
List:       asterisk-dev
Subject:    [asterisk-dev] Asterisk 11.6-cert15, 11.23.1, 13.8-cert3, 13.11.1 Now Available (Security Release)
From:       George Joseph <gjoseph () digium ! com>
Date:       2016-09-08 20:26:33
Message-ID: CAP=uFEvKFP1F9njoGm8eVO-xRvXRgAUjH_-H3aNtqSThLmxbWw () mail ! gmail ! com


The Asterisk Development Team has announced security releases for
Certified Asterisk 11.6, Asterisk 11, Certified Asterisk 13.8 and
Asterisk 13.

The available security releases are released as versions 11.6-cert15,
11.23.1, 13.8-cert3 and 13.11.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security
vulnerabilities:

* AST-2016-006: Crash on ACK from unknown endpoint

  Asterisk can be crashed remotely by sending an ACK to it from an
  endpoint username that Asterisk does not recognize. Most SIP request
  types result in an "artificial" endpoint being looked up, but ACKs
  bypass this lookup. The resulting NULL pointer results in a crash
  when attempting to determine if ACLs should be applied.
  This issue was introduced in the Asterisk 13.10 release and only
  affects that release and later releases.
  This issue only affects users using the PJSIP stack with Asterisk.
  Those users that use chan_sip are unaffected.

* AST-2016-007: RTP Resource Exhaustion

  The overlap dialing feature in chan_sip allows chan_sip to report to a
  device that the number that has been dialed is incomplete and more
  digits are required. If this functionality is used with a device that
  has performed username/password authentication, RTP resources are
  leaked. This occurs because the code fails to release the old RTP
  resources before allocating new ones in this scenario. If all
  resources are used then RTP port exhaustion will occur and no RTP
  sessions are able to be set up.

For a full list of changes in the current releases, please see the
ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert15
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.23.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.8-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.11.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2016-006.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-007.pdf

Thank you for your continued support of Asterisk!

-- 
George Joseph
Digium, Inc. | Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
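The two defect classes described in the announcement above, a missing fallback that leaves a NULL pointer to be dereferenced in the ACL decision (AST-2016-006) and a re-allocation that never frees the previous allocation (AST-2016-007), can both be shown in a small C model. The code below is an added example written for this archive page; it is not Asterisk code and does not use Asterisk's APIs. The endpoint table, the "artificial" catch-all endpoint, the four-port RTP pool and every function name are constructed assumptions chosen to illustrate the vulnerable pattern next to the corrected one.

```c
#include <stdio.h>
#include <string.h>

/* ---- AST-2016-006 model: endpoint identification and the ACL decision ---- */

struct endpoint {
    const char *name;
    int acl_enabled;          /* 1 if an ACL must be applied to this endpoint */
};

/* Constructed sample endpoint table (assumption, not real configuration). */
static struct endpoint known_endpoints[] = {
    { "alice", 1 },
    { "bob",   0 },
};

/* Catch-all endpoint that unrecognised senders are mapped to; ACLs apply. */
static struct endpoint artificial_endpoint = { "artificial", 1 };

enum sip_method { SIP_INVITE, SIP_ACK, SIP_BYE };

/* Exact-match lookup; NULL when the username is unknown. */
static struct endpoint *lookup_endpoint(const char *user)
{
    size_t n = sizeof known_endpoints / sizeof known_endpoints[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(known_endpoints[i].name, user) == 0)
            return &known_endpoints[i];
    return NULL;
}

/* Vulnerable shape: ACK skips the artificial-endpoint fallback, so an
 * unknown sender yields NULL for that one method only. */
static struct endpoint *identify_vulnerable(enum sip_method m, const char *user)
{
    struct endpoint *ep = lookup_endpoint(user);
    if (ep == NULL && m != SIP_ACK)
        ep = &artificial_endpoint;
    return ep;
}

/* Corrected shape: every method falls back to the artificial endpoint. */
static struct endpoint *identify_fixed(enum sip_method m, const char *user)
{
    (void)m;                  /* the method no longer influences the fallback */
    struct endpoint *ep = lookup_endpoint(user);
    return ep ? ep : &artificial_endpoint;
}

/* ACL decision. Returns 1/0 for apply/skip and -1 when handed a NULL
 * endpoint; an unguarded version of this check is where a crash occurs. */
static int acl_required(const struct endpoint *ep)
{
    if (ep == NULL)
        return -1;
    return ep->acl_enabled;
}

/* ---- AST-2016-007 model: RTP allocation during overlap dialing ---- */

#define RTP_PORTS 4           /* deliberately tiny pool (assumption) */

struct rtp_pool { int in_use[RTP_PORTS]; };
struct call { struct rtp_pool *pool; int rtp_port; };   /* -1 = no port held */

static int rtp_alloc(struct rtp_pool *p)
{
    for (int i = 0; i < RTP_PORTS; i++)
        if (!p->in_use[i]) { p->in_use[i] = 1; return i; }
    return -1;                /* pool exhausted */
}

static void rtp_free(struct rtp_pool *p, int port)
{
    if (port >= 0) p->in_use[port] = 0;
}

/* Each "more digits needed" round allocates again. The leaky variant keeps
 * the previous port allocated; the fixed variant releases it first. */
static int overlap_dial_round(struct call *c, int use_fix)
{
    if (use_fix)
        rtp_free(c->pool, c->rtp_port);
    c->rtp_port = rtp_alloc(c->pool);
    return c->rtp_port;
}

static int ports_in_use(const struct rtp_pool *p)
{
    int n = 0;
    for (int i = 0; i < RTP_PORTS; i++) n += p->in_use[i];
    return n;
}

/* Ports still held after `rounds` overlap-dial rounds on one call. */
static int ports_after_overlap(int use_fix, int rounds)
{
    struct rtp_pool pool = { { 0 } };
    struct call c = { &pool, -1 };
    for (int i = 0; i < rounds; i++) overlap_dial_round(&c, use_fix);
    return ports_in_use(&pool);
}

/* Port obtained in the last round, or -1 if the pool was exhausted by then. */
static int last_port_after_overlap(int use_fix, int rounds)
{
    struct rtp_pool pool = { { 0 } };
    struct call c = { &pool, -1 };
    int last = -1;
    for (int i = 0; i < rounds; i++) last = overlap_dial_round(&c, use_fix);
    return last;
}

int main(void)
{
    printf("ACK from unknown user, vulnerable: acl=%d\n",
           acl_required(identify_vulnerable(SIP_ACK, "mallory")));
    printf("ACK from unknown user, fixed:      acl=%d\n",
           acl_required(identify_fixed(SIP_ACK, "mallory")));
    printf("leaky overlap, 5 rounds: ports=%d last=%d\n",
           ports_after_overlap(0, 5), last_port_after_overlap(0, 5));
    printf("fixed overlap, 5 rounds: ports=%d last=%d\n",
           ports_after_overlap(1, 5), last_port_after_overlap(1, 5));
    return 0;
}
```

The model keeps the ACL check guarded so it reports -1 instead of faulting; the point is that the guard should never be reachable once the fallback applies to every method, which is what `identify_fixed` enforces. For the RTP side, the leaky variant holds one extra port per overlap round, so with a four-port pool the fifth round gets nothing, while the fixed variant never holds more than one port per call.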




-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev
