS connection to the configured HTTP or HTTPS port
– respectively in http.conf and then not sending or completing a HTTP request
– will tie up a HTTP session. By doing this repeatedly until the maximum number
– of open HTTP sessions is reached, legitimate requests are blocked.
–
– Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the
– following issue:
–
– * AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
– Shell Access
–
– Manager users can execute arbitrary shell commands with the MixMonitor manager
– action. Asterisk does not require system class authorization for a manager
– user to use the MixMonitor action, so any manager user who is permitted to use
– manager commands can potentially execute shell commands as the user executing
– the Asterisk process.
–
– Additionally, the release of 12.3.1 resolves the following issues:
–
– * AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe
– Framework
–
– A remotely exploitable crash vulnerability exists in the PJSIP channel
– driver’s pub/sub framework. If an attempt is made to unsubscribe when not
– currently subscribed and the endpoint’s “sub_min_expiry” is set to zero,
– Asterisk tries to create an expiration timer with zero seconds, which is not
– allowed, so an assertion raised.
–
– * AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
–
– When a SIP transaction timeout caused a subscription to be terminated, the
– action taken by Asterisk was guaranteed to deadlock the thread on which SIP
– requests are serviced. Note that this behavior could only happen on
– established subscriptions, meaning that this could only be exploited if an
– attacker bypassed authentication and successfully subscribed to a real
– resource on the Asterisk server.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,
– which were released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-008.pdf
* Thu Jun 19 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.10.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.10.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.10.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following are the issues resolved in this release:
–
– Bugs fixed in this release:
– ———————————–
– * ASTERISK-23547 – [patch] app_queue removing callers from queue
– when reloading (Reported by Italo Rossi)
– * ASTERISK-23559 – app_voicemail fails to load after fix to
– dialplan functions (Reported by Corey Farrell)
– * ASTERISK-22846 – testsuite: masquerade super test fails on all
– branches (still) (Reported by Matt Jordan)
– * ASTERISK-23545 – Confbridge talker detection settings
– configuration load bug (Reported by John Knott)
– * ASTERISK-23546 – CB_ADD_LEN does not do what you’d think
– (Reported by Walter Doekes)
– * ASTERISK-23620 – Code path in app_stack fails to unlock list
– (Reported by Bradley Watkins)
– * ASTERISK-23616 – Big memory leak in logger.c (Reported by
– ibercom)
– * ASTERISK-23576 – Build failure on SmartOS / Illumos / SunOS
– (Reported by Sebastian Wiedenroth)
– * ASTERISK-23550 – Newer sound sets don’t show up in menuselect
– (Reported by Rusty Newton)
– * ASTERISK-18331 – app_sms failure (Reported by David Woodhouse)
– * ASTERISK-19465 – P-Asserted-Identity Privacy (Reported by
– Krzysztof Chmielewski)
– * ASTERISK-23605 – res_http_websocket: Race condition in shutting
– down websocket causes crash (Reported by Matt Jordan)
– * ASTERISK-23707 – Realtime Contacts: Apparent mismatch between
– PGSQL database state and Asterisk state (Reported by Mark
– Michelson)
– * ASTERISK-23381 – [patch]ChanSpy- Barge only works on the initial
– ‘spy’, if the spied-on channel makes a new call, unable to
– barge. (Reported by Robert Moss)
– * ASTERISK-23665 – Wrong mime type for codec H263-1998 (h263+)
– (Reported by Guillaume Maudoux)
– * ASTERISK-23664 – Incorrect H264 specification in SDP. (Reported
– by Guillaume Maudoux)
– * ASTERISK-22977 – chan_sip+CEL: missing ANSWER and PICKUP event
– for INVITE/w/replaces pickup (Reported by Walter Doekes)
– * ASTERISK-23709 – Regression in Dahdi/Analog/waitfordialtone
– (Reported by Steve Davies)
–
– Improvements made in this release:
– ———————————–
– * ASTERISK-23649 – [patch]Support for DTLS retransmission
– (Reported by NITESH BANSAL)
– * ASTERISK-23564 – [patch]TLS/SRTP status of channel not currently
– available in a CLI command (Reported by Patrick Laimbock)
– * ASTERISK-23754 – [patch] Use var/lib directory for log file
– configured in asterisk.conf (Reported by Igor Goncharovsky)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.10.0
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 11.9.0-2.1
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu May 15 2014 Dennis Gilmore <dennis@ausil.us> – 11.9.0-2
– build against gmime-devel not gmime22-devel
– do not use -m64 on aarch64
