--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-0992
2013-01-20 02:00:30
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 16
Version     : 1.8.20.0
Release     : 1.fc16
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced the release of Asterisk 1.8.20.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.20.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- app_meetme: Fix channels lingering when hung up under certain
  conditions
  (Closes issue ASTERISK-20486. Reported by Michael Cargile)

* --- Fix stuck DTMF when bridge is broken.
  (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)

* --- Improve Code Readability And Fix Setting natdetected Flag
  (Closes issue ASTERISK-20724. Reported by Michael L. Young)

* --- Fix extension matching with the '-' char.
  (Closes issue ASTERISK-19205. Reported by Philippe Lindheimer, Birger "WIMPy" Harzenetter)

* --- Fix call files when astspooldir is relative.
  (Closes issue ASTERISK-20593. Reported by James Le Cuirot)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.20.0
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 18 2013 Jeffrey Ollie <[email protected]> - 1.8.19.0-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.20.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.20.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_meetme: Fix channels lingering when hung up under certain
-   conditions
-   (Closes issue ASTERISK-20486. Reported by Michael Cargile)
-
- * --- Fix stuck DTMF when bridge is broken.
-   (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)
-
- * --- Improve Code Readability And Fix Setting natdetected Flag
-   (Closes issue ASTERISK-20724. Reported by Michael L. Young)
-
- * --- Fix extension matching with the '-' char.
-   (Closes issue ASTERISK-19205. Reported by Philippe Lindheimer, Birger "WIMPy" Harzenetter)
-
- * --- Fix call files when astspooldir is relative.
-   (Closes issue ASTERISK-20593. Reported by James Le Cuirot)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.20.0
* Wed Dec 19 2012 Jeffrey Ollie <[email protected]> - 1.8.19.0-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.19.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.19.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Prevent resetting of NATted realtime peer address on reload.
-   (Closes issue ASTERISK-18203. Reported by daren ferreira)
-
- * --- Do not use a FILE handle when doing SIP TCP reads.
-   (Closes issue ASTERISK-20212. Reported by Phil Ciccone)
-
- * --- Fix execution of 'i' extension due to uninitialized variable.
-   (Closes issue ASTERISK-20455. Reported by Richard Miller)
-
- * --- Ensure that the Queue application tracks busy members in off
-   nominal situations
-   (Closes issue ASTERISK-20623. Reported by Bryan Walters)
-
- * --- Properly extract the Body information of an EWS calendar item
-   (Closes issue ASTERISK-19738. Reported by Dmitry Burilov)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.19.0
* Fri Dec 7 2012 Jeffrey Ollie <[email protected]> - 1.8.18.1-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.18.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.18.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- chan_local: Fix local_pvt ref leak in local_devicestate().
-   (Closes issue ASTERISK-20769. Reported by rmudgett)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.18.1
* Wed Nov 7 2012 Jeffrey Ollie <[email protected]> - 1.8.18.0-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.18.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.18.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- dsp.c User Configurable DTMF_HITS_TO_BEGIN and
-   DTMF_MISSES_TO_END
-   (Closes issue ASTERISK-17493. Reported by alecdavis)
-
- * --- Fix error where improper IMAP greetings would be deleted.
-   (Closes issue ASTERISK-20435. Reported by fhackenberger)
-
- * --- iax2-provision: Fix improper return on failed cache retrieval
-   (Closes issue ASTERISK-20337. Reported by John Covert)
-
- * --- Fix T.38 support when used with chan_local in between.
-   (Closes issue ASTERISK-20229. Reported by wdoekes)
-
- * --- Fix an issue where media would not flow for situations where the
-   legacy STUN code is in use.
-   (Closes issue ASTERISK-20415. Reported by Michele Cicciotti)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.18.0
* Tue Oct 9 2012 Jeffrey Ollie <[email protected]> - 1.8.17.0-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.17.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.17.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix channel reference leak in ChanSpy.
-   (Closes issue ASTERISK-19461. Reported by Irontec)
-
- * --- dsp.c: Fix multiple issues when no-interdigit delay is present,
-   and fast DTMF 50ms/50ms
-   (Closes issue ASTERISK-19610. Reported by Jean-Philippe Lord)
-
- * --- Fix bug where final queue member would not be removed from
-   memory.
-   (Closes issue ASTERISK-19793. Reported by Marcus Haas)
-
- * --- Fix memory leak when CEL is successfully written to PostgreSQL
-   database
-   (Closes issue ASTERISK-19991. Reported by Etienne Lessard)
-
- * --- Fix DUNDi message routing bug when neighboring peer is
-   unreachable
-   (Closes issue ASTERISK-19309. Reported by Peter Racz)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.17.0
* Wed Sep 26 2012 Jeffrey Ollie <[email protected]> - 1.8.16.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.16.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.16.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
-   ExternalIVR
-   (Closes issue ASTERISK-20132. Reported by Zubair Ashraf of IBM X-Force Research)
-
- * --- AST-2012-013: Resolve ACL rules being ignored during calls by
-   some IAX2 peers
-   (Closes issue ASTERISK-20186. Reported by Alan Frisch)
-
- * --- Handle extremely out of order RFC 2833 DTMF
-   (Closes issue ASTERISK-18404. Reported by Stephane Chazelas)
-
- * --- Resolve severe memory leak in CEL logging modules.
-   (Closes issue AST-916. Reported by Thomas Arimont)
-
- * --- Only re-create an SRTP session when needed; respond with correct
-   crypto policy
-   (Issue ASTERISK-20194. Reported by Nicolo Mazzon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.16.0
* Tue Sep 4 2012 Jeffrey Ollie <[email protected]> - 1.8.15.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
- resolve the following two issues:
-
- * A permission escalation vulnerability in Asterisk Manager Interface. This
-   would potentially allow remote authenticated users the ability to execute
-   commands on the system shell with the privileges of the user running the
-   Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt
-   file delivered with Asterisk has been updated due to this and other related
-   vulnerabilities fixed in previous versions of Asterisk.
-
- * When an IAX2 call is made using the credentials of a peer defined in a
-   dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
-   peer are not applied to the call attempt. This allows for a remote attacker
-   who is aware of a peer's credentials to bypass the ACL rules set for that
-   peer.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-012 and AST-2012-013, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
- * http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
* Tue Sep 4 2012 Jeffrey Ollie <[email protected]> - 1.8.15.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.15.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.15.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix deadlock potential with ast_set_hangupsource() calls.
-   (Closes issue ASTERISK-19801. Reported by Alec Davis)
-
- * --- Fix request routing issue when outboundproxy is used.
-   (Closes issue ASTERISK-20008. Reported by Marcus Hunger)
-
- * --- Make the address family filter specific to the transport.
-   (Closes issue ASTERISK-16618. Reported by Leif Madsen)
-
- * --- Fix NULL pointer segfault in ast_sockaddr_parse()
-   (Closes issue ASTERISK-20006. Reported by Michael L. Young)
-
- * --- Do not perform install on existing directories
-   (Closes issue ASTERISK-19492. Reported by Karl Fife)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.15.0
* Tue Sep 4 2012 Jeffrey Ollie <[email protected]> - 1.8.14.1-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.14.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.14.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Remove a superfluous and dangerous freeing of an SSL_CTX.
-   (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.14.1
* Tue Sep 4 2012 Jeffrey Ollie <[email protected]> - 1.8.14.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.14.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.14.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- format_mp3: Fix a possible crash in mp3_read().
-   (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)
-
- * --- Fix local channel chains optimizing themselves out of a call.
-   (Closes issue ASTERISK-16711. Reported by Alec Davis)
-
- * --- Update a peer's LastMsgsSent when the peer is notified of
-   waiting messages
-   (Closes issue ASTERISK-17866. Reported by Steve Davies)
-
- * --- Prevent sip_pvt refleak when an ast_channel outlasts its
-   corresponding sip_pvt.
-   (Closes issue ASTERISK-19425. Reported by David Cunningham)
-
- * --- Send more accurate identification information in dialog-info SIP
-   NOTIFYs.
-   (Closes issue ASTERISK-16735. Reported by Maciej Krajewski)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.14.0
* Tue Sep 4 2012 Jeffrey Ollie <[email protected]> - 1.8.13.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones
- resolve the following two issues:
-
- * If Asterisk sends a re-invite and an endpoint responds to the re-invite with
-   a provisional response but never sends a final response, then the SIP dialog
-   structure is never freed and the RTP ports for the call are never released. If
-   an attacker has the ability to place a call, they could create a denial of
-   service by using all available RTP ports.
-
- * If a single voicemail account is manipulated by two parties simultaneously,
-   a condition can occur where memory is freed twice causing a crash.
-
- These issues and their resolution are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-010 and AST-2012-011, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
- * http://downloads.asterisk.org/pub/security/AST-2012-011.pdf
* Tue Sep 4 2012 Jeffrey Ollie <[email protected]> - 1.8.13.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.13.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.13.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Turn off warning message when bind address is set to any.
-   (Closes issue ASTERISK-19456. Reported by Michael L. Young)
-
- * --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
-   machines
-   (Closes issue ASTERISK-19727. Reported by Ben Klang)
-
- * --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
-   before disconnecting the call.
-   (Closes issue ASTERISK-19708. Reported by mehdi Shirazi)
-
- * --- Fix recalled party B feature flags for a failed DTMF atxfer.
-   (Closes issue ASTERISK-19383. Reported by lgfsantos)
-
- * --- Fix DTMF atxfer running h exten after the wrong bridge ends.
-   (Closes issue ASTERISK-19717. Reported by Mario)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.13.0
* Wed May 30 2012 Jeffrey Ollie <[email protected]> - 1.8.12.2-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.12.2.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.12.2 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Resolve crash in subscribing for MWI notifications
-   (Closes issue ASTERISK-19827. Reported by B. R)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.2
* Wed May 30 2012 Jeffrey Ollie <[email protected]> - 1.8.12.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following
- two issues:
-
- * A remotely exploitable crash vulnerability exists in the IAX2 channel
-   driver if an established call is placed on hold without a suggested music
-   class. Asterisk will attempt to use an invalid pointer to the music
-   on hold class name, potentially causing a crash.
-
- * A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
-   Channel driver. When an SCCP client closes its connection to the server,
-   a pointer in a structure is set to NULL. If the client was not in the
-   on-hook state at the time the connection was closed, this pointer is later
-   dereferenced. This allows remote authenticated connections the ability to
-   cause a crash in the server, denying services to legitimate users.
-
- These issues and their resolution are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-007 and AST-2012-008, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2012-007.pdf
- * http://downloads.asterisk.org/pub/security/AST-2012-008.pdf
* Thu May 3 2012 Jeffrey Ollie <[email protected]> - 1.8.12.0-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.12.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.12.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Prevent chanspy from binding to zombie channels
-   (Closes issue ASTERISK-19493. Reported by lvl)
-
- * --- Fix Dial m and r options and forked calls generating warnings
-   for voice frames.
-   (Closes issue ASTERISK-16901. Reported by Chris Gentle)
-
- * --- Remove ISDN hold restriction for non-bridged calls.
-   (Closes issue ASTERISK-19388. Reported by Birger Harzenetter)
-
- * --- Fix copying of CDR(accountcode) to local channels.
-   (Closes issue ASTERISK-19384. Reported by jamicque)
-
- * --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
-   (Closes issue ASTERISK-19303. Reported by Jon Tsiros)
-
- * --- Eliminate double close of file descriptor in manager.c
-   (Closes issue ASTERISK-18453. Reported by Jaco Kroon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.0
* Tue Apr 24 2012 Jeffrey Ollie <[email protected]> - 1.8.11.1-1:
- The Asterisk Development Team has announced security releases for Asterisk 1.6.2,
- 1.8, and 10. The available security releases are released as versions 1.6.2.24,
- 1.8.11.1, and 10.3.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the following two
- issues:
-
- * A permission escalation vulnerability in Asterisk Manager Interface. This
-   would potentially allow remote authenticated users the ability to execute
-   commands on the system shell with the privileges of the user running the
-   Asterisk application.
-
- * A heap overflow vulnerability in the Skinny Channel driver. The keypad
-   button message event failed to check the length of a fixed length buffer
-   before appending a received digit to the end of that buffer. A remote
-   authenticated user could send sufficient keypad button message events that the
-   buffer would be overrun.
