Login
Newsletter
Werbung

Sicherheit: Denial of Service in Asterisk
Aktuelle Meldungen Distributionen
Name: Denial of Service in Asterisk
ID: FEDORA-2011-8319
Distribution: Fedora
Plattformen: Fedora 15
Datum: Sa, 25. Juni 2011, 22:47
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2216
Applikationen: Asterisk

Originalnachricht

Name        : asterisk
Product : Fedora 15
Version : 1.8.4.2
Release : 1.fc15.1
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

-------------------------------------------------------------------------------
-
Update Information:

The Asterisk Development Team has announced the release of Asterisk
version 1.8.4.2, which is a security release for Asterisk 1.8.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.4.2 resolves an issue with SIP URI
parsing which can lead to a remotely exploitable crash:

Remote Crash Vulnerability in SIP channel driver (AST-2011-007)

The issue and resolution is described in the AST-2011-007 security
advisory.

For more information about the details of this vulnerability, please
read the security advisory AST-2011-007, which was released at the
same time as this announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.2

Security advisory AST-2011-007 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-007.pdf

The Asterisk Development Team has announced the release of Asterisk 1.8.4.1.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 1.8.4.1 resolves several issues reported by the
community. Without your help this release would not have been possible.
Thank you!

Below is a list of issues resolved in this release:

* Fix our compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)
(Closes issue #18951. Reported by jmls. Patched by wdoekes)

* Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
This issue was found and reported by the Asterisk test suite.
(Closes issue #18951. Patched by mnicholson)

* Resolve potential crash when using SIP TLS support.
(Closes issue #19192. Reported by stknob. Patched by Chainsaw. Tested by
vois, Chainsaw)

* Improve reliability when using SIP TLS.
(Closes issue #19182. Reported by st. Patched by mnicholson)


For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4.1

The Asterisk Development Team has announced the release of Asterisk 1.8.4. This
release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 1.8.4 resolves several issues reported by the
community.
Without your help this release would not have been possible. Thank you!

Below is a sample of the issues resolved in this release:

* Use SSLv23_client_method instead of old SSLv2 only.
(Closes issue #19095, #19138. Reported, patched by tzafrir. Tested by russell
and chazzam.

* Resolve crash in ast_mutex_init()
(Patched by twilson)

* Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
shihchuan, grecco. Patched by rmudgett)

NOTE: Be sure to read the ChangeLog for more information about these changes.

* Resolve deadlocks related to device states in chan_sip
(Closes issue #18310. Reported, patched by one47. Patched by jpeeler)

* Resolve an issue with the Asterisk manager interface leaking memory when
disabled.
(Reported internally by kmorgan. Patched by russellb)

* Support greetingsfolder as documented in voicemail.conf.sample.
(Closes issue #17870. Reported by edhorton. Patched by seanbright)

* Fix channel redirect out of MeetMe() and other issues with channel
softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
Patched by russellb)

* Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
jpeeler)

* Set hangup cause in local_hangup so the proper return code of 486 instead of
503 when using Local channels when the far sides returns a busy. Also affects
CCSS in Asterisk 1.8+.
(Patched by twilson)

* Fix issues with verbose messages not being output to the console.
(Closes issue #18580. Reported by pabelanger. Patched by qwell)

* Fix Deadlock with attended transfer of SIP call
(Closes issue #18837. Reported, patched by alecdavis. Tested by
alecdavid, Irontec, ZX81, cmaj)

Includes changes per AST-2011-005 and AST-2011-006
For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4

Information about the security releases are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

-------------------------------------------------------------------------------
-
ChangeLog:

* Fri Jun 10 2011 Marcela Mašláňová <mmaslano@redhat.com> - 1.8.4.2-1.1
- Perl 5.14 mass rebuild
* Fri Jun 3 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.4.2-1:
-
- The Asterisk Development Team has announced the release of Asterisk
- version 1.8.4.2, which is a security release for Asterisk 1.8.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.4.2 resolves an issue with SIP URI
- parsing which can lead to a remotely exploitable crash:
-
- Remote Crash Vulnerability in SIP channel driver (AST-2011-007)
-
- The issue and resolution is described in the AST-2011-007 security
- advisory.
-
- For more information about the details of this vulnerability, please
- read the security advisory AST-2011-007, which was released at the
- same time as this announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- ChangeLog-1.8.4.2
-
- Security advisory AST-2011-007 is available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-007.pdf
-
- The Asterisk Development Team has announced the release of Asterisk 1.8.4.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.4.1 resolves several issues reported by the
- community. Without your help this release would not have been possible.
- Thank you!
-
- Below is a list of issues resolved in this release:
-
- * Fix our compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)
- (Closes issue #18951. Reported by jmls. Patched by wdoekes)
-
- * Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
- This issue was found and reported by the Asterisk test suite.
- (Closes issue #18951. Patched by mnicholson)
-
- * Resolve potential crash when using SIP TLS support.
- (Closes issue #19192. Reported by stknob. Patched by Chainsaw. Tested by
- vois, Chainsaw)
-
- * Improve reliability when using SIP TLS.
- (Closes issue #19182. Reported by st. Patched by mnicholson)
-
-
- For a full list of changes in this release candidate, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4.1

- The Asterisk Development Team has announced the release of Asterisk 1.8.4.
This
- release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.4 resolves several issues reported by the
community.
- Without your help this release would not have been possible. Thank you!
-
- Below is a sample of the issues resolved in this release:
-
- * Use SSLv23_client_method instead of old SSLv2 only.
- (Closes issue #19095, #19138. Reported, patched by tzafrir. Tested by
russell
- and chazzam.
-
- * Resolve crash in ast_mutex_init()
- (Patched by twilson)
-
- * Resolution of several DTMF based attended transfer issues.
- (Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
- shihchuan, grecco. Patched by rmudgett)
-
- NOTE: Be sure to read the ChangeLog for more information about these
changes.
-
- * Resolve deadlocks related to device states in chan_sip
- (Closes issue #18310. Reported, patched by one47. Patched by jpeeler)
-
- * Resolve an issue with the Asterisk manager interface leaking memory when
- disabled.
- (Reported internally by kmorgan. Patched by russellb)
-
- * Support greetingsfolder as documented in voicemail.conf.sample.
- (Closes issue #17870. Reported by edhorton. Patched by seanbright)
-
- * Fix channel redirect out of MeetMe() and other issues with channel
softhangup
- (Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
- Patched by russellb)
-
- * Fix voicemail sequencing for file based storage.
- (Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
- jpeeler)
-
- * Set hangup cause in local_hangup so the proper return code of 486 instead
of
- 503 when using Local channels when the far sides returns a busy. Also
affects
- CCSS in Asterisk 1.8+.
- (Patched by twilson)
-
- * Fix issues with verbose messages not being output to the console.
- (Closes issue #18580. Reported by pabelanger. Patched by qwell)
-
- * Fix Deadlock with attended transfer of SIP call
- (Closes issue #18837. Reported, patched by alecdavis. Tested by
- alecdavid, Irontec, ZX81, cmaj)
-
- Includes changes per AST-2011-005 and AST-2011-006
- For a full list of changes in this release candidate, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4
-
- Information about the security releases are available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-006.pdf
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #710441 - CVE-2011-2216 Asterisk: Remote DoS (crash) in SIP channel
driver (AST-2011-007)
https://bugzilla.redhat.com/show_bug.cgi?id=710441
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung