VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
asteriskteam at digium...
Guest
|
 Posted: Mon Mar 10, 2014 4:12 pm Post subject: [asterisk-users] Asterisk 1.8.15-cert5, 1.8.26.1, 11.6-cert2 |
 |
|
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1,
and 12.1.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolve the following issues:
* AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
Sending a HTTP request that is handled by Asterisk with a large number of
Cookie headers could overflow the stack.
Another vulnerability along similar lines is any HTTP request with a
ridiculous number of headers in the request could exhaust system memory.
* AST-2014-002: chan_sip: Exit early on bad session timers request
This change allows chan_sip to avoid creation of the channel and
consumption of associated file descriptors altogether if the inbound
request is going to be rejected anyway.
Additionally, the release of 12.1.1 resolves the following issue:
* AST-2014-003: res_pjsip: When handling 401/407 responses don't assume a
request will have an endpoint.
This change removes the assumption that an outgoing request will always
have an endpoint and makes the authenticate_qualify option work once again.
Finally, a security advisory, AST-2014-004, was released for a vulnerability
fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to
12.1.1 to resolve both vulnerabilities.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004,
which were released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.8.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.1.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-004.pdf
Thank you for your continued support of Asterisk!
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
 |
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
