——————————————————————————–
Fedora Update Notification
FEDORA-2013-24142
2013-12-31 00:52:06
——————————————————————————–
Name : asterisk
Product : Fedora 18
Version : 11.7.0
Release : 1.fc18
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
——————————————————————————–
Update Information:
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
——————————————————————————–
ChangeLog:
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
* Mon Oct 21 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-3:
– Disable hardened build, as it’s apparently causing problems loading modules.
* Thu Aug 29 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-2:
– Enable hardened build BZ#954338
– Significant clean ups
* Thu Aug 29 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security releases
– are released as versions 1.8.15-cert2, 11.2-cert2, 1.8.23.1, 10.12.3, 10.12.3-digiumphones,
– and 11.5.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A remotely exploitable crash vulnerability exists in the SIP channel driver if
– an ACK with SDP is received after the channel has been terminated. The
– handling code incorrectly assumes that the channel will always be present.
–
– * A remotely exploitable crash vulnerability exists in the SIP channel driver if
– an invalid SDP is sent in a SIP request that defines media descriptions before
– connection information. The handling code incorrectly attempts to reference
– the socket address information even though that information has not yet been
– set.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-004 and AST-2013-005, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert3
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.23.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.5.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-004.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-005.pdf
–
– The Asterisk Development Team has announced the release of Asterisk 11.5.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.5.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Fix Segfault In app_queue When “persistentmembers” Is Enabled
– And Using Realtime
– (Closes issue ASTERISK-21738. Reported by JoshE)
–
– * — IAX2: fix race condition with nativebridge transfers.
– (Closes issue ASTERISK-21409. Reported by alecdavis)
–
– * — Fix The Payload Being Set On CN Packets And Do Not Set Marker
– Bit
– (Closes issue ASTERISK-21246. Reported by Peter Katzmann)
–
– * — Fix One-Way Audio With auto_* NAT Settings When SIP Calls
– Initiated By PBX
– (Closes issue ASTERISK-21374. Reported by Michael L. Young)
–
– * — chan_sip: NOTIFYs for BLF start queuing up and fail to be sent
– out after retries fail
– (Closes issue ASTERISK-21677. Reported by Dan Martens)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 11.4.0-2.2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> – 11.4.0-2.1
– Perl 5.18 rebuild
* Fri May 24 2013 Rex Dieter <rdieter@fedoraproject.org> 11.4.0-2
– rebuild (libical)
* Mon May 20 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.4.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.4.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.4.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Fix Sorting Order For Parking Lots Stored In Static Realtime
– (Closes issue ASTERISK-21035. Reported by Alex Epshteyn)
–
– * — Fix StopMixMonitor Hanging Up When Unable To Stop MixMonitor On
– A Channel
– (Closes issue ASTERISK-21294. Reported by daroz)
–
– * — When a session timer expires during a T.38 call, re-invite with
– correct SDP
– (Closes issue ASTERISK-21232. Reported by Nitesh Bansal)
–
– * — Fix white noise on SRTP decryption
– (Closes issue ASTERISK-21323. Reported by andrea)
–
– * — Fix reload skinny with active devices.
– (Closes issue ASTERISK-16610. Reported by wedhorn)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.4.0
* Fri May 10 2013 Tom Callaway <spot@fedoraproject.org> – 11.3.0-2:
– fix build with lua 5.2
* Tue Apr 23 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.3.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.3.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.3.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Fix issue where chan_mobile fails to bind to first available
– port
– (Closes issue ASTERISK-16357. Reported by challado)
–
– * — Fix Queue Log Reporting Every Call COMPLETECALLER With “h”
– Extension Present
– (Closes issue ASTERISK-20743. Reported by call)
–
– * — Retain XMPP filters across reconnections so external modules
– continue to function as expected.
– (Closes issue ASTERISK-20916. Reported by kuj)
–
– * — Ensure that a declined media stream is terminated with a ‘\r\n’
– (Closes issue ASTERISK-20908. Reported by Dennis DeDonatis)
–
– * — Fix pjproject compilation in certain circumstances
– (Closes issue ASTERISK-20681. Reported by Dinesh Ramjuttun)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.3.0
* Thu Mar 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.2.2-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
– are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
– and 11.2.2.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A possible buffer overflow during H.264 format negotiation. The format
– attribute resource for H.264 video performs an unsafe read against a media
– attribute when parsing the SDP.
–
– This vulnerability only affected Asterisk 11.
–
– * A denial of service exists in Asterisk’s HTTP server. AST-2012-014, fixed
– in January of this year, contained a fix for Asterisk’s HTTP server for a
– remotely-triggered crash. While the fix prevented the crash from being
– triggered, a denial of service vector still exists with that solution if an
– attacker sends one or more HTTP POST requests with very large Content-Length
– values.
–
– This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11
–
– * A potential username disclosure exists in the SIP channel driver. When
– authenticating a SIP request with alwaysauthreject enabled, allowguest
– disabled, and autocreatepeer disabled, Asterisk discloses whether a user
– exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.
–
– This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.20.2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.2.2
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf
* Sun Feb 10 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.2.1-1:
– The Asterisk Development Team has announced the release of Asterisk 11.2.1.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.2.1 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following are the issues resolved in this release:
–
– * — Fix astcanary startup problem due to wrong pid value from before
– daemon call
– (Closes issue ASTERISK-20947. Reported by Jakob Hirsch)
–
– * — Update init.d scripts to handle stderr; readd splash screen for
– remote consoles
– (Closes issue ASTERISK-20945. Reported by Warren Selby)
–
– * — Reset RTP timestamp; sequence number on SSRC change
– (Closes issue ASTERISK-20906. Reported by Eelco Brolman)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.1
* Fri Jan 18 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.2.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.2.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.2.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_meetme: Fix channels lingering when hung up under certain
– conditions
– (Closes issue ASTERISK-20486. Reported by Michael Cargile)
–
– * — Fix stuck DTMF when bridge is broken.
– (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)
–
– * — Add missing support for “who hung up” to chan_motif.
– (Closes issue ASTERISK-20671. Reported by Matt Jordan)
–
– * — Remove a fixed size limitation for producing SDP and change how
– ICE support is disabled by default.
– (Closes issue ASTERISK-20643. Reported by coopvr)
–
– * — Fix chan_sip websocket payload handling
– (Closes issue ASTERISK-20745. Reported by Iñaki Baz Castillo)
–
– * — Fix pjproject compilation in certain circumstances
– (Closes issue ASTERISK-20681. Reported by Dinesh Ramjuttun)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.0
* Thu Jan 3 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.1.2-1:
– The Asterisk Development Team has announced a security release for Asterisk 11,
– Asterisk 11.1.2. This release addresses the security vulnerabilities reported in
– AST-2012-014 and AST-2012-015, and replaces the previous version of Asterisk 11
– released for these security vulnerabilities. The prior release left open a
– vulnerability in res_xmpp that exists only in Asterisk 11; as such, other
– versions of Asterisk were resolved correctly by the previous releases.
–
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following two issues:
–
– * Stack overflows that occur in some portions of Asterisk that manage a TCP
– connection. In SIP, this is exploitable via a remote unauthenticated session;
– in XMPP and HTTP connections, this is exploitable via remote authenticated
– sessions. The vulnerabilities in SIP and HTTP were corrected in a prior
– release of Asterisk; the vulnerability in XMPP is resolved in this release.
–
– * A denial of service vulnerability through exploitation of the device state
– cache. Anonymous calls had the capability to create devices in Asterisk that
– would never be disposed of. Handling the cachability of device states
– aggregated via XMPP is handled in this release.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2012-014 and AST-2012-015.
–
– For a full list of changes in the current release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
– * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
–
– Thank you for your continued support of Asterisk – and we apologize for having
– to do this twice!
* Wed Jan 2 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.1.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
– are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
– and 11.1.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following two issues:
–
– * Stack overflows that occur in some portions of Asterisk that manage a TCP
– connection. In SIP, this is exploitable via a remote unauthenticated session;
– in XMPP and HTTP connections, this is exploitable via remote authenticated
– sessions.
–
– * A denial of service vulnerability through exploitation of the device state
– cache. Anonymous calls had the capability to create devices in Asterisk that
– would never be disposed of.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2012-014 and AST-2012-015, which were released at the
– same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert10
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.19.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.11.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.11.1-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
– * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
* Wed Dec 12 2012 Jeffrey Ollie <jeff@ocjtech.us> – 11.1.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.1.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.1.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Fix execution of ‘i’ extension due to uninitialized variable.
– (Closes issue ASTERISK-20455. Reported by Richard Miller)
–
– * — Prevent resetting of NATted realtime peer address on reload.
– (Closes issue ASTERISK-18203. Reported by daren ferreira)
–
– * — Fix ConfBridge crash if no timing module loaded.
– (Closes issue ASTERISK-19448. Reported by feyfre)
–
– * — Fix the Park ‘r’ option when a channel parks itself.
– (Closes issue ASTERISK-19382. Reported by James Stocks)
–
– * — Fix an issue where outgoing calls would fail to establish audio
– due to ICE negotiation failures.
– (Closes issue ASTERISK-20554. Reported by mmichelson)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.1.0
* Fri Dec 7 2012 Jeffrey Ollie <jeff@ocjtech.us> – 11.0.2-1:
– The Asterisk Development Team has announced the release of Asterisk 11.0.2.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.0.2 resolves an issue reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is the issue resolved in this release:
–
– * — chan_local: Fix local_pvt ref leak in local_devicestate().
– (Closes issue ASTERISK-20769. Reported by rmudgett)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.0.2
* Wed Dec 5 2012 Dan Horák <dan[at]danny.cz> – 11.0.1-3
– simplify LDFLAGS setting
* Fri Nov 30 2012 Dennis Gilmore <dennis@ausil.us> – 11.0.1-2
– clean up things to allow building on arm arches
——————————————————————————–
References:
[ 1 ] Bug #1043917 – asterisk: asterisk manager user dialplan permission escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1043917
[ 2 ] Bug #1043918 – CVE-2013-7100 asterisk: buffer overflow when receiving odd length 16 bit SMS message
https://bugzilla.redhat.com/show_bug.cgi?id=1043918
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update asterisk’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
——————————————————————————–
Fedora Update Notification
FEDORA-2013-24119
2013-12-31 00:51:05
——————————————————————————–
Name : asterisk
Product : Fedora 19
Version : 11.7.0
Release : 1.fc19
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
——————————————————————————–
Update Information:
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
——————————————————————————–
ChangeLog:
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
* Mon Oct 21 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-3:
– Disable hardened build, as it’s apparently causing problems loading modules.
* Thu Aug 29 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-2:
– Enable hardened build BZ#954338
– Significant clean ups
* Thu Aug 29 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security releases
– are released as versions 1.8.15-cert2, 11.2-cert2, 1.8.23.1, 10.12.3, 10.12.3-digiumphones,
– and 11.5.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A remotely exploitable crash vulnerability exists in the SIP channel driver if
– an ACK with SDP is received after the channel has been terminated. The
– handling code incorrectly assumes that the channel will always be present.
–
– * A remotely exploitable crash vulnerability exists in the SIP channel driver if
– an invalid SDP is sent in a SIP request that defines media descriptions before
– connection information. The handling code incorrectly attempts to reference
– the socket address information even though that information has not yet been
– set.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-004 and AST-2013-005, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert3
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert2
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.23.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.5.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-004.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-005.pdf
–
– The Asterisk Development Team has announced the release of Asterisk 11.5.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.5.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Fix Segfault In app_queue When “persistentmembers” Is Enabled
– And Using Realtime
– (Closes issue ASTERISK-21738. Reported by JoshE)
–
– * — IAX2: fix race condition with nativebridge transfers.
– (Closes issue ASTERISK-21409. Reported by alecdavis)
–
– * — Fix The Payload Being Set On CN Packets And Do Not Set Marker
– Bit
– (Closes issue ASTERISK-21246. Reported by Peter Katzmann)
–
– * — Fix One-Way Audio With auto_* NAT Settings When SIP Calls
– Initiated By PBX
– (Closes issue ASTERISK-21374. Reported by Michael L. Young)
–
– * — chan_sip: NOTIFYs for BLF start queuing up and fail to be sent
– out after retries fail
– (Closes issue ASTERISK-21677. Reported by Dan Martens)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 11.4.0-2.2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> – 11.4.0-2.1
– Perl 5.18 rebuild
* Fri May 24 2013 Rex Dieter <rdieter@fedoraproject.org> 11.4.0-2
– rebuild (libical)
——————————————————————————–
References:
[ 1 ] Bug #1043917 – asterisk: asterisk manager user dialplan permission escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1043917
[ 2 ] Bug #1043918 – CVE-2013-7100 asterisk: buffer overflow when receiving odd length 16 bit SMS message
https://bugzilla.redhat.com/show_bug.cgi?id=1043918
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update asterisk’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
——————————————————————————–
Fedora Update Notification
FEDORA-2013-24108
2013-12-31 00:50:43
——————————————————————————–
Name : asterisk
Product : Fedora 20
Version : 11.7.0
Release : 1.fc20
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
——————————————————————————–
Update Information:
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
——————————————————————————–
ChangeLog:
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.7.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.7.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.7.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — app_confbridge: Can now set the language used for announcements
– to the conference.
– (Closes issue ASTERISK-19983. Reported by Jonathan White)
–
– * — app_queue: Fix CLI “queue remove member” queue_log entry.
– (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
–
– * — chan_sip: Do not increment the SDP version between 183 and 200
– responses.
– (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
–
– * — chan_sip: Allow a sip peer to accept both AVP and AVPF calls
– (Closes issue ASTERISK-22005. Reported by Torrey Searle)
–
– * — chan_sip: Fix Realtime Peer Update Problem When Un-registering
– And Expires Header In 200ok
– (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
– releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
– 10.12.4-digiumphones, and 11.6.1.
–
– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases
–
– The release of these versions resolve the following issues:
–
– * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
– infinite loop could occur which would overwrite memory when a message is
– received into the unpacksms16() function and the length of the message is an
– odd number of bytes.
–
– * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
– now marks certain individual dialplan functions as ‘dangerous’, which will
– inhibit their execution from external sources.
–
– A ‘dangerous’ function is one which results in a privilege escalation. For
– example, if one were to read the channel variable SHELL(rm -rf /) Bad
– Things(TM) could happen; even if the external source has only read
– permissions.
–
– Execution from external sources may be enabled by setting ‘live_dangerously’
– to ‘yes’ in the [options] section of asterisk.conf. Although doing so is not
– recommended.
–
– These issues and their resolutions are described in the security advisories.
–
– For more information about the details of these vulnerabilities, please read
– security advisories AST-2013-006 and AST-2013-007, which were
– released at the same time as this announcement.
–
– For a full list of changes in the current releases, please see the ChangeLogs:
–
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
–
– The security advisories are available at:
–
– * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
– * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
* Sat Dec 28 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.6.0-1:
– The Asterisk Development Team has announced the release of Asterisk 11.6.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk
–
– The release of Asterisk 11.6.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!
–
– The following is a sample of the issues resolved in this release:
–
– * — Confbridge: empty conference not being torn down
– (Closes issue ASTERISK-21859. Reported by Chris Gentle)
–
– * — Let Queue wrap up time influence member availability
– (Closes issue ASTERISK-22189. Reported by Tony Lewis)
–
– * — Fix a longstanding issue with MFC-R2 configuration that
– prevented users
– (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
–
– * — chan_iax2: Fix saving the wrong expiry time in astdb.
– (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
–
– * — Fix segfault for certain invalid WebSocket input.
– (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
–
– For a full list of changes in this release, please see the ChangeLog:
–
– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
* Mon Oct 21 2013 Jeffrey Ollie <jeff@ocjtech.us> – 11.5.1-3:
– Disable hardened build, as it’s apparently causing problems loading modules.
——————————————————————————–
References:
[ 1 ] Bug #1043917 – asterisk: asterisk manager user dialplan permission escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1043917
[ 2 ] Bug #1043918 – CVE-2013-7100 asterisk: buffer overflow when receiving odd length 16 bit SMS message
——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update asterisk’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce