Posts Tagged asterisk
Asterisk Security Advisory – AST-2010-001: T.38 Remote Crash Vulnerability
Posted by admin in Asterisk Security Advisories, Security Advisories, asterisk, sip, t.38 on February 2, 2010
Asterisk Project Security Advisory - AST-2010-001
| Product | Asterisk |
| Summary | T.38 Remote Crash Vulnerability |
| Nature of Advisory | Denial of Service |
| Susceptibility | Remote unauthenticated sessions |
| Severity | Critical |
| Exploits Known | No |
| Reported On | 12/03/09 |
| Reported By | issues.asterisk.org users bklang and elsto |
| Posted On | 02/03/10 |
| Last Updated On | February 2, 2010 |
| Advisory Contact | David Vossel < dvossel AT digium DOT com > |
| CVE Name | CVE-2010-0441 |
Asterisk 1.6.0.22, Asterisk 1.6.1.14, Asterisk 1.6.2.2 Released
Posted by admin in Asterisk Security Advisories, Releases, Security Advisories, asterisk, sip, t.38 on February 2, 2010
The Asterisk Development Team has announced security releases for Asterisk as the following versions: 1.6.0.22, 1.6.1.14, and 1.6.2.2.
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix described in security advisory AST-2010-001.
The issue is that an attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or an exceptionally large value. The same crash also occurs when the FaxMaxDatagram field is omitted from the SDP.
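The three inputs named above (negative, exceptionally large, omitted) can all be handled by one validation step before the value is used. The following is an added example, not code from Asterisk or from the advisory. It assumes the `a=T38FaxMaxDatagram:` attribute spelling used in T.38 SDP; the function name `t38_max_datagram`, the ceiling and the default are hypothetical choices made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy values for this example, not taken from Asterisk. */
#define T38_DGRAM_MAX     1400  /* assumed ceiling: one UDP packet */
#define T38_DGRAM_DEFAULT 400   /* assumed size when the peer sends none */

/* Return the datagram size to use for an SDP body, always in
 * [1, T38_DGRAM_MAX], or 0 when the offered value must be refused. */
long t38_max_datagram(const char *sdp)
{
    static const char key[] = "a=T38FaxMaxDatagram:";
    const char *line, *val;
    char *end;
    long n;

    for (line = sdp; line; line = strchr(line, '\n')) {
        line += (*line == '\n');  /* step past the previous line break */
        if (strncmp(line, key, sizeof(key) - 1) != 0)
            continue;
        val = line + sizeof(key) - 1;
        errno = 0;
        n = strtol(val, &end, 10);
        /* Refuse signs and blanks, overflow, trailing junk, out of range. */
        if (!isdigit((unsigned char)*val) || errno == ERANGE ||
            (*end != '\0' && *end != '\r' && *end != '\n') ||
            n < 1 || n > T38_DGRAM_MAX)
            return 0;
        return n;
    }
    return T38_DGRAM_DEFAULT;  /* attribute omitted */
}

int main(void)
{
    /* Constructed SDP fragments: valid, negative, oversized, omitted. */
    const char *sdp[] = {
        "m=image 4000 udptl t38\r\na=T38FaxMaxDatagram:400\r\n",
        "m=image 4000 udptl t38\r\na=T38FaxMaxDatagram:-1\r\n",
        "m=image 4000 udptl t38\r\na=T38FaxMaxDatagram:4294967296\r\n",
        "m=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n",
    };
    for (int i = 0; i < 4; i++)
        printf("case %d -> %ld\n", i, t38_max_datagram(sdp[i]));
    return 0;
}
```

A return of 0 means the caller should decline the T.38 offer rather than size anything from the peer's number.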
For more information about the details of this vulnerability, please read the security advisory AST-2010-001, which was released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.22
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.2
Security advisory AST-2010-001 is available at:
http://asterisk.net.ru/en/2010/02/03/asterisk-security-advisory-ast-2010-001-t-38-remote-crash-vulnerability/
Thank you for your continued support of Asterisk!
Asterisk 1.6.2.1 Now Available
The Asterisk Development Team has announced the release of Asterisk 1.6.2.1.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.6.2.1 resolved several issues reported by the community, and would not have been possible without your participation. Thank you!
- CLI ‘queue show’ formatting fix.
  (Closes issue #16078. Reported by RoadKill. Tested by dvossel. Patched by ppyy.)
- Fix misreverting from 177158.
  (Closes issue #15725. Reported, Tested by shanermn. Patched by dimas.)
- Fixes subscriptions being lost after ‘module reload’.
  (Closes issue #16093. Reported by jlaroff. Patched by dvossel.)
- app_queue segfaults if realtime field uniqueid is NULL
  (Closes issue #16385. Reported, Tested, Patched by haakon.)
- Fix to Monitor which previously assumed the file to write to did not contain pathing.
  (Closes issue #16377, #16376. Reported by bcnit. Patched by dant.)
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.2.1-summary.txt
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.1
Thank you for your continued support of Asterisk!
Asterisk 1.6.1.13 Now Available
The Asterisk Development Team has announced the release of Asterisk 1.6.1.13.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.6.1.13 resolved several issues reported by the community, and would not have been possible without your participation. Thank you!
- Restarts busydetector (if enabled) when DTMF is received after call is bridged
  (Closes issue #16389. Reported, Tested, Patched by alecdavis.)
- Send parking lot announcement to the channel which parked the call, not the park-ee.
  (Closes issue #16234. Reported, Tested by yeshuawatso. Patched by tilghman.)
- When the field is blank, don’t warn about the field being unable to be coerced; just skip the column.
  (Closes http://lists.digium.com/pipermail/asterisk-dev/2009-December/041362.html) (Reported by Nic Colledge on the -dev list.)
- Don’t queue frames to channels that have no means to process them.
  (Closes issue #15609. Reported, Tested by aragon. Patched by tilghman.)
- Fixes holdtime playback issue in app_queue.
  (Closes issue #16168. Reported, Patched by nickilo. Tested by wonderg, nickilo.)
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.1.13-summary.txt
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.13
Thank you for your continued support of Asterisk!
Asterisk 1.6.0.21 Now Available
The Asterisk Development Team has announced the release of Asterisk 1.6.0.21.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.6.0.21 resolved several issues reported by the community, and would not have been possible without your participation. Thank you!
- Fix to Monitor which previously assumed the file to write to did not contain pathing.
  (Closes issue #16377, #16376. Reported by bcnit. Patched by dant.)
- If EXEC only gets a single argument, don’t crash when the second is used.
  (Closes issue #16504. Reported by bklang. Patched by tilghman.)
- Avoid a crash with large numbers of MeetMe conferences.
  (Closes issue #16509. Reported by Kashif Raza. Tested, Patched by seanbright.)
- Try a test compile to see if PTHREAD_ONCE_INIT requires extra braces (for Solaris 10).
  (Patched by seanbright.)
- Allow “REMAINDER” to function properly in expressions.
  (Closes issue #16427. Reported, Patched by wdoekes.)
- Shut down the SIP session timers more gracefully, in order to prevent a possible crash.
  (Reported, Tested by corruptor. Patched by tilghman.)
- Fix channel name comparison for Bridge() application.
  (Closes issue #16528. Reported, Patched by telecos82.)
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.0.21-summary.txt
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.21
Thank you for your continued support of Asterisk!
Asterisk 1.4.29 Now Available
The Asterisk Development Team has announced the release of Asterisk 1.4.29.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.4.29 resolved several issues reported by the community, and would not have been possible without your participation. Thank you!
- Fix to Monitor which previously assumed the file to write to did not contain pathing.
  (Closes issue #16377, #16376. Reported by bcnit. Patched by dant.)
- Properly set T.38 attributes and don’t return before T.38 ports are configured when T.38 is found but no audio stream is found.
  (Closes issue #16318. Reported by bird_of_Luck. Tested by vrban, mihaill. Patched by vrban, mnicholson.)
- Avoid crashes with large numbers of MeetMe conferences.
  (Closes issue #16509. Reported by Kashif Raza. Tested, Patched by seanbright.)
- Change in ‘sip show channels’ display format allowing more digits for CID.
  (Closes issue #16459. Reported, Patched by Rzadzins.)
- Revise documentation on disposition values to the actual values used.
  (Closes issue #16289. Reported by wdoekes.)
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.4.29-summary.txt
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29
Thank you for your continued support of Asterisk!
Asterisk 1.4.29-rc1, Asterisk 1.6.0.21-rc1, Asterisk 1.6.1.13-rc1, Asterisk 1.6.2.1-rc1 Released
Posted by admin in Release Candidates, asterisk on January 11, 2010
The Asterisk Development Team has announced release candidates (RC1) for Asterisk versions 1.4.29, 1.6.0.21, 1.6.1.13, and 1.6.2.1. These release candidates are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release candidates address issues that were reported by the community and resolved since the last round of bug fix releases.
For a full list of changes in the current release candidates, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29-rc1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.21-rc1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.13-rc1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.1-rc1
For a summary of the issues found in these release candidates, please see the summary files:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.4.29-rc1-summary.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.0.21-rc1-summary.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.1.13-rc1-summary.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.2.1-rc1-summary.html
Issues found in any of these release candidates should be reported to the Asterisk issue tracker at http://issues.asterisk.org
Thank you for your continued support of Asterisk!
Fax For Asterisk 1.1.6 Release Announcement
Digium is pleased to announce the release of version 1.1.6 of its Fax For Asterisk product, a commercial grade FAX add-on module for open source Asterisk.
This release contains a number of significant improvements, including:
- Support for 64-bit Linux installations.
- Reduction in resource consumption, and increase in performance, of T.38 session handling.
- Simplification of session handling during transition from G.711 to T.38 mode.
- Adoption of the latest Asterisk T.38 negotiation API, ensuring interoperability with a wide range of T.38 endpoints.
Version 1.1.6 of Fax For Asterisk is available for immediate download at http://www.digium.com/en/docs/FAX/faa-download.php. Note that because this release uses the very latest T.38 negotiation mechanism in Asterisk, it is not compatible with all released versions of Asterisk. The Fax For Asterisk download selector lists the Asterisk versions supported by this release.
For more information about Fax For Asterisk, please visit the product page.
Thank you for your support!
Asterisk 1.6.0.20 Now Available
The Asterisk Development Team has announced the release of Asterisk 1.6.0.20.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.6.0.20 resolved several issues reported by the community, and would not have been possible without your participation. Thank you!
- clarify requirecalltoken option in iax.sample.conf (closes issue #16223), reported, patched by: bklang
- Prevent double closing of FDs by EIVR (closes issue #16305), reported by: diLLec, patched, tested by: thedavidfactor
- Fix multiple issues with musiconhold, which led to classes not getting destroyed properly. (closes issues #16279, #16207), reported by: parisioa, dcabot, patched by: tilghman, tested by: parisioa, tilghman
- Send ack (response/message) after receiving manager action userevent (closes issue #16264), reported, patched by: dimas
- Make manager response to “Action: events” finish with empty line (closes issue #16275), reported, patched by: vnovy
This release also contains significant improvements to T.38 support. Anyone who has tried T.38 faxing in the past should try again as most problems should now be resolved.
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.0.20-summary.txt
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.20
Thank you for your continued support of Asterisk!
Asterisk 1.4.27, Asterisk 1.6.0.18 and Asterisk 1.6.1.10 released
The Asterisk Development Team is pleased to announce the release of Asterisk 1.4.27, 1.6.0.18, and 1.6.1.10. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
These releases resolve a large assortment of issues reported by the community.
For a summary of the changes in these releases, please see the release summaries:
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.4.27-summary.html
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.6.0.18-summary.html
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.6.1.10-summary.html
For a full list of changes in these releases, please see the ChangeLogs:
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.27
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.0.18
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.10
The following issues, a non-exhaustive list, were resolved with the participation of the community, and this release would not have been possible without your help!
- Seg fault in chan_local – local_pvt_destroy
  (closes issue #15314. Reported by sroberts. Tested by davidw, lottc. Patch by davidw.)
- T.38 reinvite started from Asterisk
  (closes issue #15373. Reported by dcolombo. Tested by dcolombo, mbrancaleoni. Patch by mbrancaleoni.)
- manager keeps creating /tmp/ast-ami-XXXXXX files (without deleting) when a single manager client remains logged in
  (closes issue #15730. Reported by zmehmood. Tested by zmehmood. Patch by junky.)
- BASE64_DECODE() adds garbage at end of decoded string
  (closes issue #15271. Reported by chappell. Tested by kobaz. Patch by chappell.)
- Fix ExternalIVR Documentation in 1.4
  (closes issue #16220. Reported and patched by thedavidfactor.)
Thank you for your continued support of Asterisk!

