--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-0794
2011-01-26 20:37:21
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 13
Version     : 1.6.2.16.1
Release     : 1.fc13
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with almost
all standards-based telephony equipment using relatively inexpensive
hardware.

--------------------------------------------------------------------------------
Update Information:

Update to 1.6.2.16.1 to fix CVE-2011-0495.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 25 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced security releases for the following
- versions of Asterisk:
-
- * 1.4.38.1
- * 1.4.39.1
- * 1.6.1.21
- * 1.6.2.15.1
- * 1.6.2.16.1
- * 1.8.1.2
- * 1.8.2.1
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2,
- 1.8.1.2, and 1.8.2.1 resolve an issue when forming an outgoing SIP request while
- in pedantic mode, which can cause a stack buffer to be made to overflow if
- supplied with carefully crafted caller ID information. The issue and resolution
- are described in the AST-2011-001 security advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-001, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLog:
-
- ChangeLog-1.4.38.1
- ChangeLog-1.4.39.1
- ChangeLog-1.6.1.21
- ChangeLog-1.6.2.15.1
- ChangeLog-1.6.2.16.1
- ChangeLog-1.8.1.2
- ChangeLog-1.8.2.1
-
- Security advisory AST-2011-001 is available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-001.pdf

* Tue Jan 25 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk 1.6.2.16.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.16 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Fix cache of device state changes for multiple servers.
-   (Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
-   by russellb)
-
- * Resolve issue where channel redirect function (CLI or AMI) hangs up the call
-   instead of redirecting the call.
-   (Closes issue #18171. Reported by: SantaFox)
-   (Closes issue #18185. Reported by: kwemheuer)
-   (Closes issue #18211. Reported by: zahir_koradia)
-   (Closes issue #18230. Reported by: vmarrone)
-   (Closes issue #18299. Reported by: mbrevda)
-   (Closes issue #18322. Reported by: nerbos)
-
- * Linux and *BSD disagree on the elements within the ucred structure. Detect
-   which one is in use on the system.
-   (Closes issue #18384. Reported, patched, tested by bjm, tilghman)
-
- * app_followme: Don't create a Local channel if the target extension does not
-   exist.
-   (Closes issue #18126. Reported, patched by junky)
-
- * Revert code that changed SSRC for DTMF.
-   (Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou. rsw686.
-   Tested by cmbaker82)
-
- * Resolve issue where REGISTER request with a Call-ID matching an existing
-   transaction is received it was possible that the REGISTER request would
-   overwrite the initreq of the private structure.
-   (Closes issue #18051. Reported by eeman. Patched, tested by twilson)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16

* Tue Jan 25 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk 1.6.2.15.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.15 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * When using chan_skinny, don't crash when parking a non-bridged call.
-   (Closes issue #17680. Reported, tested by jmhunter. Patched, tested by DEA)
-
- * Add ability for Asterisk to try both the encoded and unencoded subscription
-   URI for a match in hints.
-   (Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
-
- * Set the caller id on CDRs when it is set on the parent channel.
-   (Closes issue #17569. Reported, patched by tbelder)
-
- * Ensure user portion of SIP URI matches dialplan when using encoded characters
-   (Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
-
- * Resolve issue where Party A in an analog 3-way call would continue to hear
-   ringback after party C answers.
-   (Patched by rmudgett)
-
- * Fix problem with qualify option packets for realtime peers never stopping.
-   The option packets not only never stopped, but if a realtime peer was not in
-   the peer list multiple options dialogs could accumulate over time.
-   (Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
-   jpeeler)
-
- * Multiple fixes related to Local channels.
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.15

* Tue Jan 25 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk
- 1.6.2.14. This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.14 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Fix issue where session timers would be advertised as supported even
-   when session-timers=refuse was set in sip.conf. Also fix
-   interoperability problems with session timer behavior in Asterisk.
-   (Closes issue #17005. Reported by alexcarey. Patched by dvossel)
-
- * Parse all "Accept" headers for SIP SUBSCRIBE requests.
-   (Closes issue #17758. Reported by ibc. Patched by dvossel)
-
- * Fix issue where queue stats would be reset on reload.
-   (Closes issue #17535. Reported by raarts. Patched by tilghman)
-
- * Fix issue where MoH files were no longer rescanned on during a
-   reload.
-   (Closes issue #16744. Reported by pj. Patched by Qwell)
-
- * Fix issue with dialplan pattern matching where the specificity for
-   pattern ranges and pattern characters was inconsistent.
-   (Closes issue #16903. Reported, patched by Nick_Lewis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.14

* Fri Oct 8 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.14-0.1.rc1
- The release of Asterisk 1.6.2.14-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Fix issue where session timers would be advertised as supported even when
-   session-timers=refuse was set in sip.conf. Also fix interoperability
-   problems with session timer behavior in Asterisk.
-   (Closes issue #17005. Reported by alexcarey. Patched by dvossel)
-
- * Fix issue with decoding ^-escaped characters in realtime (res_pgsql).
-   (Closes issue #17790. Reported by denzs. Patched by Qwell)
-
- * Parse all "Accept" headers for SIP SUBSCRIBE requests.
-   (Closes issue #17758. Reported by ibc. Patched by dvossel)
-
- * Fix issue where queue stats would be reset on reload.
-   (Closes issue #17535. Reported by raarts. Patched by tilghman)
-
- * Fix issue where MoH files were no longer rescanned on during a reload.
-   (Closes issue #16744. Reported by pj. Patched by Qwell)
-
- * Fix issue with dialplan pattern matching where the specificity for pattern
-   ranges and pattern characters was inconsistent.
-   (Closes issue #16903. Reported, patched by Nick_Lewis)
-
- For a full list of changes in the current release candidate, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.14-rc1

- This release resolves an issue where the .version and ChangeLog files were not
- updated for 1.6.2.12. Asterisk 1.6.2.13 has no additional changes from 1.6.2.12
- other than the .version, ChangeLog and summary files.
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.13

- The release of Asterisk 1.6.2.12 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Fix issue where DNID does not get cleared on a new call when using
-   immediate=yes with ISDN signaling.
-   (Closes issue #17568. Reported by wuwu. Patched by rmudgett)
- * Several updates to res_config_ldap.
-   (Closes issue #13573. Reported by navkumar. Patched by navkumar, bencer.
-   Tested by suretec)
- * Prevent loss of Caller ID information set on local channel after masquerade.
-   (Closes issue #17138. Reported by kobaz, patched by jpeeler)
- * Fix SIP peers memory leak.
-   (Closes issue #17774. Reported, patched by kkm)
- * Add Danish support to say.conf.sample
-   (Closes issue #17836. Reported, patched by RoadKill)
- * Ensure SSRC is changed when media source is changed to resolve audio delay.
-   (Closes issue #17404. Reported, tested by sdolloff. Patched by jpeeler)
- * Only do magic pickup when notifycid is enabled.
-   A new way of doing BLF pickup was introduced into 1.6.2. This feature adds a
-   call-id value into the XML of a SIP_NOTIFY message sent to alert a subscriber
-   that a device is ringing. This option should only be enabled when the new
-   'notifycid' option is set, but this was not the case. Instead the call-id
-   value was included for every RINGING Notify message, which caused a
-   regression for people who used other methods for call pickup.
-   (Closes issue #17633. Reported, patched by urosh. Patched by dvossel.
-   Tested by: dvossel, urosh, okrief, alecdavis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.12

* Tue Aug 24 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.12-0.1.rc1
- The release of Asterisk 1.6.2.12-RC1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Fix issue where DNID does not get cleared on a new call when using
-   immediate=yes with ISDN signaling.
-   (Closes issue #17568. Reported by wuwu. Patched by rmudgett)
-
- * Several updates to res_config_ldap.
-   (Closes issue #13573. Reported by navkumar. Patched by navkumar, bencer.
-   Tested by suretec)
-
- * Prevent loss of Caller ID information set on local channel after masquerade.
-   (Closes issue #17138. Reported by kobaz, patched by jpeeler)
-
- * Fix SIP peers memory leak.
-   (Closes issue #17774. Reported, patched by kkm)
-
- * Add Danish support to say.conf.sample
-   (Closes issue #17836. Reported, patched by RoadKill)
-
- * Ensure SSRC is changed when media source is changed to resolve audio delay.
-   (Closes issue #17404. Reported, tested by sdolloff. Patched by jpeeler)
-
- * Only do magic pickup when notifycid is enabled.
-   A new way of doing BLF pickup was introduced into 1.6.2. This feature adds a
-   call-id value into the XML of a SIP_NOTIFY message sent to alert a subscriber
-   that a device is ringing. This option should only be enabled when the new
-   'notifycid' option is set, but this was not the case. Instead the call-id
-   value was included for every RINGING Notify message, which caused a
-   regression for people who used other methods for call pickup.
-   (Closes issue #17633. Reported, patched by urosh. Patched by dvossel.
-   Tested by: dvossel, urosh, okrief, alecdavis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.12-rc1

* Wed Aug 11 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.11-1
-
- The following are a few of the issues resolved by community developers:
-
- * Send DialPlanComplete as a response, not as a separate event. Otherwise, it
-   goes to all manager sessions and may exclude the current session, if the
-   Events mask excludes it.
-   (Closes issue #17504. Reported, patched by rrb3942)
-
- * Allow the "useragent" value to be restored into memory from the realtime
-   backend. This value is purely informational. It does not alter configuration
-   at all.
-   (Closes issue #16029. Reported, patched by Guggemand)
-
- * Fix rt(c)p set debug ip taking wrong argument Also clean up some coding
-   errors.
-   (Closes issue #17469. Reported, patched by wdoekes)
-
- * Ensure channel placed in meetme in ringing state is properly hung up. An
-   outgoing channel placed in meetme while still ringing which was then hung up
-   would not exit meetme and the channel was not properly destroyed.
-   (Closes issue #15871. Reported, patched by Ivan)
-
- * Correct how 100, 200, 300, etc. is said. Also add the crazy British numbers.
-   (Closes issue #16102. Reported, patched by Delvar)
-
- * cdr_pgsql does not detect when a table is found. This change adds an ERROR
-   message to let you know when a failure exists to get the columns from the
-   pgsql database, which typically means that the table does not exist.
-   (Closes issue #17478. Reported, patched by kobaz)
-
- * Avoid crashing when installing a duplicate translation path with a lower
-   cost.
-   (Closes issue #17092. Reported, patched by moy)
-
- * Add missing handling for ringing state for use with queue empty options.
-   (Closes issue #17471. Reported, patched by jazzy)
-
- * Fix reporting estimated queue hold time. Just say the number of seconds
-   (after minutes) rather than doing some incorrect calculation with respect to
-   minutes.
-   (Closes issue #17498. Reported, patched by corruptor)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.11

* Sat Jul 31 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.10-1
-
- The following are a few of the issues resolved by community developers:
-
- * Allow users to specify a port for DUNDI peers.
-   (Closes issue #17056. Reported, patched by klaus3000)
-
- * Decrease the module ref count in sip_hangup when SIP_DEFER_BYE_ON_TRANSFER is
-   set.
-   (Closes issue #16815. Reported, patched by rain)
-
- * If there is realtime configuration, it does not get re-read on reload unless
-   the config file also changes.
-   (Closes issue #16982. Reported, patched by dmitri)
-
- * Send AgentComplete manager event for attended transfers.
-   (Closes issue #16819. Reported, patched by elbriga)
-
- * Correct manager variable 'EventList' case.
-   (Closes issue #17520. Reported, patched by kobaz)
-
- In addition, changes to res_timing_pthread that should make it more stable have
- also been implemented.
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.10

* Wed Jul 14 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.8-0.3.rc1
- Add patch to remove requirement on latex2html

* Tue Jun 1 2010 Marcela Maslanova <mmaslano@redhat.com> - 1.6.2.8-0.2.rc1
- Mass rebuild with perl-5.12.0

* Tue May 4 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.7-1
- * Fix building CDR and CEL SQLite3 modules.
-   (Closes issue #17017. Reported by alephlg. Patched by seanbright)
-
- * Resolve crash in SLAtrunk when the specified trunk doesn't exist.
-   (Reported in #asterisk-dev by philipp64. Patched by seanbright)
-
- * Include an extra newline after "Aliased CLI command" to get back the prompt.
-   (Issue #16978. Reported by jw-asterisk. Tested, patched by seanbright)
-
- * Prevent segfault if bad magic number is encountered.
-   (Issue #17037. Reported, patched by alecdavis)
-
- * Update code to reflect that handle_speechset has 4 arguments.
-   (Closes issue #17093. Reported, patched by gpatri. Tested by pabelanger,
-   mmichelson)
-
- * Resolve a deadlock in chan_local.
-   (Closes issue #16840. Reported, patched by bzing2, russell. Tested by bzing2)

* Mon May 3 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.7-0.2.rc3
- Update to 1.6.2.7-rc3

* Thu Apr 15 2010 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.6.2.7-0.1.rc2
- Update to 1.6.2.7-rc2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #670777 - CVE-2011-0495 Asterisk: Stack-based buffer overflow by forming an outgoing SIP request with specially-crafted caller ID information (AST-2011-001)
        https://bugzilla.redhat.com/show_bug.cgi?id=670777
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update asterisk' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
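
To confirm that a host really carries the fix after updating, the following added example (not part of the original notification) tests a version string against the fixed releases listed in the ChangeLog above. A plain "greater than or equal" comparison would wrongly accept 1.6.2.16, which sorts above the fixed 1.6.2.15.1 but is not itself a fixed release. The function names, and the rule that a later patch level on a listed release line keeps the fix, are assumptions of this example.

```shell
#!/bin/sh
# Added example. Fixed releases copied from the announcement in the ChangeLog.
FIXED_RELEASES="1.4.38.1 1.4.39.1 1.6.1.21 1.6.2.15.1 1.6.2.16.1 1.8.1.2 1.8.2.1"

# has_ast_2011_001_fix VERSION
# Returns 0 when VERSION is one of the listed security releases, or a later
# patch level on the same release line (assumption: later patch levels keep
# the fix). Returns 1 for everything else, including versions the
# announcement does not mention.
has_ast_2011_001_fix() {
    ver=${1%%-*}                    # drop an RPM release suffix such as "-1.fc13"
    case $ver in
        ''|*[!0-9.]*) return 1 ;;   # only plain dotted numbers are handled
    esac
    for fixed in $FIXED_RELEASES; do
        line=${fixed%.*}            # release line, e.g. 1.6.2.16
        patch=${fixed##*.}          # first patch level with the fix, e.g. 1
        case $ver in
            "$line".*)
                rest=${ver#"$line".}
                have=${rest%%.*}    # patch level of the version under test
                [ -n "$have" ] && [ "$have" -ge "$patch" ] && return 0
                ;;
        esac
    done
    return 1
}

# Report the state of the locally installed package when rpm is available.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}' asterisk 2>/dev/null) || {
        echo "asterisk is not installed"; return 2; }
    if has_ast_2011_001_fix "$installed"; then
        echo "asterisk $installed: AST-2011-001 fix present"
    else
        echo "asterisk $installed: not a listed fixed release, update needed"
        return 1
    fi
}
```

Source the file and run check_installed on the host, or call has_ast_2011_001_fix with version strings taken from an inventory.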

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce