Archive for category Security Advisories
Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2 Now Available (Security Release)
Posted by admin in asterisk, Asterisk Security Releases, Security Advisories on December 8, 2011
The Asterisk Development Team has announced security releases for Asterisk 1.4, 1.6.2 and 1.8. The available security releases are released as versions 1.4.43, 1.6.2.21 and 1.8.7.2.
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of Asterisk versions 1.4.43, 1.6.2.21, and 1.8.7.2 resolves an issue with possible remote enumeration of SIP endpoints with differing NAT settings.
The release of Asterisk versions 1.6.2.21 and 1.8.7.2 resolves a remote crash possibility with SIP when the “automon” feature is enabled.
The issues and resolutions are described in the AST-2011-013 and AST-2011-014 security advisories.
For more information about the details of these vulnerabilities, please read the security advisories AST-2011-013 and AST-2011-014, which were released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
Security advisory AST-2011-013 is available at:
Security advisory AST-2011-014 is available at:
Thank you for your continued support of Asterisk!
Asterisk Security Advisories – AST-2011-013: Possible remote enumeration of SIP endpoints with differing NAT settings
Posted by admin in asterisk, Asterisk Security Advisories, Security Advisories on December 8, 2011
Asterisk Project Security Advisory - AST-2011-013
| Product | Asterisk |
| Summary | Possible remote enumeration of SIP endpoints with differing NAT settings |
| Nature of Advisory | Unauthorized data disclosure |
| Susceptibility | Remote unauthenticated sessions |
| Severity | Minor |
| Exploits Known | Yes |
| Reported On | 2011-07-18 |
| Reported By | Ben Williams |
| Posted On | |
| Last Updated On | December 8, 2011 |
| Advisory Contact | Terry Wilson <twilson@digium.com> |
| CVE Name | |
Asterisk Security Advisories – AST-2011-014: Remote crash possibility with SIP and the “automon” feature enabled
Posted by admin in asterisk, Asterisk Security Advisories, Security Advisories on December 7, 2011
Asterisk Project Security Advisory - AST-2011-014
| Product | Asterisk |
| Summary | Remote crash possibility with SIP and the “automon” feature enabled |
| Nature of Advisory | Remote crash vulnerability in a feature that is disabled by default |
| Susceptibility | Remote unauthenticated sessions |
| Severity | Moderate |
| Exploits Known | Yes |
| Reported On | November 2, 2011 |
| Reported By | Kristijan Vrban |
| Posted On | 2011-11-03 |
| Last Updated On | December 7, 2011 |
| Advisory Contact | Terry Wilson <twilson@digium.com> |
| CVE Name | |
Asterisk Security Advisories – AST-2011-012: Remote crash vulnerability in SIP channel driver
Posted by admin in asterisk, Asterisk Security Releases, Security Advisories on October 17, 2011
Asterisk Project Security Advisory – AST-2011-012
| Product | Asterisk |
| Summary | Remote crash vulnerability in SIP channel |
| Nature of Advisory | Remote crash |
| Susceptibility | Remote authenticated sessions |
| Severity | Critical |
| Exploits Known | No |
| Reported On | October 4, 2011 |
| Reported By | Ehsan Foroughi |
| Posted On | October 17, 2011 |
| Last Updated On | October 17, 2011 |
| Advisory Contact | Terry Wilson <twilson@digium.com> |
| CVE Name | |
Asterisk 1.8.7.1 now available (Security Release)
Posted by admin in asterisk, Asterisk Security Releases, Security Advisories on October 17, 2011
The Asterisk Development Team has announced a security release for Asterisk 1.8.
The available security release is released as version 1.8.7.1.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can lead to a remotely exploitable crash:
Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
The issue and resolution are described in the AST-2011-012 security advisory.
For more information about the details of this vulnerability, please read the security advisory AST-2011-012, which was released at the same time as this announcement.
For a full list of changes in the current release, please see the ChangeLog:
Security advisory AST-2011-012 is available at:
Thank you for your continued support of Asterisk!
Asterisk 1.4.41.2, Asterisk 1.6.2.18.2, Asterisk 1.8.4.4 Now Available (Security Release)
Posted by admin in asterisk, Asterisk Security Releases, Security Advisories, sip on June 28, 2011
The Asterisk Development Team has announced the release of Asterisk versions 1.4.41.2, 1.6.2.18.2, and 1.8.4.4, which are security releases.
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of Asterisk 1.4.41.2, 1.6.2.18.2, and 1.8.4.4 resolves the following issue:
- AST-2011-011: Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system.
For more information about the details of this vulnerability, please read the security advisory AST-2011-011, which was released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
Security advisory AST-2011-011 is available at:
Thank you for your continued support of Asterisk!
Asterisk Security Advisories – AST-2011-011: Possible enumeration of SIP users due to differing authentication responses
Posted by admin in asterisk, Asterisk Security Advisories, Security Advisories, sip on June 28, 2011
Asterisk Project Security Advisory - AST-2011-011
| Product | Asterisk |
| Summary | Possible enumeration of SIP users due to differing authentication responses |
| Nature of Advisory | Unauthorized data disclosure |
| Susceptibility | Remote unauthenticated sessions |
| Severity | Moderate |
| Exploits Known | No |
| Reported On | June 11, 2011 |
| Reported By | |
| Posted On | June 28, 2011 |
| Last Updated On | June 28, 2011 |
| Advisory Contact | Terry Wilson <twilson@digium.com> |
| CVE Name | CVE-2011-2536 |
Asterisk 1.4.39.2, Asterisk 1.6.1.22, Asterisk 1.6.2.16.2 and Asterisk 1.8.2.4 Now Available
Posted by admin in asterisk, Asterisk Security Releases, Security Advisories, t.38 on February 22, 2011
The Asterisk Development Team has announced security releases for Asterisk branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an issue in which, when decoding UDPTL packets, multiple stack- and heap-based arrays can be made to overflow by specially crafted packets. Systems doing T.38 pass through or termination are vulnerable. The issue and resolution are described in the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the security advisory AST-2011-002, which was released at the same time as this announcement.
For a full list of changes in the current release, please see the ChangeLog:
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
Security advisory AST-2011-002 is available at:
Thank you for your continued support of Asterisk!
Asterisk Security Advisory – AST-2011-002: Multiple array overflow and crash vulnerabilities in UDPTL code
Posted by admin in asterisk, Asterisk Security Advisories, Security Advisories, t.38 on February 22, 2011
| Product | Asterisk |
| Summary | Multiple array overflow and crash vulnerabilities in UDPTL code |
| Nature of Advisory | Exploitable Stack and Heap Array Overflows |
| Susceptibility | Remote Unauthenticated Sessions |
| Severity | Critical |
| Exploits Known | No |
| Reported On | January 27, 2011 |
| Reported By | Matthew Nicholson |
| Posted On | February 21, 2011 |
| Last Updated On | February 22, 2011 |
| Advisory Contact | Matthew Nicholson <mnicholson@digium.com> |
| CVE Name | |
| Description | When decoding UDPTL packets, multiple stack and heap based arrays can be made to overflow by specially crafted packets. Systems configured for T.38 pass through or termination are vulnerable. |
Asterisk 1.8.2.2 Now Available (Security Release)
Posted by admin in asterisk, Asterisk Security Releases on January 20, 2011
The Asterisk Development Team has announced a release for the security issue described in AST-2011-001.
Due to a failed merge, Asterisk 1.8.2.1, which should have included the security fix, did not. Asterisk 1.8.2.2 contains the changes which should have been included in Asterisk 1.8.2.1.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2, 1.8.1.2, and 1.8.2.2 resolve an issue in which forming an outgoing SIP request while in pedantic mode can cause a stack buffer to overflow if the request is built from carefully crafted caller ID information. The issue and resolution are described in the AST-2011-001 security advisory.
For more information about the details of this vulnerability, please read the security advisory AST-2011-001, which was released at the same time as this announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-…
Security advisory AST-2011-001 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-001.pdf
Thank you for your continued support of Asterisk!
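As an added example (not code from the Asterisk project), the following Python encodes the fixed-in versions stated in the release announcements on this page and reports which of those fixes an installed Asterisk version lacks, including the 1.8.2.1 failed-merge case. The branch list and the release-number/patch-level reading of the version scheme are assumptions, not something the announcements spell out.

```python
# Added example, not Asterisk project code: check an installed Asterisk
# version against the fixed-in versions stated in the announcements above.
# Assumption: a branch (1.4, 1.6.1, 1.6.2, 1.8) publishes numbered releases
# (1.6.2.16) and patch levels on top of them (1.6.2.16.2).

# Fixed-in versions per advisory, copied from the release announcements.
FIXED_IN = {
    "AST-2011-001": ["1.4.38.1", "1.4.39.1", "1.6.1.21", "1.6.2.15.1",
                     "1.6.2.16.2", "1.8.1.2", "1.8.2.2"],
    "AST-2011-002": ["1.4.39.2", "1.6.1.22", "1.6.2.16.2", "1.8.2.4"],
    "AST-2011-011": ["1.4.41.2", "1.6.2.18.2", "1.8.4.4"],
    "AST-2011-012": ["1.8.7.1"],
    "AST-2011-013": ["1.4.43", "1.6.2.21", "1.8.7.2"],
    "AST-2011-014": ["1.6.2.21", "1.8.7.2"],
}
BRANCHES = [(1, 6, 1), (1, 6, 2), (1, 4), (1, 8)]  # branches named above


def parse(version):
    """Return (branch, release_line, patch_level) for a version string."""
    parts = tuple(int(p) for p in version.split("."))
    for branch in BRANCHES:
        if parts[:len(branch)] == branch:
            n = len(branch) + 1          # branch plus the release number
            return branch, parts[:n], parts[n:]
    raise ValueError("unknown Asterisk branch: %s" % version)


def is_fixed(installed, advisory):
    """True/False if the fix is/is not present; None if the advisory lists
    no fix for this branch (e.g. AST-2011-012 only names 1.8.7.1)."""
    branch, line, patch = parse(installed)
    fixes = [(ln, p) for b, ln, p in map(parse, FIXED_IN[advisory])
             if b == branch]
    if not fixes:
        return None
    for fix_line, fix_patch in fixes:
        # Same numbered release as a fix: the patch level decides, so
        # 1.8.2.1 (the failed merge noted above) is reported as unfixed.
        if line == fix_line:
            return patch >= fix_patch
    # A numbered release newer than the newest fix inherits it.
    return line > max(fix_line for fix_line, _ in fixes)


def missing_fixes(installed):
    """Advisories from this page whose fix `installed` does not carry."""
    return sorted(a for a in FIXED_IN if is_fixed(installed, a) is False)


if __name__ == "__main__":
    for v in ("1.8.2.1", "1.6.2.18.1", "1.8.7.1", "1.4.43"):
        print(v, "missing:", missing_fixes(v) or "none")
```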