* Wed Apr 23 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.9.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.9.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.9.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following are the issues resolved in this release:
–
– Bugs fixed in this release:
– ———————————–
– * ASTERISK-22790 – check_modem_rate() may return incorrect rate
– for V.27 (Reported by Paolo Compagnini)
– * ASTERISK-23034 – [patch] manager Originate doesn’t abort on
– failed format_cap allocation (Reported by Corey Farrell)
– * ASTERISK-23061 – [Patch] ‘textsupport’ setting not mentioned in
– sip.conf.sample (Reported by Eugene)
– * ASTERISK-23028 – [patch] Asterisk man pages contains unquoted
– minus signs (Reported by Jeremy Lainé)
– * ASTERISK-23046 – Custom CDR fields set during a GoSUB called
– from app_queue are not inserted (Reported by Denis Pantsyrev)
– * ASTERISK-23027 – [patch] Spelling typo “transfered” instead of
– “transferred” (Reported by Jeremy Lainé)
– * ASTERISK-23008 – Local channels loose CALLERID name when DAHDI
– channel connects (Reported by Michael Cargile)
– * ASTERISK-23100 – [patch] In chan_mgcp the ident in transmitted
– request and request queue may differ – fix for locking (Reported
– by adomjan)
– * ASTERISK-22988 – [patch]T38 , SIP 488 after Rejecting image
– media offer due to invalid or unsupported syntax (Reported by
– adomjan)
– * ASTERISK-22861 – [patch]Specifying a null time as parameter to
– GotoIfTime or ExecIfTime causes segmentation fault (Reported by
– Sebastian Murray-Roberts)
– * ASTERISK-17837 – extconfig.conf – Maximum Include level (1)
– exceeded (Reported by pz)
– * ASTERISK-22662 – Documentation fix? – queues.conf says
– persistentmembers defaults to yes, it appears to lie (Reported
– by Rusty Newton)
– * ASTERISK-23134 – [patch] res_rtp_asterisk port selection cannot
– handle selinux port restrictions (Reported by Corey Farrell)
– * ASTERISK-23220 – STACK_PEEK function with no arguments causes
– crash/core dump (Reported by James Sharp)
– * ASTERISK-19773 – Asterisk crash on issuing Asterisk-CLI ‘reload’
– command multiple times on cli_aliases (Reported by Joel Vandal)
– * ASTERISK-22757 – segfault in res_clialiases.so on reload when
– mapping “module reload” command (Reported by Gareth Blades)
– * ASTERISK-17727 – [patch] TLS doesn’t get all certificate chain
– (Reported by LN)
– * ASTERISK-23178 – devicestate.h: device state setting functions
– are documented with the wrong return values (Reported by
– Jonathan Rose)
– * ASTERISK-23232 – LocalBridge AMI Event LocalOptimization value
– is opposite to what’s expected (Reported by Leon Roy)
– * ASTERISK-23098 – [patch]possible null pointer dereference in
– format.c (Reported by Marcello Ceschia)
– * ASTERISK-23297 – Asterisk 12, pbx_config.so segfaults if
– res_parking.so is not loaded, or if res_parking.conf has no
– configuration (Reported by CJ Oster)
– * ASTERISK-23069 – Custom CDR variable not recorded when set in
– macro called from app_queue (Reported by Bryan Anderson)
– * ASTERISK-19499 – ConfBridge MOH is not working for transferee
– after attended transfer (Reported by Timo Teräs)
– * ASTERISK-23261 – [patch]Output mixup in
– ${CHANNEL(rtpqos,audio,all)} (Reported by rsw686)
– * ASTERISK-23279 – [patch]Asterisk doesn’t support the dynamic
– payload change in rtp mapping in the 200 OK response (Reported
– by NITESH BANSAL)
– * ASTERISK-23255 – UUID included for Redhat, but missing for
– Debian distros in install_prereq script (Reported by Rusty
– Newton)
– * ASTERISK-23260 – [patch]ForkCDR v option does not keep CDR
– variables for subsequent records (Reported by zvision)
– * ASTERISK-23141 – Asterisk crashes on Dial(), in
– pbx_find_extension at pbx.c (Reported by Maxim)
– * ASTERISK-23336 – Asterisk warning “Don’t know how to indicate
– condition 33 on ooh323c” on outgoing calls from H323 to SIP peer
– (Reported by Alexander Semych)
– * ASTERISK-23231 – Since 405693 If we have res_fax.conf file set
– to minrate=2400, then res_fax refuse to load (Reported by David
– Brillert)
– * ASTERISK-23135 – Crash – segfault in ast_channel_hangupcause_set
– – probably introduced in 11.7.0 (Reported by OK)
– * ASTERISK-23323 – [patch]chan_sip: missing p->owner checks in
– handle_response_invite (Reported by Walter Doekes)
– * ASTERISK-23406 – [patch]Fix typo in “sip show peer” (Reported by
– ibercom)
– * ASTERISK-23310 – bridged channel crashes in bridge_p2p_rtp_write
– (Reported by Jeremy Lainé)
– * ASTERISK-22911 – [patch]Asterisk fails to resume WebRTC call
– from hold (Reported by Vytis Valentinavičius)
– * ASTERISK-23104 – Specifying the SetVar AMI without a Channel
– cause Asterisk to crash (Reported by Joel Vandal)
– * ASTERISK-21930 – [patch]WebRTC over WSS is not working.
– (Reported by John)
– * ASTERISK-23383 – Wrong sense test on stat return code causes
– unchanged config check to break with include files. (Reported by
– David Woolley)
– * ASTERISK-20149 – Crash when faxing SIP to SIP with strictrtp set
– to yes (Reported by Alexandr Gordeev)
– * ASTERISK-17523 – Qualify for static realtime peers does not work
– (Reported by Maciej Krajewski)
– * ASTERISK-21406 – [patch] chan_sip deadlock on monlock between
– unload_module and do_monitor (Reported by Corey Farrell)
– * ASTERISK-23373 – [patch]Security: Open FD exhaustion with
– chan_sip Session-Timers (Reported by Corey Farrell)
– * ASTERISK-23340 – Security Vulnerability: stack allocation of
– cookie headers in loop allows for unauthenticated remote denial
– of service attack (Reported by Matt Jordan)
– * ASTERISK-23311 – Manager – MoH Stop Event fails to show up when
– leaving Conference (Reported by Benjamin Keith Ford)
– * ASTERISK-23420 – [patch]Memory leak in manager_add_filter
– function in manager.c (Reported by Etienne Lessard)
– * ASTERISK-23488 – Logic error in callerid checksum processing
– (Reported by Russ Meyerriecks)
– * ASTERISK-23461 – Only first user is muted when joining
– confbridge with ‘startmuted=yes’ (Reported by Chico Manobela)
– * ASTERISK-20841 – fromdomain not honored on outbound INVITE
– request (Reported by Kelly Goedert)
– * ASTERISK-22079 – Segfault: INTERNAL_OBJ (user_data=0x6374652f)
– at astobj2.c:120 (Reported by Jamuel Starkey)
– * ASTERISK-23509 – [patch]SayNumber for Polish language tries to
– play empty files for numbers divisible by 100 (Reported by
– zvision)
– * ASTERISK-23103 – [patch]Crash in ast_format_cmp, in ao2_find
– (Reported by JoshE)
– * ASTERISK-23391 – Audit dialplan function usage of channel
– variable (Reported by Corey Farrell)
– * ASTERISK-23548 – POST to ARI sometimes returns no body on
– success (Reported by Scott Griepentrog)
– * ASTERISK-23460 – ooh323 channel stuck if call is placed directly
– and gatekeeper is not available (Reported by Dmitry Melekhov)
–
– Improvements made in this release:
– ———————————–
– * ASTERISK-22980 – [patch]Allow building cdr_radius and cel_radius
– against libfreeradius-client (Reported by Jeremy Lainé)
– * ASTERISK-22661 – Unable to exit ChanSpy if spied channel does
– not have a call in progress (Reported by Chris Hillman)
– * ASTERISK-23099 – [patch] WSS: enable ast_websocket_read()
– function to read the whole available data at first and then wait
– for any fragmented packets (Reported by Thava Iyer)
* Tue Mar 11 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.8.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
– releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1,
– and 12.1.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
–
– Sending a HTTP request that is handled by Asterisk with a large number of
– Cookie headers could overflow the stack.
–
– Another vulnerability along similar lines is any HTTP request with a
– ridiculous number of headers in the request could exhaust system memory.
–
– * AST-2014-002: chan_sip: Exit early on bad session timers request
–
– This change allows chan_sip to avoid creation of the channel and
– consumption of associated file descriptors altogether if the inbound
– request is going to be rejected anyway.
–
– Additionally, the release of 12.1.1 resolves the following issue:
–
– * AST-2014-003: res_pjsip: When handling 401/407 responses don’t assume a
– request will have an endpoint.
–
– This change removes the assumption that an outgoing request will always
– have an endpoint and makes the authenticate_qualify option work once again.
–
– Finally, a security advisory, AST-2014-004, was released for a vulnerability
– fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to
– 12.1.1 to resolve both vulnerabilities.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004,
– which were released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert5
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.8.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.1.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-004.pdf
* Tue Mar 4 2014 Jeffrey Ollie <jeff@ocjtech.us> – 11.8.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.8.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.8.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following are the issues resolved in this release:
–
– Bugs fixed in this release:
– ———————————–
– * ASTERISK-22544 – Italian prompt vm-options has advertisement in
– it (Reported by Rusty Newton)
– * ASTERISK-21383 – STUN Binding Requests Not Being Sent Back from
– Asterisk to Chrome (Reported by Shaun Clark)
– * ASTERISK-22478 – [patch]Can’t use pound(hash) symbol for custom
– DTMF menus in ConfBridge (processed as directive) (Reported by
– Nicolas Tanski)
– * ASTERISK-12117 – chan_sip creates a new local tag (from-tag) for
– every register message (Reported by Pawel Pierscionek)
– * ASTERISK-20862 – Asterisk min and max member penalties not
– honored when set with 0 (Reported by Schmooze Com)
– * ASTERISK-22746 – [patch]Crash in chan_dahdi during caller id
– read (Reported by Michael Walton)
– * ASTERISK-22788 – [patch] main/translate.c: access to variable f
– after free in ast_translate() (Reported by Corey Farrell)
– * ASTERISK-21242 – Segfault when T.38 re-invite retransmission
– receives 200 OK (Reported by Ashley Winters)
– * ASTERISK-22590 – BufferOverflow in unpacksms16() when receiving
– 16 bit multipart SMS with app_sms (Reported by Jan Juergens)
– * ASTERISK-22905 – Prevent Asterisk functions that are ‘dangerous’
– from being executed from external interfaces (Reported by Matt
– Jordan)
– * ASTERISK-23021 – Typos in code : “avaliable” instead of
– “available” (Reported by Jeremy Lainé)
– * ASTERISK-22970 – [patch]Documentation fix for QUOTE() (Reported
– by Gareth Palmer)
– * ASTERISK-21960 – ooh323 channels stuck (Reported by Dmitry
– Melekhov)
– * ASTERISK-22350 – DUNDI – core dump on shutdown – segfault in
– sqlite3_reset from /usr/lib/libsqlite3.so.0 (Reported by Birger
– “WIMPy” Harzenetter)
– * ASTERISK-22942 – [patch] – Asterisk crashed after
– Set(FAXOPT(faxdetect)=t38) (Reported by adomjan)
– * ASTERISK-22856 – [patch]SayUnixTime in polish reads minutes
– instead of seconds (Reported by Robert Mordec)
– * ASTERISK-22854 – [patch] – Deadlock between cel_pgsql unload and
– core_event_dispatcher taskprocessor thread (Reported by Etienne
– Lessard)
– * ASTERISK-22910 – [patch] – REPLACE() calls strcpy on overlapping
– memory when <replace-char> is empty (Reported by Gareth Palmer)
– * ASTERISK-22871 – cel_pgsql module not loading after “reload” or
– “reload cel_pgsql.so” command (Reported by Matteo)
– * ASTERISK-23084 – [patch]rasterisk needlessly prints the
– AST-2013-007 warning (Reported by Tzafrir Cohen)
– * ASTERISK-17138 – [patch] Asterisk not re-registering after it
– receives “Forbidden – wrong password on authentication”
– (Reported by Rudi)
– * ASTERISK-23011 – [patch]configure.ac and pbx_lua don’t support
– lua 5.2 (Reported by George Joseph)
– * ASTERISK-22834 – Parking by blind transfer when lot full orphans
– channels (Reported by rsw686)
– * ASTERISK-23047 – Orphaned (stuck) channel occurs during a failed
– SIP transfer to parking space (Reported by Tommy Thompson)
– * ASTERISK-22946 – Local From tag regression with sipgate.de
– (Reported by Stephan Eisvogel)
– * ASTERISK-23010 – No BYE message sent when sip INVITE is received
– (Reported by Ryan Tilton)
– * ASTERISK-23135 – Crash – segfault in ast_channel_hangupcause_set
– – probably introduced in 11.7.0 (Reported by OK)
–
– Improvements made in this release:
– ———————————–
– * ASTERISK-22728 – [patch] Improve Understanding Of ‘Forcerport’
– When Running “sip show peers” (Reported by Michael L. Young)
– * ASTERISK-22659 – Make a new core and extra sounds release
– (Reported by Rusty Newton)
– * ASTERISK-22919 – core show channeltypes slicing (Reported by
– outtolunc)
– * ASTERISK-22918 – dahdi show channels slices PRI channel dnid on
– output (Reported by outtolunc)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.8.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
* Mon Oct 21 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-3:
– Disable hardened build, as it’s apparently causing problems loading modules.
——————————————————————————–
References:

[ 1 ] Bug #1109284 – CVE-2014-4047 asterisk: DoS due to Exhaustion of Allowed Concurrent HTTP Connections (AST-2014-007)
https://bugzilla.redhat.com/show_bug.cgi?id=1109284
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update asterisk’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-7570
2014-06-21 02:05:39
——————————————————————————–

Name : asterisk
Product : Fedora 19
Version : 11.10.2
Release : 2.fc19
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.