-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2010-3724 2010-03-06 02:55:32 --------------------------------------------------------------------------------
Name : asterisk Product : Fedora 11 Version : 1.6.1.17 Release : 1.fc11 URL : http://www.asterisk.org/ Summary : The Open Source PBX Description : Asterisk is a complete PBX in software. It runs on Linux and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in three protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware. -------------------------------------------------------------------------------- Update Information: Update to 1.6.1.17 * AST-2010-003: Invalid parsing of ACL rules can compromise security * AST-2010-002: This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers. * AST-2010-001: An attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash occurs when the FaxMaxDatagram field is omitted from the SDP as well. -------------------------------------------------------------------------------- ChangeLog: * Mon Mar 1 2010 Jeffrey C. Ollie <[email protected]> - 1.6.1.17-1 - Update to 1.6.1.17 - - * AST-2010-003: Invalid parsing of ACL rules can compromise security - * AST-2010-002: This security release is intended to raise awareness - of how it is possible to insert malicious strings into dialplans, - and to advise developers to read the best practices documents so - that they may easily avoid these dangers. - * AST-2010-001: An attacker attempting to negotiate T.38 over SIP can - remotely crash Asterisk by modifying the FaxMaxDatagram field of - the SDP to contain either a negative or exceptionally large value. - The same crash occurs when the FaxMaxDatagram field is omitted from - the SDP as well. * Mon Dec 21 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.12-1 - Update to 1.6.1.12 * Mon Nov 30 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.11-1 - Update to 1.6.1.11 to fix AST-2009-010/CVE-2009-4055 * Thu Nov 19 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.10-1 - Update to 1.6.1.10 - Drop unneeded patch to get Lua extensions building * Wed Nov 4 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.9-1 - Update to 1.6.1.9 to fix AST-2009-009/CVE-2008-7220 and AST-2009-008 - Fix obsoletes for firmware subpackage * Tue Oct 27 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.8-1 - Update to 1.6.1.8 to fix bug 531199: - - http://downloads.asterisk.org/pub/security/AST-2009-007.html - - A missing ACL check for handling SIP INVITEs allows a device to make - calls on networks intended to be prohibited as defined by the "deny" - and "permit" lines in sip.conf. The ACL check for handling SIP - registrations was not affected. * Sat Oct 24 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.7-0.4.rc2 - Add an AST_EXTRA_ARGS option to the init script - have the init script to cd to /var/spool/asterisk to prevent annoying message * Sat Oct 24 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.7-0.3.rc2 - Compile against gmime 2.2 instead of gmime 2.4 because the patch to convert the API calls from 2.2 to 2.4 caused crashes. * Fri Oct 9 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.7-0.2.rc2 - Require latex2html used in static-http documents * Thu Oct 8 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.7-0.1.rc2 - Update to 1.6.1.7-rc2 - Merge firmware subpackage back into main package - No longer need to strip tarball since it no longer contains any non-free items - Tighten up permissions/ownership of config files. - Fix up some more paths - Drop unneeded patch * Wed Sep 9 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.6-2 - Enable building of API docs. - Depend on version 1.2 or newer of speex * Sun Sep 6 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1.6-1 - Update to 1.6.1.6 - Drop patches that are too troublesome to maintain anymore or have been integrated upstream. * Tue Sep 1 2009 Jeffrey C. Ollie <[email protected]> - 1.6.1-0.26.rc1 - Add a patch from Quentin Armitage and rebuld. * Fri Aug 21 2009 Tomas Mraz <[email protected]> - 1.6.1-0.25.rc1 - rebuilt with new openssl * Fri Jul 24 2009 Fedora Release Engineering <[email protected]> - 1.6.1-0.24.rc1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #561332 - CVE-2010-0441 Asterisk: Remote DoS via specially-crafted FaxMaxDatagram SDP packets (AST-2010-001) https://bugzilla.redhat.com/show_bug.cgi?id=561332 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update asterisk' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/package-announce