-
- In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve the following
- issue:
-
- * A remote crash vulnerability in the SIP channel driver when processing UPDATE
-   requests. If a SIP UPDATE request was received indicating a connected line
-   update after a channel was terminated but before the final destruction of the
-   associated SIP dialog, Asterisk would attempt a connected line update on a
-   non-existing channel, causing a crash.
-
- These issues and their resolution are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.24
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.11.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.3.1
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2012-004.pdf
- * http://downloads.asterisk.org/pub/security/AST-2012-005.pdf
- * http://downloads.asterisk.org/pub/security/AST-2012-006.pdf
* Fri Mar 30 2012 Russell Bryant <[email protected]> - 1.8.11.0-1
- Update to 1.8.11.0
* Sat Mar 17 2012 Russell Bryant <[email protected]> - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP digest authentication handling.
- Disable build of SRTP on ppc64, as it doesn't build right now.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Fri Dec 9 2011 Jeffrey C. Ollie <[email protected]> - 1.8.7.2-1
- The Asterisk Development Team has announced security releases for Asterisk 1.4,
- 1.6.2 and 1.8. The available security releases are released as versions 1.4.43,
- 1.6.2.21 and 1.8.7.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk versions 1.4.43, 1.6.2.21, and 1.8.7.2 resolves an issue
- with possible remote enumeration of SIP endpoints with differing NAT settings.
-
- The release of Asterisk versions 1.6.2.21 and 1.8.7.2 resolves a remote crash
- possibility with SIP when the "automon" feature is enabled.
-
- The issues and resolutions are described in the AST-2011-013 and AST-2011-014
- security advisories.
-
- For more information about the details of these vulnerabilities, please read the
- security advisories AST-2011-013 and AST-2011-014, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.43
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.21
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.2
-
- Security advisory AST-2011-013 is available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2011-013.pdf
-
- Security advisory AST-2011-014 is available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2011-014.pdf
* Thu Nov 17 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
-   (Closes issue ASTERISK-18663)
-   Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
-   (Closes issue ASTERISK-18747)
-   Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already enabled
-   by default.
-   (Closes issue ASTERISK-18738)
-   Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov 8 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012) ---
-   http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
-   (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory Nietsky)
-   (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by Gregory
-   Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
-   (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
-   (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by Terry
-   Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
-   (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry Wilson)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov 8 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Updated SIP 484 handling; added Incomplete control frame
-   When a SIP phone uses the dial application and receives a 484 Address
-   Incomplete response, if overlapped dialing is enabled for SIP, then the 484
-   Address Incomplete is forwarded back to the SIP phone and the HANGUPCAUSE
-   channel variable is set to 28. Previously, the Incomplete application
-   dialplan logic was automatically triggered; now, explicit dialplan usage of
-   the application is required.
-   (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
-   Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
- * Prevent IAX2 from getting IPv6 addresses via DNS IAX2 does not support IPv6
-   and getting such addresses from DNS can cause error messages on the remote
-   end involving bad IPv4 address casts in the presence of IPv6/IPv4 tunnels.
-   (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
- * Fix bad RTP media bridges in directmedia calls on peers separated by multiple
-   Asterisk nodes.
-   (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
-   ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
- * Fix crashes in ast_rtcp_write()
-   (Closes issue ASTERISK-18570)
-   Related issues that look like they are the same problem:
-   (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
-   ASTERISK-9977, ASTERISK-9716)
-   Review: https://reviewboard.asterisk.org/r/1444/
-   Patched by: Russell Bryant
-
- * Fix for incorrect voicemail duration in external notifications.
-   This patch fixes an issue where the voicemail duration was being reported
-   with a duration significantly less than the actual sound file duration.
-   (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad House,
-   Karsten Wemheuer, KevinH Tested by: Matt Jordan
-   Review: https://reviewboard.asterisk.org/r/1443)
-
- * Prevent segfault if call arrives before Asterisk is fully booted.
-   (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <[email protected]> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
- Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #891646 - CVE-2012-5976 asterisk: Crashes due to large stack allocations when using TCP (AST-2012-014)
        https://bugzilla.redhat.com/show_bug.cgi?id=891646
  [ 2 ] Bug #891649 - CVE-2012-5977 asterisk: Denial of service through exploitation of device state caching (AST-2012-015)
        https://bugzilla.redhat.com/show_bug.cgi?id=891649
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
