Security: Two problems in Asterisk
Name: Two problems in Asterisk
ID: FEDORA-2012-4318
Distribution: Fedora
Platforms: Fedora 16
Date: Sat, 31 March 2012, 21:59
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1184
Applications: Asterisk

Original message

Name        : asterisk
Product     : Fedora 16
Version     : 1.8.10.1
Release     : 1.fc16
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

Update to 1.8.10.1, which fixes 2 security vulnerabilities.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 17 2012 Russell Bryant <russell@russellbryant.net> - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP digest
authentication handling.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Thu Nov 17 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
- (Closes issue ASTERISK-18663)
- Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
- (Closes issue ASTERISK-18747)
- Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already enabled
- by default.
- (Closes issue ASTERISK-18738)
- Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov 8 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012) ---
- http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
- (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory Nietsky)
- (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by Gregory
- Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
- (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
- (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by Terry
- Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
- (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry Wilson)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov 8 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Updated SIP 484 handling; added Incomplete control frame
- When a SIP phone uses the dial application and receives a 484 Address
- Incomplete response, if overlapped dialing is enabled for SIP, then the 484
- Address Incomplete is forwarded back to the SIP phone and the HANGUPCAUSE
- channel variable is set to 28. Previously, the Incomplete application
- dialplan logic was automatically triggered; now, explicit dialplan usage of
- the application is required.
- (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
- Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
- * Prevent IAX2 from getting IPv6 addresses via DNS
- IAX2 does not support IPv6
- and getting such addresses from DNS can cause error messages on the remote
- end involving bad IPv4 address casts in the presence of IPv6/IPv4 tunnels.
- (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
- * Fix bad RTP media bridges in directmedia calls on peers separated by multiple
- Asterisk nodes.
- (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
- ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
- * Fix crashes in ast_rtcp_write()
- (Closes issue ASTERISK-18570)
- Related issues that look like they are the same problem:
- (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
- ASTERISK-9977, ASTERISK-9716)
- Review: https://reviewboard.asterisk.org/r/1444/
- Patched by: Russell Bryant
-
- * Fix for incorrect voicemail duration in external notifications.
- This patch fixes an issue where the voicemail duration was being reported
- with a duration significantly less than the actual sound file duration.
- (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad House,
- Karsten Wemheuer, KevinH Tested by: Matt Jordan
- Review: https://reviewboard.asterisk.org/r/1443)
-
- * Prevent segfault if call arrives before Asterisk is fully booted.
- (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
- Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #804038 - CVE-2012-1183 asterisk: Stack-based buffer overwrite by
processing large audio packet in Miliwatt application (AST-2012-002)
https://bugzilla.redhat.com/show_bug.cgi?id=804038
[ 2 ] Bug #804042 - CVE-2012-1184 asterisk: Stack-based buffer overflow by
processing certain HTTP Digest Authentication headers (AST-2012-003)
https://bugzilla.redhat.com/show_bug.cgi?id=804042
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
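As an added example that is not part of the Fedora announcement, the following shell snippet compares an installed asterisk version-release string against the fixed version 1.8.10.1-1.fc16 from this update, so an administrator can confirm after `yum update asterisk` that the package carrying the fixes for CVE-2012-1183 and CVE-2012-1184 is actually in place. It assumes GNU coreutils `sort -V` (present on Fedora) and, for the live query only, the `rpm` tool; the version strings passed in the usage calls are constructed samples, not values from the page.

```shell
# Fixed version-release named in this advisory (FEDORA-2012-4318).
FIXED_EVR="1.8.10.1-1.fc16"

# asterisk_is_fixed VERSION-RELEASE
# Returns 0 when the given version-release is at or above the fixed one.
# Uses GNU `sort -V` (assumption) for the dotted-numeric comparison, so
# 1.8.7.1 sorts below 1.8.10.1 even though "7" > "1" as text.
asterisk_is_fixed() {
    local installed="$1"
    local lowest
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_EVR" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# check_installed_asterisk [VERSION-RELEASE]
# With an argument, evaluates that string; without one, asks rpm for the
# installed asterisk package. Returns 0 if patched, 1 if vulnerable, 2 if
# the package (or rpm itself) is not available.
check_installed_asterisk() {
    local evr="${1:-}"
    if [ -z "$evr" ]; then
        evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' asterisk 2>/dev/null | head -n1) || true
        if [ -z "$evr" ]; then
            echo "asterisk is not installed (or rpm is unavailable)"
            return 2
        fi
    fi
    if asterisk_is_fixed "$evr"; then
        echo "asterisk $evr: contains the fixes for CVE-2012-1183 / CVE-2012-1184"
        return 0
    fi
    echo "asterisk $evr: older than $FIXED_EVR, run: su -c 'yum update asterisk'"
    return 1
}

# Usage with constructed sample strings (the live query is: check_installed_asterisk)
check_installed_asterisk "1.8.7.1-1.fc16"        # vulnerable, exits 1
check_installed_asterisk "1.8.8.0-0.4.rc4.fc16"  # vulnerable, exits 1
check_installed_asterisk "1.8.10.1-1.fc16"       # patched, exits 0
```

The comparison is deliberately a plain version-sort rather than a full RPM EVR comparison: it ignores the Epoch field and treats the release tag as an ordinary dotted suffix, which is sufficient for the 1.8.x Fedora 16 builds listed in this changelog but not a general replacement for `rpmdev-vercmp`.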

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce