Psc ---------- Mensagem encaminhada ---------- De: "Asterisk Development Team" <[email protected]> Data: 28/01/2015 21:14 Assunto: [asterisk-dev] Asterisk 1.8.28-cert4, 1.8.32.2, 11.6-cert10, 11.15.1, 12.8.1, 13.1.1 Now Available (Security Release) Para: <[email protected]> Cc:
The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10, 11.15.1, 12.8.1, and 13.1.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of these versions resolves the following security vulnerabilities: * AST-2015-001: File descriptor leak when incompatible codecs are offered Asterisk may be configured to only allow specific audio or video codecs to be used when communicating with a particular endpoint. When an endpoint sends an SDP offer that only lists codecs not allowed by Asterisk, the offer is rejected. However, in this case, RTP ports that are allocated in the process are not reclaimed. This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected. * AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability CVE-2014-8150 reported an HTTP request injection vulnerability in libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL() dialplan function), as well as its res_config_curl.so (cURL realtime backend) modules. Since Asterisk may be configured to allow for user-supplied URLs to be passed to libcURL, it is possible that an attacker could use Asterisk as an attack vector to inject unauthorized HTTP requests if the version of libcURL installed on the Asterisk server is affected by CVE-2014-8150. For more information about the details of these vulnerabilities, please read security advisory AST-2015-001 and AST-2015-002, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2 http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2015-001.pdf * http://downloads.asterisk.org/pub/security/AST-2015-002.pdf Thank you for your continued support of Asterisk! -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-dev mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
_______________________________________________ KHOMP: completa linha de placas externas FXO, FXS, GSM e E1 Media Gateways de 1 a 64 E1s para SIP com R2, ISDN e SS7 Intercomunicadores para acesso remoto via rede IP e telefones IP Conheça todo o portfólio em www.Khomp.com _______________________________________________ ALIGERA Fabricante e desenvolvedor nacional de Soluções para telefonia IP . Gateway Sip, Placas de 1E1, 2E1, 4E1 e 8E1 para PCI ou PCI Express. Banco de Canais Analógicos Appliance Asterisk Acesse www.aligera.com.br _______________________________________________ DIGIVOICE: Fabricante pioneiro em Banco de Canais e Placas E1, GSM, FXO e FXS para Asterisk e Elastix. Temos Cursos de Telefonia IP e Asterisk. Construa soluções de PABX IP com produtos DigiVoice - visite www.digivoice.com.br _______________________________________________ Para remover seu email desta lista, basta enviar um email em branco para [email protected]
