VoIP Mailing List Archives
Mailing list archives for the VoIP community
[asterisk-users] Asterisk 11.6-cert15, 11.23.1, 13.8-cert3, 13.11.1 Now Available (Security Release)
asteriskteam at digium...
Posted: Thu Sep 08, 2016 3:25 pm

The Asterisk Development Team has announced security releases for
Certified Asterisk 11.6, Asterisk 11, Certified Asterisk 13.8 and
Asterisk 13.


The available security releases are released as versions 11.6-cert15,
11.23.1, 13.8-cert3 and 13.11.1.


These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases


The release of these versions resolves the following security
vulnerabilities:


* AST-2016-006: Crash on ACK from unknown endpoint


  Asterisk can be crashed remotely by sending an ACK to it from an
  endpoint username that Asterisk does not recognize. Most SIP request
  types result in an "artificial" endpoint being looked up, but ACKs
  bypass this lookup. The resulting NULL pointer results in a crash
  when attempting to determine if ACLs should be applied.

  This issue was introduced in the Asterisk 13.10 release and only
  affects that release and later releases.

  This issue only affects users using the PJSIP stack with Asterisk.
  Those users that use chan_sip are unaffected.


* AST-2016-007: RTP Resource Exhaustion

  The overlap dialing feature in chan_sip allows chan_sip to report to a
  device that the number that has been dialed is incomplete and more
  digits are required. If this functionality is used with a device that
  has performed username/password authentication, RTP resources are
  leaked. This occurs because the code fails to release the old RTP
  resources before allocating new ones in this scenario. If all
  resources are used, then RTP port exhaustion will occur and no RTP
  sessions are able to be set up.


For a full list of changes in the current releases, please see the
ChangeLogs:


http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert15
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.23.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.8-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.11.1


The security advisories are available at:


 * http://downloads.asterisk.org/pub/security/AST-2016-006.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-007.pdf


Thank you for your continued support of Asterisk!
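
The following triage helper is an added example and is not part of the announcement above or of the Asterisk code base. It takes an `asterisk -V` style version string, maps it onto the four branches the announcement covers (Certified 11.6, 11, Certified 13.8, 13), and reports whether the build is older than the fixed release on that branch, then applies the two stated conditions: AST-2016-006 only matters for PJSIP users on 13.10 or later, AST-2016-007 only for chan_sip users. The module-name scan in `sip_stacks_in_use` and the treatment of every unpatched build on a covered branch as exposed to AST-2016-007 are assumptions of this example, not statements from the advisory; the `module show` text used in the demo is constructed, not captured.

```python
"""Triage helper for the Asterisk security releases of 8 September 2016.

Added example; not part of the announcement or of the Asterisk code base.
It compares an `asterisk -V` style version string against the fixed releases
named in the announcement (11.6-cert15, 11.23.1, 13.8-cert3, 13.11.1) and
applies the stated conditions for each advisory:
  * AST-2016-006 needs the PJSIP stack and a 13.10-or-later build;
  * AST-2016-007 needs chan_sip.
Assumption (not stated in the announcement): every unpatched build on one of
the four covered branches is treated as exposed to AST-2016-007.
"""
import re
from typing import NamedTuple, Optional, Set, Tuple


class AsteriskVersion(NamedTuple):
    major: int
    minor: int
    patch: int            # third component of a standard release, 0 if absent
    cert: Optional[int]   # N from "-certN" for Certified Asterisk, else None

    @property
    def branch(self) -> Tuple[str, int, Optional[int]]:
        """Certified builds are maintained per major.minor, standard ones per major."""
        if self.cert is not None:
            return ("certified", self.major, self.minor)
        return ("standard", self.major, None)

    def order_key(self) -> Tuple[int, int, int]:
        """Comparable only within one branch: cert number or patch level comes last."""
        return (self.major, self.minor, self.cert if self.cert is not None else self.patch)


# Matches "13.11.1", "13.8-cert3", "certified/11.6-cert15" and Debian's "13.11.1~dfsg-1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?")


def parse_version(text: str) -> AsteriskVersion:
    """Extract the version from e.g. 'Asterisk certified/13.8-cert2'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Asterisk version found in {text!r}")
    major, minor, patch, cert = m.groups()
    return AsteriskVersion(int(major), int(minor), int(patch or 0), int(cert) if cert else None)


# First fixed release on each branch, as listed in the announcement.
FIXED_IN = {v.branch: v for v in map(parse_version, ["11.6-cert15", "11.23.1", "13.8-cert3", "13.11.1"])}


def is_patched(v: AsteriskVersion) -> Optional[bool]:
    """True/False on the four covered branches; None for a branch the announcement does not cover."""
    fix = FIXED_IN.get(v.branch)
    if fix is None:
        return None
    return v.order_key() >= fix.order_key()


def sip_stacks_in_use(module_show_output: str) -> Tuple[bool, bool]:
    """(uses_pjsip, uses_chan_sip) from the text of `asterisk -rx 'module show like sip'`.

    Assumption: each loaded module is listed on its own line under its .so file name.
    """
    lines = module_show_output.splitlines()
    return (any("res_pjsip.so" in line for line in lines),
            any("chan_sip.so" in line for line in lines))


def exposure(version_text: str, uses_pjsip: bool, uses_chan_sip: bool) -> Optional[Set[str]]:
    """Advisory IDs the build appears exposed to; None if its branch is not covered here."""
    v = parse_version(version_text)
    patched = is_patched(v)
    if patched is None:
        return None
    if patched:
        return set()
    found = set()
    # AST-2016-006 was introduced in 13.10, so no 11.x or Certified 13.8 build is in scope.
    if uses_pjsip and v.cert is None and (v.major, v.minor) >= (13, 10):
        found.add("AST-2016-006")
    if uses_chan_sip:  # see the module docstring for the assumption made here
        found.add("AST-2016-007")
    return found


if __name__ == "__main__":
    # Constructed sample input; a real check would feed in `asterisk -V` and `module show` output.
    sample_version = "Asterisk 13.10.0"
    sample_modules = ("Module         Description          Use Count  Status\n"
                      "res_pjsip.so   Basic SIP resource   4          Running\n")
    pjsip, chan_sip = sip_stacks_in_use(sample_modules)
    print(sample_version, "->", sorted(exposure(sample_version, pjsip, chan_sip) or []))
```

Run it against the output of `asterisk -V` and `asterisk -rx "module show like sip"` on each box; a `None` result means the branch is not one of the four named in this announcement and needs to be checked against its own release notes rather than assumed safe.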