Posts Tagged sip
Asterisk Security Advisory – AST-2010-001: T.38 Remote Crash Vulnerability
Posted by admin in Asterisk Security Advisories, Security Advisories, asterisk, sip, t.38 on February 2, 2010
Asterisk The Open Source PBX & Telephony Platform
Asterisk Project Security Advisory - AST-2010-001
| Product | Asterisk |
| Summary | T.38 Remote Crash Vulnerability |
| Nature of Advisory | Denial of Service |
| Susceptibility | Remote unauthenticated sessions |
| Severity | Critical |
| Exploits Known | No |
| Reported On | 12/03/09 |
| Reported By | issues.asterisk.org users bklang and elsto |
| Posted On | 02/03/10 |
| Last Updated On | February 2, 2010 |
| Advisory Contact | David Vossel < dvossel AT digium DOT com > |
| CVE Name | CVE-2010-0441 |
Asterisk 1.6.0.22, Asterisk 1.6.1.14, Asterisk 1.6.2.2 Released
Posted by admin in Asterisk Security Advisories, Releases, Security Advisories, asterisk, sip, t.38 on February 2, 2010
Asterisk The Open Source PBX & Telephony Platform
The Asterisk Development Team has announced security releases for Asterisk as the following versions:
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix described in security advisory AST-2010-001.
The issue is that an attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash will occur when the FaxMaxDatagram field is omitted from the SDP, as well.
For more information about the details of this vulnerability, please read the security advisory AST-2010-001, which was released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.22
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.2
Security advisory AST-2010-001 is available at:
http://asterisk.net.ru/en/2010/02/03/asterisk-security-advisory-ast-2010-001-t-38-remote-crash-vulnerability/
Thank you for your continued support of Asterisk!
Asterisk 1.6.0.21 Now Available
Asterisk The Open Source PBX & Telephony Platform
The Asterisk Development Team has announced the release of Asterisk 1.6.0.21.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.6.0.21 resolved several issues reported by the community, and would have not been possible without your participation. Thank you!
- Fix to Monitor which previously assumed the file to write to did not contain pathing.
(Closes issue #16377, #16376. Reported by bcnit. Patched by dant. - If EXEC only gets a single argument, don’t crash when the second is used.
(Closes issue #16504. Reported by bklang. Patched by tilghman.) - Avoid a crash with large numbers of MeetMe conferences.
(Closes issue #16509. Reported by Kashif Raza. Tested, Patched by seanbright.) - Try a test compile to see if PTHREAD_ONCE_INIT requires extra braces (for Solaris 10).
(Patched by seanbright.) - Allow “REMAINDER” to function properly in expressions.
(Closes issue #16427. Reported, Patched by wdoekes.) - Shut down the SIP session timers more gracefully, in order to prevent a possible crash.
(Reported, Tested by corruptor. Patched by tilghman.) - Fix channel name comparison for Bridge() application.
(Closes issue #16528. Reported, Patched by telecos82.)
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.0.21-summary.txt
For a full list of changes in this releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.21
Thank you for your continued support of Asterisk!
Read the rest of this entry »
Asterisk 1.4.29 Now Available
Asterisk The Open Source PBX & Telephony Platform
The Asterisk Development Team has announced the release of Asterisk 1.4.29.
This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of Asterisk 1.4.29 resolved several issues reported by the community, and would have not been possible without your participation. Thank you!
- Fix to Monitor which previously assumed the file to write to did not contain pathing.
(Closes issue #16377, #16376. Reported by bcnit. Patched by dant. - Propertly set T.38 attributes and don’t return before T.38 ports are configured when T.38 is found but no audio stream is found.
(Closes issue #16318. Reported by bird_of_Luck. Tested by vrban, mihaill. Patched by vrban, mnicholson.) - Avoid crashes with large numbers of MeetMe conferences.
(Closes issue #16509. Reported by Kashif Raza. Tested, Patched by seanbright.) - Change in ’sip show channels’ display format allowing more digits for CID.
(Closes issue #16459. Reported, Patched by Rzadzins. - Revise documentation on disposition values to the actual values used.
(Closes issue #16289. Reported by wdoekes.)
A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.4.29-summary.txt
For a full list of changes in this releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29
Thank you for your continued support of Asterisk!
Read the rest of this entry »
Asterisk Security Advisory – AST-2009-005: Remote Crash Vulnerability in SIP channel driver
Posted by admin in Asterisk Security Advisories, Security Advisories, asterisk, sip on August 11, 2009
Asterisk The Open Source PBX & Telephony Platform
Additionally note that while this can crash Asterisk, execution of arbitrary code is not possible with this vector.
Upgrade Asterisk to one of the releases listed below.
|
Product |
Asterisk |
|
Summary |
Remote Crash Vulnerability in SIP channel driver |
|
Nature of Advisory |
Denial of Service |
|
Susceptibility |
Remote Unauthenticated Sessions |
|
Severity |
Critical in 1.6.1; minor in lesser versions |
|
Exploits Known |
No |
|
Reported On |
July 28, 2009 |
|
Reported By |
Nick Baggott < nbaggott AT mudynamics DOT com > |
|
Posted On |
August 10, 2009 |
|
Last Updated On |
August 10, 2009 |
|
Advisory Contact |
Tilghman Lesher < tlesher AT digium DOT com > |
|
CVE Name |
CVE-2009-2726 |
Asterisk 1.2.34, Asterisk 1.4.26.1, Asterisk 1.6.0.13, and Asterisk 1.6.1.4 released
Posted by admin in Asterisk Security Advisories, Releases, Security Advisories, asterisk on August 11, 2009
Asterisk The Open Source PBX & Telephony Platform
The Asterisk Development Team is pleased to announce the releases of 1.2.34, 1.4.26.1, 1.6.0.13, and 1.6.1.4. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
The release of 1.6.1.4 fixes a remote crash security vulnerability in the SIP stack. Although this crash was not demonstrated in any other version, the details of the vulnerability suggested the possibility that related attacks might be possible in the future. We therefore opted to release new versions of all current releases with these fixes applied. For more information about the details of this vulnerability, please read the security advisory AST-2009-005, which was released at the same time as this announcement.
In addition, Asterisk users may notice that we skipped the version numbers 1.6.0.11 and 1.6.1.3. This was intentional, in an effort to avoid confusion about what a particular release contains. Both of those version numbers had candidates for releases made, so backtracking on those changes in a release with the same version number might be confusing. Those release candidates will be reissued with additional bugfixes, as 1.6.0.14-rc1 and 1.6.1.5-rc1, respectively.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.2.34
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.26.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.13
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.4
Thank you for your continued support of Asterisk!
Asterisk 1.4.26-rc6 released
Asterisk The Open Source PBX & Telephony Platform
The Asterisk Development Team has announced the sixth release candidate of Asterisk 1.4.26. Asterisk 1.4.26-rc6 is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/
This release resolves the following issues, in addition to some minor issues:
- Properly ACK 487 responses to canceled INVITEs. Reviewboard https://reviewboard.asterisk.org/r/308
- SIP registration authorization loop caused by stale nonce (issue #15102)
- Ensure outbound NOTIFY requests are properly routed through stateful proxies
(issue #14725) - Resolve no audio on chan_dahdi calls until DTMF is sent by caller (issues #15416, #15389, #15205)
- Removed confusing warning message in chan_misdn (issue #11974)
For a full list of changes in this release candidate, please see the ChangeLog: http://svn.asterisk.org/svn/asterisk/tags/1.4.26-rc6/ChangeLog
Issues found in this release candidate can be reported at https://issues.asterisk.org
Thank you for your continued support of Asterisk!
Fax For Asterisk
T.38 fax for Asterisk
Digium’s Fax For Asterisk is a commercial facsimile (Fax) termination and origination solution designed to enhance the capabilities of Open Source and commercial Asterisk as well as Switchvox. Fax For Asterisk bundles a suite of user-friendly Asterisk applications and a licensed version of the industry’s leading fax modem software from Commetrex. Fax For Asterisk provides low speed (14400bps) PSTN faxing via DAHDI-compatible telephony boards as well as VoIP faxing to T.38-compatible SIP endpoints and service providers. Licensed on a per-channel basis, Digium’s Fax For Asterisk provides a complete, cost-effective, commercial fax solution for Asterisk users.
Fax For Asterisk provides two components: res_fax and res_fax_digium. Res_fax is an Asterisk resource module that adds fax termination and origination functionality in Asterisk. It provides Asterisk dialplan functions and dialplan applications to enable the user to build highly-customizable fax solutions. Res_fax_digium provides core fax processing functionality in the form of several supported fax modems — V.21, V.27ter, V.29, and V.17 — to achieve speeds up to 14400bps.
Asterisk says Hello to Fax
If you ask Google about faxing for Asterisk, with the search keywords asterisk and fax, and you ask Google to omit similar entries, you’ll end up with 52 pages of results.
If you ask Google how many times fax has been mentioned on an Asterisk mailing list, by setting the site parameter to lists.digium.com, then Google tells you there are 1120 utterances.
Yesterday, if you asked Digium for help in faxing documents through Asterisk, we’d have apologized and said that we didn’t offer a fax solution for Asterisk.
That was yesterday.
Today, Digium is pleased to announce Fax For Asterisk.
Fax For Asterisk is a commercial facsimile (Fax) termination and origination solution designed to enhance the capabilities of Open Source and commercial Asterisk as well as Switchvox. Fax For Asterisk bundles a suite of user-friendly Asterisk applications and a licensed version of the industry’s leading fax modem software from Commetrex. Fax For Asterisk provides low speed (14400bps) PSTN faxing via DAHDI-compatible telephony boards as well as VoIP faxing to T.38-compatible SIP endpoints and service providers. Licensed on a per-channel basis, Digium’s Fax For Asterisk provides a complete, cost-effective, commercial fax solution for Asterisk users.
Wait, I’ve forgotten something…okay, not really. There’s also Free Fax For Asterisk. Free Fax For Asterisk provides a single-channel only, per Asterisk, version of Fax For Asterisk, for free. Want to use Free Fax For Asterisk now? Visit the Digium webstore and get a license, free of charge.
