Update to 2.6.2.
This update disables the SSLv3 to address the POODLE vulnerability.
Category Archives: Fedora
Fedora – Security Updates
Fedora EPEL 5 Security Update: rubygem-actionpack-2.3.18-1.el5,rubygem-activerecord-2.3.18-1.el5,rubygem-activesupport-2.3.18-1.el5
Resolved Bugs
677626 – CVE-2011-0446 rubygem-actionpack: Multiple XSS flaws via crafted name or email value in the mail_to_helper
677629 – CVE-2011-0446 CVE-2011-0447 rubygem-actionpack various flaws [epel-5]
677631 – CVE-2011-0447 rubygem-actionpack: CSRF flaws due improper validation of HTTP headers containing X-Requested-With header
731435 – CVE-2011-2932 rubygem-activesupport: XSS vulnerability in escaping function (Ruby on Rails)
731438 – CVE-2011-2930 rubygem-activerecord: SQL injection vulnerability in quote_table_name (Ruby on Rails)
731450 – rubygem-activesupport: XSS vulnerability in escaping function (Ruby on Rails) [epel-5]
731453 – rubygem-activerecord: SQL injection vulnerability in quote_table_name (Ruby on Rails) [epel-5]
744706 – CVE-2010-3933 rubygem-activerecord: Improper nested attributes management
831583 – CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661) [epel-5]
843924 – CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest [epel-5]
847202 – CVE-2012-3463 CVE-2012-3464 CVE-2012-3465 CVE-2013-0156 rubygem-actionpack various flaws [epel-5]
891468 – CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection [epel-5]
905373 – CVE-2013-0333 rubygem-activesupport: json to yaml parsing [epel-5]
921329 – CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
924297 – CVE-2013-1855 CVE-2013-1857 rubygem-actionpack various flaws [epel-5]
924318 – CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability [epel-5]
948706 – CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected [epel-5]
1095122 – CVE-2014-0130 rubygem-actionpack: Ruby on Rails: directory traversal issue [epel-5]
1095125 – CVE-2014-0130 rubygem-activerecord: Ruby on Rails: directory traversal issue [epel-5]<br
Rebase to 2.3.18 in EPEL5. This is a security rollup.
– Bug 1095122 – CVE-2014-0130
– Bug 1095125 – CVE-2014-0130
– Bug 677626 – CVE-2011-0446
– Bug 677629 – CVE-2011-0446, CVE-2011-0447
– Bug 677631 – CVE-2011-0447
– Bug 731435 – CVE-2011-2932
– Bug 731438 – CVE-2011-2930
– Bug 731450 – CVE-2011-2932
– Bug 731453 – CVE-2011-2930
– Bug 744706 – CVE-2010-3933
– Bug 831583 – CVE-2012-2695
– Bug 843924 – CVE-2012-3424
– Bug 847202 – CVE-2013-0156
– Bug 891468 – CVE-2012-5664
– Bug 905373 – CVE-2013-0333
– Bug 921329 – CVE-2013-1854
– Bug 924297 – CVE-2013-1855, CVE-2013-1857
– Bug 924318 – CVE-2013-1854
– Bug 948706 – CVE-2013-0276
Fedora EPEL 6 Security Update: phpMyAdmin-4.0.10.5-1.el6
Resolved Bugs
1155362 – CVE-2014-8326 phpmyadmin: cross-site scripting (XSS) flaw fixed in versions 4.0.10.5, 4.1.14.6, and 4.2.10.1 (PMASA-2014-12)
1155366 – CVE-2014-8326 phpmyadmin: cross-site scripting (XSS) flaw fixed in versions 4.0.10.5, 4.1.14.6, and 4.2.10.1 (PMASA-2014-12) [epel-6]<br
phpMyAdmin 4.0.10.5 (2014-10-21)
================================
– [security] XSS in debug SQL output
– [security] XSS in monitor query analyzer
Fedora EPEL 7 Security Update: phpMyAdmin-4.2.10.1-1.el7
Resolved Bugs
1155272 – phpMyAdmin-4.2.10.1 is available
1155362 – CVE-2014-8326 phpmyadmin: cross-site scripting (XSS) flaw fixed in versions 4.0.10.5, 4.1.14.6, and 4.2.10.1 (PMASA-2014-12)
1155367 – CVE-2014-8326 phpmyadmin: cross-site scripting (XSS) flaw fixed in versions 4.0.10.5, 4.1.14.6, and 4.2.10.1 (PMASA-2014-12) [epel-7]<br
phpMyAdmin 4.2.10.1 (2014-10-21)
================================
– [security] XSS in debug SQL output
– [security] XSS in monitor query analyzer
Fedora EPEL 6 Security Update: asterisk-1.8.31.1-1.el6
Resolved Bugs
1154895 – asterisk vulnerable to CVE-2014-3566/POODLE (AST-2014-011)<br
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.31.1-1:
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
11.13.1, 12.6.1, and 13.0.0-beta3.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerability:
* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.
These issues have been resolved in the versions released in conjunction with
this security advisory.
For more information about the details of this vulnerability, please read
security advisory AST-2014-011, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2014-011.pdf
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.31.0-1:
The Asterisk Development Team has announced the release of Asterisk 1.8.31.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 1.8.31.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-24032 – Gentoo compilation emits warning:
“_FORTIFY_SOURCE” redefined (Reported by Kilburn)
* ASTERISK-24225 – Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 – [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-24019 – When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-24211 – testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 – SIP debugs do not stop (Reported by Avinash
Mohod)
Improvements made in this release:
———————————–
* ASTERISK-24171 – [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.30.0-1:
The Asterisk Development Team has announced the release of Asterisk 1.8.30.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 1.8.30.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-23911 – URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23814 – No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 – [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 – [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 – Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
Improvements made in this release:
———————————–
* ASTERISK-21178 – Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.30.0
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.29.0-1:
The Asterisk Development Team has announced the release of Asterisk 1.8.29.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 1.8.29.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-22551 – Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23582 – [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 – AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 – ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki CÃvico)
* ASTERISK-23683 – #includes – wildcard character in a path more
than one directory deep – results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 – autoservice thread doesn’t exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23814 – No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-23673 – Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 – DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 – [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23667 – features.conf.sample is unclear as to which
options can or cannot be set in the general section (Reported by
David Brillert)
* ASTERISK-23790 – [patch] – SIP From headers longer than 256
characters result in dropped call and ‘No closing bracket’
warnings. (Reported by uniken1)
* ASTERISK-23908 – [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 – refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 – REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23984 – Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 – [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
Improvements made in this release:
———————————–
* ASTERISK-23564 – [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23492 – Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.29.0
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.28.2-1:
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
releases are released as versions 1.8.15-cert7, 11.6-cert4, 1.8.28.2, 11.10.2,
and 12.3.2.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
These releases resolve security vulnerabilities that were previously fixed in
1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1. Unfortunately, the fix
for AST-2014-007 inadvertently introduced a regression in Asterisk’s TCP and TLS
handling that prevented Asterisk from sending data over these transports. This
regression and the security vulnerabilities have been fixed in the versions
specified in this release announcement.
The security patches for AST-2014-007 have been updated with the fix for the
regression, and are available at http://downloads.asterisk.org/pub/security
Please note that the release of these versions resolves the following security
vulnerabilities:
* AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe
Framework
* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
Shell Access
* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections
* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,
which were released with the previous versions that addressed these
vulnerabilities.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert4
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.2
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-008.pdf
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.28.1-1:
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1,
and 12.3.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following issue:
* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections
Establishing a TCP or TLS connection to the configured HTTP or HTTPS port
respectively in http.conf and then not sending or completing a HTTP request
will tie up a HTTP session. By doing this repeatedly until the maximum number
of open HTTP sessions is reached, legitimate requests are blocked.
Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the
following issue:
* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
Shell Access
Manager users can execute arbitrary shell commands with the MixMonitor manager
action. Asterisk does not require system class authorization for a manager
user to use the MixMonitor action, so any manager user who is permitted to use
manager commands can potentially execute shell commands as the user executing
the Asterisk process.
