Re: [asterisk-users] Asterisk 13.19.0 Now Available
On 12.01.2018 20:27, Joshua Colp wrote:
>> I highly respect your work and don't want to steal your time since I
>> have probably seriously misunderstood something, but could you please
>> shortly explain what the string "Security: " (aka "(Security)" and with
>> other wordings) at the beginning of the short explanation text for an
>> issue exactly means?
>
> If you check those specific issues on JIRA you can see the specific releases
> they went into. They were also done in 14 as part of the past security
> releases so they were still fixed there. The script just may not have been
> run with the proper arguments to generate things correctly.

I see. Thank you very much for explaining!

I wish you a pleasant weekend,

Binarus

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Asterisk 13.19.0 Now Available
On Fri, Jan 12, 2018, at 3:02 PM, Binarus wrote:
> Thanks for taking the time, but ...
>
> On 12.01.2018 12:04, Joshua Colp wrote:
>
> >> Could this be one of the rare cases where 13 and 15 needed security
> >> fixes, but 14 didn't?
> >
> > These are normal bug fix releases, not security releases. As such 14 did
> > not receive a release.
> >
>
> Interesting. The announcements for 13.19.0 and 15.2.0 you have made here
> both list all issues which have been fixed in the section "Bugs fixed in
> this release". However,
>
> ASTERISK-27480
> ASTERISK-27452
> ASTERISK-27337
> ASTERISK-27319
>
> seem to be security related (according to the short explanation texts in
> the announcements) and have been fixed both in 15.2.0 and 13.19.0.
>
> I am wondering why 14 does not suffer from them, or -if it suffers from
> them- why they are not considered security related there.
>
> I highly respect your work and don't want to steal your time since I
> have probably seriously misunderstood something, but could you please
> shortly explain what the string "Security: " (aka "(Security)" and with
> other wordings) at the beginning of the short explanation text for an
> issue exactly means?

If you check those specific issues on JIRA you can see the specific releases they went into. They were also done in 14 as part of the past security releases so they were still fixed there. The script just may not have been run with the proper arguments to generate things correctly.

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
Re: [asterisk-users] Asterisk 13.19.0 Now Available
See https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions for information regarding the release cycle. It shows v14 went into security fix only mode on Sept 26 2017.

On 01/12/2018 02:02 PM, Binarus wrote:
> Thanks for taking the time, but ...
>
> On 12.01.2018 12:04, Joshua Colp wrote:
> >> Could this be one of the rare cases where 13 and 15 needed security
> >> fixes, but 14 didn't?
> >
> > These are normal bug fix releases, not security releases. As such 14 did
> > not receive a release.
>
> Interesting. The announcements for 13.19.0 and 15.2.0 you have made here
> both list all issues which have been fixed in the section "Bugs fixed in
> this release". However,
>
> ASTERISK-27480
> ASTERISK-27452
> ASTERISK-27337
> ASTERISK-27319
>
> seem to be security related (according to the short explanation texts in
> the announcements) and have been fixed both in 15.2.0 and 13.19.0.
>
> I am wondering why 14 does not suffer from them, or -if it suffers from
> them- why they are not considered security related there.
>
> I highly respect your work and don't want to steal your time since I
> have probably seriously misunderstood something, but could you please
> shortly explain what the string "Security: " (aka "(Security)" and with
> other wordings) at the beginning of the short explanation text for an
> issue exactly means?
>
> Thank you very much,
>
> Binarus
Re: [asterisk-users] Asterisk 13.19.0 Now Available
Thanks for taking the time, but ...

On 12.01.2018 12:04, Joshua Colp wrote:
>> Could this be one of the rare cases where 13 and 15 needed security
>> fixes, but 14 didn't?
>
> These are normal bug fix releases, not security releases. As such 14 did not
> receive a release.
>

Interesting. The announcements for 13.19.0 and 15.2.0 you have made here both list all issues which have been fixed in the section "Bugs fixed in this release". However,

ASTERISK-27480
ASTERISK-27452
ASTERISK-27337
ASTERISK-27319

seem to be security related (according to the short explanation texts in the announcements) and have been fixed both in 15.2.0 and 13.19.0.

I am wondering why 14 does not suffer from them, or -if it suffers from them- why they are not considered security related there.

I highly respect your work and don't want to steal your time since I have probably seriously misunderstood something, but could you please shortly explain what the string "Security: " (aka "(Security)" and with other wordings) at the beginning of the short explanation text for an issue exactly means?

Thank you very much,

Binarus
Re: [asterisk-users] Asterisk 13.19.0 Now Available
On Fri, Jan 12, 2018, at 2:51 AM, Binarus wrote:
> On 11.01.2018 20:51, Asterisk Development Team wrote:
> > The Asterisk Development Team would like to announce the release of
> > Asterisk 13.19.0.
> > This release is available for immediate download at
> > http://downloads.asterisk.org/pub/telephony/asterisk
> >
> > The release of Asterisk 13.19.0 resolves several issues reported by the
> > community and would have not been possible without your participation.
> >
> > *Thank you!*
>
> Thank you very much for caring so much about security and bug fixes!
>
> But in this case, I am slightly worried. I saw the announcements for
> version 13 and version 15, but no announcement for version 14 yet. The
> website currently still offers 14.7.5 for download.
>
> Could this be one of the rare cases where 13 and 15 needed security
> fixes, but 14 didn't?

These are normal bug fix releases, not security releases. As such 14 did not receive a release.

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
Re: [asterisk-users] Asterisk 13.19.0 Now Available
On 11.01.2018 20:51, Asterisk Development Team wrote:
> The Asterisk Development Team would like to announce the release of
> Asterisk 13.19.0.
> This release is available for immediate download at
> http://downloads.asterisk.org/pub/telephony/asterisk
>
> The release of Asterisk 13.19.0 resolves several issues reported by the
> community and would have not been possible without your participation.
>
> *Thank you!*

Thank you very much for caring so much about security and bug fixes!

But in this case, I am slightly worried. I saw the announcements for version 13 and version 15, but no announcement for version 14 yet. The website currently still offers 14.7.5 for download.

Could this be one of the rare cases where 13 and 15 needed security fixes, but 14 didn't?

Thank you very much,

Binarus
[asterisk-users] Asterisk 13.19.0 Now Available
The Asterisk Development Team would like to announce the release of
Asterisk 13.19.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 13.19.0 resolves several issues reported by the
community and would have not been possible without your participation.

Thank you!

The following issues are resolved in this release:

New Features made in this release:
---
* ASTERISK-27478 - PJSIP: Add CHANNEL(pjsip,request_uri) to get incoming INVITE Request-URI. (Reported by Richard Mudgett)
* ASTERISK-27413 - Add cache_media_frames debugging option. (Reported by Richard Mudgett)
* ASTERISK-27206 - res_pjsip: No mechanism exists to limit endpoint identification to IP only (Reported by Ben Merrills)

Bugs fixed in this release:
---
* ASTERISK-27531 - Compiler optimizations can break module load sequence. (Reported by abelbeck)
* ASTERISK-27480 - Security: Authenticated SUBSCRIBE without Contact crashes asterisk (Reported by Ross Beer)
* ASTERISK-27299 - Asterisk Hangs with Bad file descriptor on read() (Reported by Abhay Gupta)
* ASTERISK-25079 - AMI bridge of channels results in MOH not destroyed and robotic audio on one channel (Reported by Zane Conkle)
* ASTERISK-27490 - chan_console: 'set active' fails to work (Reported by Tzafrir Cohen)
* ASTERISK-24756 - ConfBridge sound_muted does not work from CLI or AMI (Reported by Thomas Frederiksen)
* ASTERISK-25649 - Transfer application does not work with Local channels - documentation misleading (Reported by Ivan Ullmann)
* ASTERISK-25869 - chan_sip: "rejected because extension not found" should be logged as a security event (Reported by Brian J. Murrell)
* ASTERISK-27440 - Strictrtp has issues to qualify video rtp streams (Reported by Wim De Vlaminck)
* ASTERISK-24329 - Music On Hold announcement cuts intro of music the first time it is played (Reported by Thomas Frederiksen)
* ASTERISK-19657 - Coverity Report: Fix issues for error type CHAR_IO (Reported by Matt Jordan)
* ASTERISK-27175 - iax.conf demo peer is invalid (Reported by Tzafrir Cohen)
* ASTERISK-27430 - README refers to security documents that do not exist. (Reported by Corey Farrell)
* ASTERISK-20281 - "core set verbose" behaves strangely, can't alias it, cli.conf example broken (Reported by Tim Ringenbach at Asteria Solutions Group)
* ASTERISK-27382 - crash after an invalid rtcp packet from GT48 FXS gateway (Reported by Tzafrir Cohen)
* ASTERISK-27429 - res_rtp_asterisk: Multiple reports in an RTCP packet will write past where it should (Reported by Vitezslav Novy)
* ASTERISK-27408 - Identify causes and fix pjsip/resolver/srv/failover/in_dialog/transport_tcp (Reported by Corey Farrell)
* ASTERISK-18411 - Queue members with hints for state_interface get stuck in "In Use" state. (Reported by Steven T. Wheeler)
* ASTERISK-26131 - chan_sip: Crash Asterisk (in sip_request_call at chan_sip.c) by making a call to a single character in a dot pattern match (Reported by Dwayne Hubbard)
* ASTERISK-27475 - codec_opus requires libcurl (Reported by Samuel For)
* ASTERISK-27467 - pjsip_options: qualify_frequency sometimes not applied on reload (Reported by John Bigelow)
* ASTERISK-27465 - CLI Completion Not Working (Reported by Ross Beer)
* ASTERISK-27460 - CDR: Deadlock using AMI Originate with Variable CDR(amaflags)=... (Reported by Richard Mudgett)
* ASTERISK-27453 - RTP: Blind transfer direct media scenario results in one way audio. (Reported by Richard Mudgett)
* ASTERISK-20643 - SIP ICE support - remove hardcoded limitation on SDP size, make ICE support disabled by default in SIP, maybe provide a better warning message (Reported by Roy)
* ASTERISK-26980 - pjsip: Clean up WebRTC disables (Reported by abelbeck)
* ASTERISK-27452 - Security: chan_skinny: Memory exhaustion if flooded with unauthenticated requests (Reported by George Joseph)
* ASTERISK-27454 - res_http_post: Don't require GMIME_MAJOR_VERSION (Reported by Joshua Colp)
* ASTERISK-23735 - Transcoding makes bad choice in high-rate translations (Reported by Richard Kenner)
* ASTERISK-27445 - ARI: Updating a bridge gives wrong error message. (Reported by Frank Durden)
* ASTERISK-24662 - [patch] column and row headers for Signed Linear format variants in output of 'core show translation' are ambiguous (Reported by Rusty Newton)
* ASTERISK-27353 - H323 audio starts with a delay of 2 seconds.