Age | Commit message | Author | Files | Lines |
|
to log to /spool/fax/Faxlog.
|
|
and AST-2012-015. Apparently the last update didn't completely
fix the issues.
The Asterisk Development Team has announced a security release for
Asterisk 11, Asterisk 11.1.2. This release addresses the security
vulnerabilities reported in AST-2012-014 and AST-2012-015, and
replaces the previous version of Asterisk 11 released for these
security vulnerabilities. The prior release left open a vulnerability
in res_xmpp that exists only in Asterisk 11; as such, other versions
of Asterisk were resolved correctly by the previous releases.
The release of these versions resolves the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions. The vulnerabilities in SIP and HTTP were corrected in a prior
release of Asterisk; the vulnerability in XMPP is resolved in this release.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of. Handling the cachability of device states
aggregated via XMPP is handled in this release.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk - and we apologize for having
to do this twice!
|
|
and AST-2012-015.
Approved for commit during freeze by: agc
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
and 11.1.1.
The release of these versions resolves the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk!
|
|
and AST-2012-015.
Approved for commit during freeze by: agc
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
and 11.1.1.
The release of these versions resolves the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk!
|
|
and AST-2012-015.
Approved for commit during freeze by: agc
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
and 11.1.1.
The release of these versions resolves the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk!
|
|
comms/deforaos-phone (version 0.3.11)
|
|
Note that Asterisk 10.* will be going into security fix only mode
on Dec. 15th, 2012. Users may wish to consider moving to one of
the Long Term Support versions: comms/asterisk18 (Asterisk 1.8.*)
or comms/asterisk (which currently has Asterisk 11.*). See
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions for
information on Asterisk versions.
----- 10.11.0:
The Asterisk Development Team has announced the release of Asterisk 10.11.0.
The release of Asterisk 10.11.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Prevent resetting of NATted realtime peer address on reload.
* --- Do not use a FILE handle when doing SIP TCP reads.
* --- Fix ConfBridge crash if no timing module loaded.
* --- confbridge: Fix a bug which made conferences not record with
AMI/CLI commands
* --- Fix execution of 'i' extension due to uninitialized variable.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.11.0
Thank you for your continued support of Asterisk!
----- 10.10.1:
The Asterisk Development Team has announced the release of Asterisk 10.10.1.
The release of Asterisk 10.10.1 resolves an issue reported by the
community and would not have been possible without your participation.
Thank you!
The following is the issue resolved in this release:
* --- chan_local: Fix local_pvt ref leak in local_devicestate().
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.10.1
Thank you for your continued support of Asterisk!
|
|
----- 1.8.19.0:
The Asterisk Development Team has announced the release of Asterisk 1.8.19.0.
The release of Asterisk 1.8.19.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Prevent resetting of NATted realtime peer address on reload.
* --- Do not use a FILE handle when doing SIP TCP reads.
* --- Fix execution of 'i' extension due to uninitialized variable.
* --- Ensure that the Queue application tracks busy members in off
nominal situations
* --- Properly extract the Body information of an EWS calendar item
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.19.0
Thank you for your continued support of Asterisk!
----- 1.8.18.1:
The Asterisk Development Team has announced the release of Asterisk 1.8.18.1.
The release of Asterisk 1.8.18.1 resolves an issue reported by the
community and would not have been possible without your participation.
Thank you!
The following is the issue resolved in this release:
* --- chan_local: Fix local_pvt ref leak in local_devicestate().
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.18.1
Thank you for your continued support of Asterisk!
|
|
Relevant ChangeLog entries since 2.5:
* src/main.c, src/minicom.c: iconv: Handle the case that iconv
did not convert anything. Reported by Mike Crowe, Debian #659351.
* src/ipc.c: Formatting cleanup.
* src/main.c: ETIME -> ETIMEDOUT as ETIME is not available on BSDs
* src/main.c: Fix invalid memory used, reported by Larry Baker
* src/config.c, src/rwconf.c: Do not set modem init and reset string
anymore, define them empty. Instead, when editing those offer
them as a default.
* src/minicom.h, src/main.c, src/dial.c: only update statusline
if there's a change (e.g. for updates times)
* src/updown.c: Flush before forking helper program,
patch by Domen Puncer, thanks!
* src/minicom.c, src/minicom.h, src/vt100.c: Add timestamps with
milliseconds, based on patch by Raphaël Assénat, thanks!
* src/dial.c, src/minicom.c, src/main.c: Cleanups. Print
basename of current device to statusline if online time is disabled.
* configure.in, src/Makefile.am, src/main.c, src/minicom.c,
src/minicom.h, src/updown.c: Add lockdev support,
by Ludwig Nussel <ludwig.nussel@suse.de>
* src/dial.c: add a dialdir version 6 which does not save the
pointer on disk and should now work on 32 and 64 bit
systems equally.
* configure.in: Use AM_ICONV_LINK...
* src/script.c: Fix a buffer overflow problem. Thanks Frederic Germain.
* src/minicom.c: Do not use iconv-functions if iconv is not available.
* src/config.c, src/main.c, src/vt100.c, src/vt100.h: Add transmit
delay for every character, based on patch by Nicolas PILLON.
* src/config.c: Do not extend tilde to home directory for
non-path arguments. Debian bug #621741
* configure.in, src/Makefile.am: Add workaround and then use
libiconv for linking, fixes build issue on Mac OS X.
* src/main.c: Increase serial port open timeout, by
Lubomir Rintel
* src/main.c: Set sensible errno if port open times out,
by Lubomir Rintel
* src/help.c: Help fix for timestamp toggle by Mark Einon
* src/minicom.c: Code consolidation.
* src/minicom.c, src/minicom.h, src/vt100.c, man/minicom.1: Make
line timestamps three value: every line, every second, and off.
* man/minicom.1: Wording fix.
* src/vt100.c: Cleanups: Delete everything that was in OLD blocks.
Do not explicitly set global variables to 0.
* src/vt100.c, man/minicom.1: Change timestamp style, prepend every
line. Add in manpage.
* src/dial.c src/help.c src/ipc.c src/minicom.c src/minicom.h
src/vt100.c src/vt100.h: Addition by Mark Einon
<mark.einon@gmail.com> to add current date/time to each line.
* src/file.c: Only enter directory if we have read permissions to
get directory listings, by Jan Görig.
* src/file.c, src/getsdir.c: Cleanup and simplify.
* man/runscript.1, man/minicom.1: Fixes by John Bradshaw
* src/main.c: Avoid redraw of status line in Offline mode when
nothing changed.
* src/minicom.c: Do not lose line wrap setting over terminal resizes.
* src/main.c: Simplify status line update, also makes status
messages display the amount of time they are actually supposed
to display.
|
|
As this is a major release, you should read the information about updating:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+11
You can also find documentation in: /usr/pkg/share/doc/asterisk
----- 11.1.0:
The Asterisk Development Team has announced the release of Asterisk 11.1.0.
The release of Asterisk 11.1.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Fix execution of 'i' extension due to uninitialized variable.
* --- Prevent resetting of NATted realtime peer address on reload.
* --- Fix ConfBridge crash if no timing module loaded.
* --- Fix the Park 'r' option when a channel parks itself.
* --- Fix an issue where outgoing calls would fail to establish audio
due to ICE negotiation failures.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.1.0
----- 11.0.1:
The Asterisk Development Team has announced the release of Asterisk 11.0.1.
The release of Asterisk 11.0.1 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- chan_sip: Fix a bug causing SIP reloads to remove all entries
from the registry
* --- confbridge: Fix a bug which made conferences not record with
AMI/CLI commands
* --- Fix an issue with res_http_websocket where the chan_sip
WebSocket handler could not be registered.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.0.1
Thank you for your continued support of Asterisk!
----- 11.0.0:
The Asterisk Development Team is pleased to announce the release of
Asterisk 11.0.0.
Asterisk 11 is the next major release series of Asterisk. It is a Long Term
Support (LTS) release, similar to Asterisk 1.8. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
For important information regarding upgrading to Asterisk 11, please see the
Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+11
A short list of new features includes:
* A new channel driver named chan_motif has been added which provides support
for Google Talk and Jingle in a single channel driver. This new channel
driver includes support for both audio and video, RFC2833 DTMF, all codecs
supported by Asterisk, hold, unhold, and ringing notification. It is also
compliant with the current Jingle specification, current Google Jingle
specification, and the original Google Talk protocol.
* Support for the WebSocket transport for chan_sip.
* SIP peers can now be configured to support negotiation of ICE candidates.
* The app_page application now no longer depends on DAHDI or app_meetme. It
has been re-architected to use app_confbridge internally.
* Hangup handlers can be attached to channels using the CHANNEL() function.
Hangup handlers will run when the channel is hung up similar to the h
extension; however, unlike an h extension, a hangup handler is associated with
the actual channel and will execute anytime that channel is hung up,
regardless of where it is in the dialplan.
* Added pre-dial handlers for the Dial and Follow-Me applications. Pre-dial
allows you to execute a dialplan subroutine on a channel before a call is
placed but after the application performing a dial action is invoked. This
means that the handlers are executed after the creation of the callee
channels, but before any actions have been taken to actually dial the callee
channels.
* Log messages can now be easily associated with a certain call by looking at
a new unique identifier, "Call Id". Call ids are attached to log messages for
just about any case where it can be determined that the message is related
to a particular call.
* Introduced Named ACLs as a new way to define Access Control Lists (ACLs) in
Asterisk. Unlike traditional ACLs defined in specific module configuration
files, Named ACLs can be shared across multiple modules.
* The Hangup Cause family of functions and dialplan applications allow for
inspection of the hangup cause codes for each channel involved in a call.
This allows a dialplan writer to determine, for each channel, who hung up and
for what reason(s).
* Two new functions have been added: FEATURE() and FEATUREMAP(). FEATURE()
lets you set some of the configuration options from the general section
of features.conf on a per-channel basis. FEATUREMAP() lets you customize
the key sequence used to activate built-in features, such as blindxfer,
and automon.
* Support for DTLS-SRTP in chan_sip.
* Support for named pickupgroups/callgroups, allowing any number of pickupgroups
and callgroups to be defined for several channel drivers.
* IPv6 Support for AMI, AGI, ExternalIVR, and the SIP Security Event Framework.
More information about the new features can be found on the Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+11+Documentation
A full list of all new features can also be found in the CHANGES file.
http://svnview.digium.com/svn/asterisk/branches/11/CHANGES
For a full list of changes in the current release, please see the ChangeLog.
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.0.0
Thank you for your continued support of Asterisk!
|
|
serial ports across platforms.
|
|
the environment's SHELL to be patched into a dozen or so installed scripts,
instead of a bourne-like shell. Needed after 1.13 of patches/patch-ab (fix
for building on Solaris). Sh scripts don't work well with /bin/tcsh...
Bump revision to recognize whether the fixed one is installed.
|
|
being buildlinked in. This ultimately fails. So buildlink it in.
Bump PKGREVISION.
|
|
LIRC is a package that supports receiving and sending IR signals of
the most common IR remote controls. It contains a daemon that decodes
and sends IR signals, a mouse daemon that translates IR signals to
mouse movements and a couple of user programs that allow you to control
your computer with a remote control.
Tested on RHEL.
|
|
AMF Packet is an extended format of AMF, and is used for Flash's HTTP based
Remote Procedure Call (known as Flash Remoting).
|
|
Redo patches to be relative to WRKDIR.
|
|
The Asterisk Development Team has announced the release of Asterisk 10.10.0.
The release of Asterisk 10.10.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Resolve issues in ConfBridge regarding marked, waitmarked, and
unmarked users
* --- dsp.c User Configurable DTMF_HITS_TO_BEGIN and
DTMF_MISSES_TO_END
* --- Fix error where improper IMAP greetings would be deleted.
* --- iax2-provision: Fix improper return on failed cache retrieval
* --- Fix T.38 support when used with chan_local in between.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.10.0
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced the release of Asterisk 1.8.18.0.
The release of Asterisk 1.8.18.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- dsp.c User Configurable DTMF_HITS_TO_BEGIN and
DTMF_MISSES_TO_END
* --- Fix error where improper IMAP greetings would be deleted.
* --- iax2-provision: Fix improper return on failed cache retrieval
* --- Fix T.38 support when used with chan_local in between.
* --- Fix an issue where media would not flow for situations where the
legacy STUN code is in use.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.18.0
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced the release of Asterisk 10.9.0.
The release of Asterisk 10.9.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Fix channel reference leak in ChanSpy.
* --- dsp.c: Fix multiple issues when no-interdigit delay is present,
and fast DTMF 50ms/50ms
* --- Fix bug where final queue member would not be removed from
memory.
* --- Fix memory leak when CEL is successfully written to PostgreSQL
database
* --- Fix DUNDi message routing bug when neighboring peer is
unreachable
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.9.0
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced the release of Asterisk 1.8.17.0.
The release of Asterisk 1.8.17.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Fix channel reference leak in ChanSpy.
* --- dsp.c: Fix multiple issues when no-interdigit delay is present,
and fast DTMF 50ms/50ms
* --- Fix bug where final queue member would not be removed from
memory.
* --- Fix memory leak when CEL is successfully written to PostgreSQL
database
* --- Fix DUNDi message routing bug when neighboring peer is
unreachable
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.17.0
Thank you for your continued support of Asterisk!
|
|
are called p5-*.
I hope that's all of them.
|
|
requested by Thomas Klausner.
|
|
This is the second attempt to fix the build problem that some people
have seen (I have received inconsistent reports). This should
force chan_mgcp to build on systems where it can. It was tested
on NetBSD 5.0, thus ensuring that it doesn't break previously
working systems; and NetBSD 6.99.7, where I finally saw the problem
that some people were reporting.
|
|
(additionally, reset PKGREVISION of qt4-* sub packages from base qt4 update)
|
|
has been removed. This is included in all existing packages and
is expected to be included in any new packages.
|
|
21st, 2012. It most likely has multiple security issues. By this
point, all users of this package should have migrated to comms/asterisk18
or comms/asterisk10 as this version has been marked as being
deprecated for some time now.
Note that this directory is likely to re-appear in late 2017 when
Asterisk 16 comes out, assuming the current schedule is followed.
However that will be a vastly different version as Asterisk 11 is
only in the RC stage now (i.e. it will be five major versions after
the one that is expected to be released later this year).
|
|
AST-2012-013, and some general bugs.
The Asterisk Development Team has announced the release of Asterisk 1.8.16.0.
The release of Asterisk 1.8.16.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
ExternalIVR
* --- AST-2012-013: Resolve ACL rules being ignored during calls by
some IAX2 peers
* --- Handle extremely out of order RFC 2833 DTMF
* --- Resolve severe memory leak in CEL logging modules.
* --- Only re-create an SRTP session when needed; respond with correct
crypto policy
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.16.0
Thank you for your continued support of Asterisk!
|
|
AST-2012-013, and some general bugs.
The Asterisk Development Team has announced the release of Asterisk 10.8.0.
The release of Asterisk 10.8.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
ExternalIVR
* --- AST-2012-013: Resolve ACL rules being ignored during calls by
some IAX2 peers
* --- Handle extremely out of order RFC 2833 DTMF
* --- Resolve severe memory leak in CEL logging modules.
* --- Only re-create an SRTP session when needed
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.8.0
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.
The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
resolves the following two issues:
* A permission escalation vulnerability in Asterisk Manager Interface. This
would potentially allow remote authenticated users the ability to execute
commands on the system shell with the privileges of the user running the
Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt
file delivered with Asterisk has been updated due to this and other related
vulnerabilities fixed in previous versions of Asterisk.
* When an IAX2 call is made using the credentials of a peer defined in a
dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
peer are not applied to the call attempt. This allows for a remote attacker
who is aware of a peer's credentials to bypass the ACL rules set for that
peer.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-012 and AST-2012-013, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.
The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
resolves the following two issues:
* A permission escalation vulnerability in Asterisk Manager Interface. This
would potentially allow remote authenticated users the ability to execute
commands on the system shell with the privileges of the user running the
Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt
file delivered with Asterisk has been updated due to this and other related
vulnerabilities fixed in previous versions of Asterisk.
* When an IAX2 call is made using the credentials of a peer defined in a
dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
peer are not applied to the call attempt. This allows for a remote attacker
who is aware of a peer's credentials to bypass the ACL rules set for that
peer.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-012 and AST-2012-013, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
Thank you for your continued support of Asterisk!
|
|
|