Additionally, the release of 12.3.1 resolves the following issues:
* AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe
Framework
A remotely exploitable crash vulnerability exists in the PJSIP channel
driver’s pub/sub framework. If an attempt is made to unsubscribe when not
currently subscribed and the endpoint’s âsub_min_expiryâ is set to zero,
Asterisk tries to create an expiration timer with zero seconds, which is not
allowed, so an assertion raised.
* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
When a SIP transaction timeout caused a subscription to be terminated, the
action taken by Asterisk was guaranteed to deadlock the thread on which SIP
requests are serviced. Note that this behavior could only happen on
established subscriptions, meaning that this could only be exploited if an
attacker bypassed authentication and successfully subscribed to a real
resource on the Asterisk server.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,
which were released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-008.pdf
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.28.0-1:
The Asterisk Development Team has announced the release of Asterisk 1.8.28.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 1.8.28.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-23547 – [patch] app_queue removing callers from queue
when reloading (Reported by Italo Rossi)
* ASTERISK-22846 – testsuite: masquerade super test fails on all
branches (still) (Reported by Matt Jordan)
* ASTERISK-23546 – CB_ADD_LEN does not do what you’d think
(Reported by Walter Doekes)
* ASTERISK-23620 – Code path in app_stack fails to unlock list
(Reported by Bradley Watkins)
* ASTERISK-18331 – app_sms failure (Reported by David Woodhouse)
* ASTERISK-19465 – P-Asserted-Identity Privacy (Reported by
Krzysztof Chmielewski)
* ASTERISK-23707 – Realtime Contacts: Apparent mismatch between
PGSQL database state and Asterisk state (Reported by Mark
Michelson)
* ASTERISK-23665 – Wrong mime type for codec H263-1998 (h263+)
(Reported by Guillaume Maudoux)
* ASTERISK-22977 – chan_sip+CEL: missing ANSWER and PICKUP event
for INVITE/w/replaces pickup (Reported by Walter Doekes)
* ASTERISK-23709 – Regression in Dahdi/Analog/waitfordialtone
(Reported by Steve Davies)
* ASTERISK-23650 – Intermittent segfault in string functions
(Reported by Roel van Meer)
Improvements made in this release:
———————————–
* ASTERISK-23754 – [patch] Use var/lib directory for log file
configured in asterisk.conf (Reported by Igor Goncharovsky)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.28.0
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.27.0-1:
The Asterisk Development Team has announced the release of Asterisk 1.8.27.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 1.8.27.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-22790 – check_modem_rate() may return incorrect rate
for V.27 (Reported by Paolo Compagnini)
* ASTERISK-23061 – [Patch] ‘textsupport’ setting not mentioned in
sip.conf.sample (Reported by Eugene)
* ASTERISK-23028 – [patch] Asterisk man pages contains unquoted
minus signs (Reported by Jeremy Lainé)
* ASTERISK-23046 – Custom CDR fields set during a GoSUB called
from app_queue are not inserted (Reported by Denis Pantsyrev)
* ASTERISK-23027 – [patch] Spelling typo “transfered” instead of
“transferred” (Reported by Jeremy Lainé)
* ASTERISK-23008 – Local channels loose CALLERID name when DAHDI
channel connects (Reported by Michael Cargile)
* ASTERISK-23100 – [patch] In chan_mgcp the ident in transmitted
request and request queue may differ – fix for locking (Reported
by adomjan)
* ASTERISK-22988 – [patch]T38 , SIP 488 after Rejecting image
media offer due to invalid or unsupported syntax (Reported by
adomjan)
* ASTERISK-22861 – [patch]Specifying a null time as parameter to
GotoIfTime or ExecIfTime causes segmentation fault (Reported by
Sebastian Murray-Roberts)
* ASTERISK-17837 – extconfig.conf – Maximum Include level (1)
exceeded (Reported by pz)
* ASTERISK-22662 – Documentation fix? – queues.conf says
persistentmembers defaults to yes, it appears to lie (Reported
by Rusty Newton)
* ASTERISK-23134 – [patch] res_rtp_asterisk port selection cannot
handle selinux port restrictions (Reported by Corey Farrell)
* ASTERISK-23220 – STACK_PEEK function with no arguments causes
crash/core dump (Reported by James Sharp)
* ASTERISK-19773 – Asterisk crash on issuing Asterisk-CLI ‘reload’
command multiple times on cli_aliases (Reported by Joel Vandal)
* ASTERISK-22757 – segfault in res_clialiases.so on reload when
mapping “module reload” command (Reported by Gareth Blades)
* ASTERISK-17727 – [patch] TLS doesn’t get all certificate chain
(Reported by LN)
* ASTERISK-23178 – devicestate.h: device state setting functions
are documented with the wrong return values (Reported by
Jonathan Rose)
* ASTERISK-23297 – Asterisk 12, pbx_config.so segfaults if
res_parking.so is not loaded, or if res_parking.conf has no
configuration (Reported by CJ Oster)
* ASTERISK-23069 – Custom CDR variable not recorded when set in
macro called from app_queue (Reported by Bryan Anderson)
* ASTERISK-19499 – ConfBridge MOH is not working for transferee
after attended transfer (Reported by Timo Teräs)
* ASTERISK-23261 – [patch]Output mixup in
${CHANNEL(rtpqos,audio,all)} (Reported by rsw686)
* ASTERISK-23260 – [patch]ForkCDR v option does not keep CDR
variables for subsequent records (Reported by zvision)
* ASTERISK-23141 – Asterisk crashes on Dial(), in
pbx_find_extension at pbx.c (Reported by Maxim)
* ASTERISK-23231 – Since 405693 If we have res_fax.conf file set
to minrate=2400, then res_fax refuse to load (Reported by David
Brillert)
* ASTERISK-23135 – Crash – segfault in ast_channel_hangupcause_set
– probably introduced in 11.7.0 (Reported by OK)
* ASTERISK-23323 – [patch]chan_sip: missing p->owner checks in
handle_response_invite (Reported by Walter Doekes)
* ASTERISK-23382 – [patch]Build System: make -qp can corrupt
menuselect-tree and related files (Reported by Corey Farrell)
* ASTERISK-23406 – [patch]Fix typo in “sip show peer” (Reported by
ibercom)
* ASTERISK-23310 – bridged channel crashes in bridge_p2p_rtp_write
(Reported by Jeremy Lainé)
* ASTERISK-23104 – Specifying the SetVar AMI without a Channel
cause Asterisk to crash (Reported by Joel Vandal)
* ASTERISK-23383 – Wrong sense test on stat return code causes
unchanged config check to break with include files. (Reported by
David Woolley)
* ASTERISK-17523 – Qualify for static realtime peers does not work
(Reported by Maciej Krajewski)
* ASTERISK-21406 – [patch] chan_sip deadlock on monlock between
unload_module and do_monitor (Reported by Corey Farrell)
* ASTERISK-23373 – [patch]Security: Open FD exhaustion with
chan_sip Session-Timers (Reported by Corey Farrell)
* ASTERISK-23340 – Security Vulnerability: stack allocation of
cookie headers in loop allows for unauthenticated remote denial
of service attack (Reported by Matt Jordan)
* ASTERISK-23488 – Logic error in callerid checksum processing
(Reported by Russ Meyerriecks)
* ASTERISK-20841 – fromdomain not honored on outbound INVITE
request (Reported by Kelly Goedert)
* ASTERISK-22079 – Segfault: INTERNAL_OBJ (user_data=0x6374652f)
at astobj2.c:120 (Reported by Jamuel Starkey)
* ASTERISK-23509 – [patch]SayNumber for Polish language tries to
play empty files for numbers divisible by 100 (Reported by
zvision)
* ASTERISK-23391 – Audit dialplan function usage of channel
variable (Reported by Corey Farrell)
* ASTERISK-23548 – POST to ARI sometimes returns no body on
success (Reported by Scott Griepentrog)
Improvements made in this release:
———————————–
* ASTERISK-22980 – [patch]Allow building cdr_radius and cel_radius
against libfreeradius-client (Reported by Jeremy Lainé)
* ASTERISK-22661 – Unable to exit ChanSpy if spied channel does
not have a call in progress (Reported by Chris Hillman)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.27.0
Fedora 19 Security Update: webkitgtk3-2.0.4-4.fc19
Disable the SSLv3 to address the POODLE vulnerability
Fedora 20 Security Update: webkitgtk3-2.2.8-2.fc20
Disable the SSLv3 to address the POODLE vulnerability
Fedora 21 Security Update: asterisk-11.13.1-1.fc21
Resolved Bugs
1154894 – asterisk vulnerable to CVE-2014-3566/POODLE (AST-2014-011)<br
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.13.1-1
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
11.13.1, 12.6.1, and 13.0.0-beta3.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerability:
* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.
These issues have been resolved in the versions released in conjunction with
this security advisory.
For more information about the details of this vulnerability, please read
security advisory AST-2014-011, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2014-011.pdf
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.13.0-1
The Asterisk Development Team has announced the release of Asterisk 11.13.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.13.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-24032 – Gentoo compilation emits warning:
“_FORTIFY_SOURCE” redefined (Reported by Kilburn)
* ASTERISK-24225 – Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 – [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 – res_musiconhold cleanup – REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23997 – chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24019 – When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 – [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24211 – testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 – SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 – res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 – With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24301 – Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
Improvements made in this release:
———————————–
* ASTERISK-24171 – [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.12.1-1
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11 and 12. The available security releases are
released as versions 11.6-cert6, 11.12.1, and 12.5.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
Please note that the release of these versions resolves the following security
vulnerability:
* AST-2014-010: Remote Crash when Handling Out of Call Message in Certain
Dialplan Configurations
Additionally, the release of Asterisk 12.5.1 resolves the following security
vulnerability:
* AST-2014-009: Remote Crash Based on Malformed SIP Subscription Requests
Note that the crash described in AST-2014-010 can be worked around through
dialplan configuration. Given the likelihood of the issue, an advisory was
deemed to be warranted.
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-009 and AST-2014-010, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.12.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.5.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-009.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-010.pdf
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.12.0-1
The Asterisk Development Team has announced the release of Asterisk 11.12.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.12.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-23911 – URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 – PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 – No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 – [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 – [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 – Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
Improvements made in this release:
———————————–
* ASTERISK-21178 – Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.12.0
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.11.0-1
The Asterisk Development Team has announced the release of Asterisk 11.11.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.11.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-22551 – Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 – Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 – [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 – AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 – ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki CÃvico)
* ASTERISK-23824 – ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 – #includes – wildcard character in a path more
than one directory deep – results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 – autoservice thread doesn’t exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23609 – Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 – Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 – DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 – [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 – Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 – res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23790 – [patch] – SIP From headers longer than 256
characters result in dropped call and ‘No closing bracket’
warnings. (Reported by uniken1)
* ASTERISK-23917 – res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 – [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 – refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 – REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 – [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 – Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 – [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
Improvements made in this release:
———————————–
* ASTERISK-23492 – Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-22961 – [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.11.0
Fedora 20 Security Update: asterisk-11.13.1-1.fc20
Resolved Bugs
1154894 – asterisk vulnerable to CVE-2014-3566/POODLE (AST-2014-011)<br
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.13.1-1
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
11.13.1, 12.6.1, and 13.0.0-beta3.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerability:
* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.
These issues have been resolved in the versions released in conjunction with
this security advisory.
For more information about the details of this vulnerability, please read
security advisory AST-2014-011, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2014-011.pdf
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.13.0-1
The Asterisk Development Team has announced the release of Asterisk 11.13.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.13.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-24032 – Gentoo compilation emits warning:
“_FORTIFY_SOURCE” redefined (Reported by Kilburn)
* ASTERISK-24225 – Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 – [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 – res_musiconhold cleanup – REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23997 – chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24019 – When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 – [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24211 – testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 – SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 – res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 – With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24301 – Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
Improvements made in this release:
———————————–
* ASTERISK-24171 – [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.12.1-1
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11 and 12. The available security releases are
released as versions 11.6-cert6, 11.12.1, and 12.5.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
Please note that the release of these versions resolves the following security
vulnerability:
* AST-2014-010: Remote Crash when Handling Out of Call Message in Certain
Dialplan Configurations
Additionally, the release of Asterisk 12.5.1 resolves the following security
vulnerability:
* AST-2014-009: Remote Crash Based on Malformed SIP Subscription Requests
Note that the crash described in AST-2014-010 can be worked around through
dialplan configuration. Given the likelihood of the issue, an advisory was
deemed to be warranted.
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-009 and AST-2014-010, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.12.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.5.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-009.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-010.pdf
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.12.0-1
The Asterisk Development Team has announced the release of Asterisk 11.12.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.12.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-23911 – URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 – PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 – No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 – [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 – [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 – Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
Improvements made in this release:
———————————–
* ASTERISK-21178 – Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.12.0
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.11.0-1
The Asterisk Development Team has announced the release of Asterisk 11.11.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.11.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-22551 – Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 – Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 – [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 – AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 – ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki CÃvico)
* ASTERISK-23824 – ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 – #includes – wildcard character in a path more
than one directory deep – results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 – autoservice thread doesn’t exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23609 – Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 – Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 – DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 – [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 – Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 – res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23790 – [patch] – SIP From headers longer than 256
characters result in dropped call and ‘No closing bracket’
warnings. (Reported by uniken1)
* ASTERISK-23917 – res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 – [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 – refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 – REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 – [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 – Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 – [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
Improvements made in this release:
———————————–
* ASTERISK-23492 – Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-22961 – [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.11.0
Fedora 19 Security Update: asterisk-11.13.1-1.fc19
Resolved Bugs
1154894 – asterisk vulnerable to CVE-2014-3566/POODLE (AST-2014-011)<br
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.13.1-1
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
11.13.1, 12.6.1, and 13.0.0-beta3.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerability:
* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.
These issues have been resolved in the versions released in conjunction with
this security advisory.
For more information about the details of this vulnerability, please read
security advisory AST-2014-011, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2014-011.pdf
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.13.0-1
The Asterisk Development Team has announced the release of Asterisk 11.13.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.13.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-24032 – Gentoo compilation emits warning:
“_FORTIFY_SOURCE” redefined (Reported by Kilburn)
* ASTERISK-24225 – Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 – [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 – res_musiconhold cleanup – REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23997 – chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24019 – When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 – [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24211 – testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 – SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 – res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 – With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24301 – Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
Improvements made in this release:
———————————–
* ASTERISK-24171 – [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.12.1-1
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11 and 12. The available security releases are
released as versions 11.6-cert6, 11.12.1, and 12.5.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
Please note that the release of these versions resolves the following security
vulnerability:
* AST-2014-010: Remote Crash when Handling Out of Call Message in Certain
Dialplan Configurations
Additionally, the release of Asterisk 12.5.1 resolves the following security
vulnerability:
* AST-2014-009: Remote Crash Based on Malformed SIP Subscription Requests
Note that the crash described in AST-2014-010 can be worked around through
dialplan configuration. Given the likelihood of the issue, an advisory was
deemed to be warranted.
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-009 and AST-2014-010, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.12.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.5.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-009.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-010.pdf
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.12.0-1
The Asterisk Development Team has announced the release of Asterisk 11.12.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.12.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-23911 – URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 – PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 – No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 – [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 – [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 – Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
Improvements made in this release:
———————————–
* ASTERISK-21178 – Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.12.0
* Mon Oct 20 2014 Jeffrey C. Ollie – 11.11.0-1
The Asterisk Development Team has announced the release of Asterisk 11.11.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk
The release of Asterisk 11.11.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
———————————–
* ASTERISK-22551 – Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 – Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 – [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 – AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 – ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki CÃvico)
* ASTERISK-23824 – ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 – #includes – wildcard character in a path more
than one directory deep – results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 – autoservice thread doesn’t exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23609 – Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 – Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 – DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 – [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 – Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 – PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 – res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23790 – [patch] – SIP From headers longer than 256
characters result in dropped call and ‘No closing bracket’
warnings. (Reported by uniken1)
* ASTERISK-23917 – res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 – [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 – refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 – REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 – [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 – Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 – [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
Improvements made in this release:
———————————–
* ASTERISK-23492 – Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-22961 – [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.11.0