Asterisk The Open Source PBX & Telephony Platform

The Asterisk Development Team has announced security releases for Asterisk as the following versions:

• 1.6.0.22
• 1.6.1.14
• 1.6.2.2

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix described in security advisory AST-2010-001.

The issue is that an attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash will occur when the FaxMaxDatagram field is omitted from the SDP, as well.

For more information about the details of this vulnerability, please read the security advisory AST-2010-001, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

• http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.22
• http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
• http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.2

Security advisory AST-2010-001 is available at:
http://asterisk.net.ru/en/2010/02/03/asterisk-security-advisory-ast-2010-001-t-38-remote-crash-vulnerability/

Thank you for your continued support of Asterisk!