[asterisk-users] AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake
Asterisk Project Security Advisory - AST-2021-009

Product:             Asterisk
Summary:             pjproject/pjsip: crash when SSL socket destroyed during handshake
Nature of Advisory:  Denial of service
Susceptibility:      Remote unauthenticated sessions
Severity:            Major
Exploits Known:      Yes
Reported On:         May 5, 2021
Reported By:         Andrew Yager
Posted On:
Last Updated On:     July 6, 2021
Advisory Contact:    kharwell AT sangoma DOT com
CVE Name:            CVE-2021-32686

Description:
Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.

Modules Affected:
bundled pjproject

Resolution:
If you use --with-pjproject-bundled then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch.

Affected Versions:
  Product                Release Series
  Asterisk Open Source   13.x   All versions
  Asterisk Open Source   16.x   All versions
  Asterisk Open Source   17.x   All versions
  Asterisk Open Source   18.x   All versions
  Certified Asterisk     16.x   All versions

Corrected In:
  Product                Release
  Asterisk Open Source   13.38.3, 16.19.1, 17.9.4, 18.5.1
  Certified Asterisk     16.8-cert10

Patches:
  Patch URL                                                          Revision
  https://downloads.digium.com/pub/security/AST-2021-009-13.diff     Asterisk 13
  https://downloads.digium.com/pub/security/AST-2021-009-16.diff     Asterisk 16
  https://downloads.digium.com/pub/security/AST-2021-009-17.diff     Asterisk 17
  https://downloads.digium.com/pub/security/AST-2021-009-18.diff     Asterisk 18
  https://downloads.digium.com/pub/security/AST-2021-009-16.8.diff   Certified Asterisk 16.8

Links:
  https://issues.asterisk.org/jira/browse/ASTERISK-29415
  https://downloads.asterisk.org/pub/security/AST-2021-009.html
  https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-009.pdf and https://downloads.digium.com/pub/security/AST-2021-009.html

Revision History:
  Date            Editor          Revisions Made
  June 14, 2021   Kevin Harwell   Initial revision

Asterisk Project Security Advisory - AST-2021-009
Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[asterisk-users] AST-2021-008: Remote crash when using IAX2 channel driver
Asterisk Project Security Advisory - AST-2021-008

Product:             Asterisk
Summary:             Remote crash when using IAX2 channel driver
Nature of Advisory:  Denial of service
Susceptibility:      Remote unauthenticated sessions
Severity:            Major
Exploits Known:      No
Reported On:         April 13, 2021
Reported By:         Michael Welk
Posted On:
Last Updated On:     July 6, 2021
Advisory Contact:    kharwell AT sangoma DOT com
CVE Name:            CVE-2021-32558

Description:
If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.

Modules Affected:
chan_iax2.c

Resolution:
Checks are now in place that make it so packets containing unsupported media formats are ignored/dropped in the IAX2 channel driver. This ensures Asterisk no longer crashes.

Affected Versions:
  Product                Release Series
  Asterisk Open Source   13.x   All versions
  Asterisk Open Source   16.x   All versions
  Asterisk Open Source   17.x   All versions
  Asterisk Open Source   18.x   All versions
  Certified Asterisk     16.8   All versions

Corrected In:
  Product                Release
  Asterisk Open Source   13.38.3, 16.19.1, 17.9.4, 18.5.1
  Certified Asterisk     16.8-cert10

Patches:
  Patch URL                                                         Revision
  http://downloads.digium.com/pub/security/AST-2021-008-13.diff     Asterisk 13
  http://downloads.digium.com/pub/security/AST-2021-008-16.diff     Asterisk 16
  http://downloads.digium.com/pub/security/AST-2021-008-17.diff     Asterisk 17
  http://downloads.digium.com/pub/security/AST-2021-008-18.diff     Asterisk 18
  http://downloads.digium.com/pub/security/AST-2021-008-16.8.diff   Certified Asterisk 16.8

Links:
  https://issues.asterisk.org/jira/browse/ASTERISK-29392
  https://downloads.asterisk.org/pub/security/AST-2021-008.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2021-008.pdf and http://downloads.digium.com/pub/security/AST-2021-008.html

Revision History:
  Date           Editor          Revisions Made
  May 10, 2021   Kevin Harwell   Initial revision

Asterisk Project Security Advisory - AST-2021-008
Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver
Asterisk Project Security Advisory - AST-2021-007

Product:             Asterisk
Summary:             Remote Crash Vulnerability in PJSIP channel driver
Nature of Advisory:  Denial of Service
Susceptibility:      Remote Authenticated Sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         April 6, 2021
Reported By:         Ivan Poddubny
Posted On:
Last Updated On:     July 6, 2021
Advisory Contact:    Jcolp AT sangoma DOT com
CVE Name:            CVE-2021-31878

Description:
When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is.

Modules Affected:
res_pjsip_session.c

Resolution:
Upgrade to one of the fixed versions of Asterisk or apply the appropriate patch.

Affected Versions:
  Product                Release Series
  Asterisk Open Source   16.x   16.17.0, 16.18.0, 16.19.0
  Asterisk Open Source   18.x   18.3.0, 18.4.0, 18.5.0

Corrected In:
  Product                Release
  Asterisk Open Source   16.19.1, 18.5.1

Patches:
  Patch URL                                                        Revision
  https://downloads.digium.com/pub/security/AST-2021-007-16.diff   Asterisk 16
  https://downloads.digium.com/pub/security/AST-2021-007-18.diff   Asterisk 18

Links:
  https://issues.asterisk.org/jira/browse/ASTERISK-29381
  https://downloads.asterisk.org/pub/security/AST-2021-007.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-007.pdf and https://downloads.digium.com/pub/security/AST-2021-007.html

Revision History:
  Date             Editor        Revisions Made
  April 28, 2021   Joshua Colp   Initial revision

Asterisk Project Security Advisory - AST-2021-007
Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[asterisk-users] Asterisk 13.38.3, 16.19.1, 17.9.4, 18.5.1 and 16.8-cert10 Now Available (Security)
The Asterisk Development Team would like to announce security releases for Asterisk 13, 16, 17 and 18, and Certified Asterisk 16.8. These are released as versions 13.38.3, 16.19.1, 17.9.4, 18.5.1 and 16.8-cert10.

These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver
  When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is.

* AST-2021-008: Remote crash when using IAX2 channel driver
  If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.

* AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake
  Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.

For a full list of changes in the current releases, please see the ChangeLogs:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.38.3
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.19.1
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-17.9.4
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.5.1
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert10

The security advisories are available at:
https://downloads.asterisk.org/pub/security/AST-2021-007.pdf
https://downloads.asterisk.org/pub/security/AST-2021-008.pdf
https://downloads.asterisk.org/pub/security/AST-2021-009.pdf

Thank you for your continued support of Asterisk!
[asterisk-users] Delay when dialing...
I started noticing a few days ago that whenever I dial any number or extension there is a delay of 5 to 10 seconds before Asterisk reacts. I see nothing on the CLI for that time and then the call goes through. I have checked my network to make sure there is nothing slowing down packets between the phones and the server. Any settings I should check on the Asterisk side? This is happening with all phones (several brands).

--
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez
+52 (55)8116-9161
Re: [asterisk-users] Patch to remove numbers from the logs
On Wed, Jul 21, 2021 at 8:18 PM Steve Edwards wrote:
> Please don't top-post.
>
> On Thu, 22 Jul 2021, Patrick Wakano wrote:
>
> > If you need something quick you could create a batch script with sed or
> > awk to remove the log lines you want and attach it to the prerotate
> > script of logrotate (in case you use any of these in your env).
> > Certainly this is not a final solution but it is already something that
> > doesn't depend on an asterisk patch.
> >
> > On Thu, Jul 8, 2021 at 3:58 PM Dovid Bender wrote:
> >
> > We have a project where people will be making payments over the phone. I
> > would like to block Asterisk from logging any time the system is processing
> > a card. So be it SayDigits(123456789), when the user enters DTMF or when
> > I pass a card number as a variable to an AGI etc. I assume this affects
> > others and I would like to have the patch created in a way that a. will
> > be accepted by Sangoma and b. will work for anyone else that has this
> > issue.
>
> I suspect the concern is having credit card numbers anywhere on disk,
> anytime.
>
> Your post suggests an alternative method that may be workable...
>
> rsyslog has a module, 'omprog' -- "This module permits to integrate
> arbitrary external programs into rsyslog's logging"
>
> I've never used it, but the description implies you could configure
> Asterisk to log to syslog, and then use rsyslog+omprog to pipe the
> messages through a script to filter out '16 digit numbers starting with
> 456' or '15 digit numbers starting with 3.'

I thought about that. The issue that I have is with, for example, "Playing 'digits/3.ulaw'" in the logs. It can be a credit card number OR it could be telling them how much money they are paying. If the latter I want to keep it. If it's repeating a credit card I don't.

> Way back in the day (before PCI), we used to keep the first 6 digits (the
> BIN) and the last 4 digits and replace the rest with x. We used to call
> the result a 'span.'
> I have no idea if this is current practice.
>
> --
> Thanks in advance,
> -
> Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
> https://www.linkedin.com/in/steve-edwards-4244281
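Steve's rsyslog+omprog idea and his BIN-plus-last-4 masking, worked through as an added example (my code, not anything posted in the thread): a filter omprog can feed each message through on stdin, rewriting 15/16-digit runs to first 6 + x's + last 4. It goes one step past the prefix rule Steve describes by requiring a valid Luhn checksum, so amounts and other digit runs survive; the regex, the sample log lines and the rsyslog directives in the comments are my assumptions.

```python
"""Constructed example: rsyslog omprog filter masking card-like numbers in Asterisk log lines."""
import re
import sys

# Runs of 15 or 16 digits, optionally split by single spaces or dashes; the
# lookarounds stop us from matching a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most amounts and IDs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(line: str) -> str:
    """Replace each Luhn-valid 15/16-digit run with BIN (6) + x's + last 4."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if len(digits) not in (15, 16) or not luhn_ok(digits):
            return raw  # not a card number as far as we can tell; keep it
        return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, line)


# Constructed sample lines (not real Asterisk output): two well-known test
# card numbers, then a digit run that fails Luhn and must be left alone.
SAMPLE = [
    '[Jul 8 15:58:01] VERBOSE[1234] pbx.c: SayDigits("SIP/100-0001", "4111111111111111")',
    '[Jul 8 15:58:02] VERBOSE[1234] pbx.c: AGI("SIP/100-0001", "charge.agi,378282246310005")',
    '[Jul 8 15:58:03] VERBOSE[1234] pbx.c: SayNumber("SIP/100-0001", "1234567890123456")',
]


def main() -> None:
    # rsyslog (assumed config): module(load="omprog") plus an action(type="omprog"
    # binary="<path to this script>") hands each message to us on stdin, one per line.
    for line in sys.stdin:
        sys.stdout.write(mask_pan(line))
        sys.stdout.flush()  # omprog waits per message; never buffer


if __name__ == "__main__":
    main()
```

This still cannot tell a per-digit "Playing 'digits/3.ulaw'" line from an amount, the case Dovid raises, because each such line carries only one digit; that distinction has to be made on the Asterisk side before the line is logged.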