| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The Asterisk Development Team has announced a security release for
Asterisk 10. This security release is released as version 10.5.1.
The release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of Asterisk 10.5.1 resolves the following issue:
* A remotely exploitable crash vulnerability was found in the Skinny
(SCCP) Channel driver. When an SCCP client sends an Off Hook
message, followed by a Key Pad Button Message, a structure that
was previously set to NULL is dereferenced. This allows remote
authenticated connections the ability to cause a crash in the
server, denying services to legitimate users.
This issue and its resolution is described in the security advisory.
For more information about the details of this vulnerability, please
read security advisory AST-2012-009, which was released at the same
time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.1
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2012-009.pdf
Thank you for your continued support of Asterisk!
|
|
|
|
The Asterisk Development Team has announced the release of Asterisk
10.5.0.
The release of Asterisk 10.5.0 resolves several issues reported by
the community and would have not been possible without your
participation. Thank you!
The following is a sample of the issues resolved in this release:
* --- Turn off warning message when bind address is set to any.
* --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
machines
* --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
before disconnecting the call.
* --- Fix recalled party B feature flags for a failed DTMF atxfer.
* --- Fix DTMF atxfer running h exten after the wrong bridge ends.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.5.0
Thank you for your continued support of Asterisk!
|
|
AST-2012-008 along with some general bug fixes.
----- 10.4.1 -----
The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available
security releases are released as versions 1.8.11-cert2, 1.8.12.1,
and 10.4.1.
The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve
the following two issues:
* A remotely exploitable crash vulnerability exists in the IAX2
channel driver if an established call is placed on hold without
a suggested music class. Asterisk will attempt to use an invalid
pointer to the music on hold class name, potentially causing a
crash.
* A remotely exploitable crash vulnerability was found in the Skinny
(SCCP) Channel driver. When an SCCP client closes its connection
to the server, a pointer in a structure is set to NULL. If the
client was not in the on-hook state at the time the connection
was closed, this pointer is later dereferenced. This allows remote
authenticated connections the ability to cause a crash in the
server, denying services to legitimate users.
These issues and their resolution are described in the security
advisories.
For more information about the details of these vulnerabilities,
please read security advisories AST-2012-007 and AST-2012-008,
which were released at the same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-008.pdf
Thank you for your continued support of Asterisk!
----- 10.4.2 -----
The Asterisk Development Team has announced the release of Asterisk
10.4.2.
The release of Asterisk 10.4.2 resolves several issues reported by
the community and would have not been possible without your
participation. Thank you!
The following are the issues resolved in this release:
* --- Resolve crash in subscribing for MWI notifications
(Closes issue ASTERISK-19827. Reported by B. R)
* --- Fix crash in ConfBridge when user announcement is played for
more than 2 users
(Closes issue ASTERISK-19899. Reported by Florian Gilcher)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.4.2
Thank you for your continued support of Asterisk!
|
|
Fix inline definitions to work with C99 compiler.
|
|
The Asterisk Development Team has announced the release of Asterisk 10.4.0.
The release of Asterisk 10.4.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- Prevent chanspy from binding to zombie channels
* --- Fix Dial m and r options and forked calls generating warnings
for voice frames.
* --- Remove ISDN hold restriction for non-bridged calls.
* --- Fix copying of CDR(accountcode) to local channels.
* --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
* --- Eliminate double close of file descriptor in manager.c
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.4.0
Thank you for your continued support of Asterisk!
|
|
and AST-2012-006.
The Asterisk Development Team has announced security releases for
Asterisk 1.6.2 , 1.8, and 10. The available security releases are
released as versions 1.6.2.24, 1.8.11.1, and 10.3.1.
The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the
following two issues:
* A permission escalation vulnerability in Asterisk Manager
Interface. This would potentially allow remote authenticated
users the ability to execute commands on the system shell with
the privileges of the user running the Asterisk application.
* A heap overflow vulnerability in the Skinny Channel driver.
The keypad button message event failed to check the length of
a fixed length buffer before appending a received digit to the
end of that buffer. A remote authenticated user could send
sufficient keypad button message events that th e buffer would
be overrun.
In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve
the following issue:
* A remote crash vulnerability in the SIP channel driver when
processing UPDATE requests. If a SIP UPDATE request was received
indicating a connected line update after a channel was terminated
but before the final destruction of the associated SIP dialog,
Asterisk would attempt a connected line update on a non-existing
channel, causing a crash.
These issues and their resolution are described in the security
advisories.
For more information about the details of these vulnerabilities,
please read security advisories AST-2012-004, AST-2012-005, and
AST-2012-006, which were released at the same time as this
announcement.
For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.3.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-004.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-006.pdf
Thank you for your continued support of Asterisk!
|
|
|
|
pkgsrc change: eliminate ilbc option now that iLBC codec is always built
The Asterisk Development Team has announced the release of Asterisk 10.3.0.
The release of Asterisk 10.3.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- Fix potential buffer overrun and memory leak when executing "sip
show peers"
* --- Fix ACK routing for non-2xx responses.
* --- Remove possible segfaults from res_odbc by adding locks around
usage of odbc handle
* --- Fix blind transfer parking issues if the dialed extension is not
recognized as a parking extension.
* --- Copy CDR variables when set during a bridge
* --- push 'outgoing' flag from sig_XXX up to chan_dahdi
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.3.0
Thank you for your continued support of Asterisk!
|
|
This is a security fix release. It fixes AST-2012-002 and AST-2012-003.
pkgsrc changes:
- adapt to having iLBC source code included
- fix building on Solaris
- adapt to new sound tarball
----- 10.2.0 -----
The Asterisk Development Team has announced the release of Asterisk 10.2.0.
The release of Asterisk 10.2.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Prevent outbound SIP NOTIFY packets from displaying a port of 0 ---
* --- Include iLBC source code for distribution with Asterisk ---
* --- Fix callerid of originated calls ---
* --- Fix outbound DTMF for inband mode of chan_ooh323 ---
* --- Create and initialize udptl only when dialog requests image media ---
* --- Don't prematurely stop SIP session timer ---
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.2.0
Thank you for your continued support of Asterisk!
----- 10.2.1 -----
The Asterisk Development Team has announced security releases for
Asterisk 1.4, 1.6.2, 1.8, and 10. The available security releases
are released as versions 1.4.44, 1.6.2.23, 1.8.10.1, and 10.2.1.
The release of Asterisk 1.8.10.1 and 10.2.1 resolve two issues.
First, they resolve the issue in app_milliwatt, wherein a buffer
can potentially be overrun on the stack, but no remote code execution
is possible. Second, they resolve an issue in HTTP AMI where digest
authentication information can be used to overrun a buffer on the
stack, allowing for code injection and execution.
These issues and their resolution are described in the security
advisory.
For more information about the details of these vulnerabilities,
please read the security advisories AST-2012-002 and AST-2012-003,
which were released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.2.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-003.pdf
Thank you for your continued support of Asterisk!
|
|
|
|
The Asterisk Development Team has announced the release of Asterisk 10.1.3.
The release of Asterisk 10.1.3 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- Fix ACK routing for non-2xx responses.
(Closes issue ASTERISK-19389. Reported by: Karsten Wemheuer)
* --- Fix regressions with regards to route-set creation on early dialogs ---
(Closes issue ASTERISK-19358. Reported-by: Karsten Wemheuer)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.3
Thank you for your continued support of Asterisk!
|
|
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- Fix SIP INFO DTMF handling for non-numeric codes ---
(Closes issue ASTERISK-19290. Reported by: Ira Emus)
* --- Fix crash in ParkAndAnnounce ---
(Closes issue ASTERISK-19311. Reported-by: tootai)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.2
|
|
The release of Asterisk 10.1.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Fixes deadlocks occuring in chan_agent ---
* --- Ensure entering T.38 passthrough does not cause an infinite loop ---
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.1
Thank you for your continued support of Asterisk!
|
|
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)
Enjoy.
|
|
The Asterisk Development Team is pleased to announce the release of
Asterisk 10.1.0. This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 10.1.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* AST-2012-001: prevent crash when an SDP offer
is received with an encrypted video stream when support for video
is disabled and res_srtp is loaded. (closes issue ASTERISK-19202)
Reported by: Catalin Sanda
* Allow playback of formats that don't support seeking. ast_streamfile
previously did unconditional seeking on files that broke playback of
formats that don't support that functionality. This patch avoids the
seek that was causing the problem.
(closes issue ASTERISK-18994) Patched by: Timo Teras
* Add pjmedia probation concepts to res_rtp_asterisk's learning mode. In
order to better handle RTP sources with strictrtp enabled (which is the
default setting in 10) using the learning mode to figure out new sources
when they change is handled by checking for a number of consecutive (by
sequence number) packets received to an rtp struct based on a new
configurable value called 'probation'. Also, during learning mode instead
of liberally accepting all packets received, we now reject packets until a
clear source has been determined.
* Handle AST_CONTROL_UPDATE_RTP_PEER frames in local bridge loop. Failing
to handle AST_CONTROL_UPDATE_RTP_PEER frames in the local bridge loop
causes the loop to exit prematurely. This causes a variety of negative side
effects, depending on when the loop exits. This patch handles the frame by
essentially swallowing the frame in the local loop, as the current channel
drivers expect the RTP bridge to handle the frame, and, in the case of the
local bridge loop, no additional action is necessary.
(closes issue ASTERISK-19095) Reported by: Stefan Schmidt Tested
by: Matt Jordan
* Fix timing source dependency issues with MOH. Prior to this patch,
res_musiconhold existed at the same module priority level as the timing
sources that it depends on. This would cause a problem when music on
hold was reloaded, as the timing source could be changed after
res_musiconhold was processed. This patch adds a new module priority
level, AST_MODPRI_TIMING, that the various timing modules are now loaded
at. This now occurs before loading other resource modules, such
that the timing source is guaranteed to be set prior to resolving
the timing source dependencies.
(closes issue ASTERISK-17474) Reporter: Luke H Tested by: Luke H,
Vladimir Mikhelson, zzsurf, Wes Van Tlghem, elguero, Thomas Arimont
Patched by elguero
* Fix RTP reference leak. If a blind transfer were initiated using a
REFER without a prior reINVITE to place the call on hold, AND if Asterisk
were sending RTCP reports, then there was a reference leak for the
RTP instance of the transferrer.
(closes issue ASTERISK-19192) Reported by: Tyuta Vitali
* Fix blind transfers from failing if an 'h' extension
is present. This prevents the 'h' extension from being run on the
transferee channel when it is transferred via a native transfer
mechanism such as SIP REFER. (closes issue ASTERISK-19173) Reported
by: Ross Beer Tested by: Kristjan Vrban Patches: ASTERISK-19173 by
Mark Michelson (license 5049)
* Restore call progress code for analog ports. Extracting sig_analog
from chan_dahdi lost call progress detection functionality. Fix
analog ports from considering a call answered immediately after
dialing has completed if the callprogress option is enabled.
(closes issue ASTERISK-18841)
Reported by: Richard Miller Patched by Richard Miller
* Fix regression that 'rtp/rtcp set debup ip' only works when a port
was also specified.
(closes issue ASTERISK-18693) Reported by: Davide Dal Reviewed by:
Walter Doekes
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.0
Thank you for your continued support of Asterisk!
|
|
Asterisk Project Security Advisory - AST-2012-001
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SRTP Video Remote Crash Vulnerability |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Denial of Service |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | 2012-01-15 |
|----------------------+-------------------------------------------------|
| Reported By | Catalin Sanda |
|----------------------+-------------------------------------------------|
| Posted On | 2012-01-19 |
|----------------------+-------------------------------------------------|
| Last Updated On | January 19, 2012 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Joshua Colp < jcolp AT digium DOT com > |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | An attacker attempting to negotiate a secure video |
| | stream can crash Asterisk if video support has not been |
| | enabled and the res_srtp Asterisk module is loaded. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.8.x | All versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 10.x | All versions |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.8.8.2 |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 10.0.1 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| SVN URL |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 |
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2012-001.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+--------------------+---------------------------------|
| 12-01-19 | Joshua Colp | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
|
|
|
|
The Asterisk Development Team is proud to announce the release of
Asterisk 10.0.0. This release is available for immediate download
at http://downloads.asterisk.org/pub/telephony/asterisk/
Asterisk 10 is the next major release series of Asterisk. It will
be a Standard support release, similar to Asterisk 1.6.2. For more
information about support time lines for Asterisk releases, see
the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
With the release of the Asterisk 10 branch, the preceding '1.' has
been removed from the version number per the blog post available
at
http://blogs.digium.com/2011/07/21/the-evolution-of-asterisk-or-how-we-arrived-at-asterisk-10/
The release of Asterisk 10 would not have been possible without
the support and contributions of the community.
You can find an overview of the work involved with the 10.0.0
release in the summary:
http://svn.asterisk.org/svn/asterisk/tags/10.0.0/asterisk-10.0.0-summary.txt
A short list of available features includes:
* T.38 gateway functionality has been added to res_fax.
* Protocol independent out-of-call messaging support. Text messages not
associated with an active call can now be routed through the Asterisk
dialplan. SIP and XMPP are supported so far.
* New highly optimized and customizable ConfBridge application capable
of mixing audio at sample rates ranging from 8kHz-192kHz
* Addition of video_mode option in confbridge.conf to provide basic video
conferencing in the ConfBridge() dialplan application.
* Support for defining hints has been added to pbx_lua.
* Replacement of Berkeley DB with SQLite for the Asterisk Database (AstDB).
* Much, much more!
A full list of new features can be found in the CHANGES file.
http://svn.asterisk.org/svn/asterisk/branches/10/CHANGES
Also, when upgrading a system between major versions, it is imperative
that you read and understand the contents of the UPGRADE.txt file,
which is located at:
http://svn.asterisk.org/svn/asterisk/branches/10/UPGRADE.txt
Thank you for your continued support of Asterisk!
|
