Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community
 SearchSearch 

[asterisk-users] Asterisk 1.8.28-cert3, 1.8.32.1, 11.6-cert8, 11.14.1, 12.7.1, 13.0.1 Now Available (Security Release)


 
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> Asterisk Users
View previous topic :: View next topic  
Author Message
asteriskteam at digium...
Guest





PostPosted: Thu Nov 20, 2014 7:13 pm    Post subject: [asterisk-users] Asterisk 1.8.28-cert3, 1.8.32.1, 11.6-cert8 Reply with quote

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
11.14.1, 12.7.1, and 13.0.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerabilities:

* AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
address families

Many modules in Asterisk that service incoming IP traffic have ACL options
("permit" and "deny") that can be used to whitelist or blacklist address
ranges. A bug has been discovered where the address family of incoming
packets is only compared to the IP address family of the first entry in the
list of access control rules. If the source IP address for an incoming
packet is not of the same address as the first ACL entry, that packet
bypasses all ACL rules.

* AST-2014-018: Permission Escalation through DB dialplan function

The DB dialplan function when executed from an external protocol, such as AMI,
could result in a privilege escalation. Users with a lower class authorization
in AMI can access the internal Asterisk database without the required SYSTEM
class authorization.

In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
security vulnerability:

* AST-2014-014: High call load with ConfBridge can result in resource exhaustion

The ConfBridge application uses an internal bridging API to implement
conference bridges. This internal API uses a state model for channels within
the conference bridge and transitions between states as different things
occur. Unload load it is possible for some state transitions to be delayed
causing the channel to transition from being hung up to waiting for media. As
the channel has been hung up remotely no further media will arrive and the
channel will stay within ConfBridge indefinitely.

In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
the following security vulnerability:

* AST-2014-017: Permission Escalation via ConfBridge dialplan function and
AMI ConfbridgeStartRecord Action

The CONFBRIDGE dialplan function when executed from an external protocol (such
as AMI) can result in a privilege escalation as certain options within that
function can affect the underlying system. Additionally, the AMI
ConfbridgeStartRecord action has options that would allow modification of the
underlying system, and does not require SYSTEM class authorization in AMI.

Finally, the release of 12.7.1 and 13.0.1 resolves the following security
vulnerabilities:

* AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack

The Asterisk module res_pjsip provides the ability to configure ACLs that may
be used to reject SIP requests from various hosts. However, the module
currently fails to create and apply the ACLs defined in its configuration
file on initial module load.

* AST-2014-015: Remote crash vulnerability in PJSIP channel driver

The chan_pjsip channel driver uses a queue approach for relating to SIP
sessions. There exists a race condition where actions may be queued to answer
a session or send ringing after a SIP session has been terminated using a
CANCEL request. The code will incorrectly assume that the SIP session is still
active and attempt to send the SIP response. The PJSIP library does not
expect the SIP session to be in the disconnected state when sending the
response and asserts.

* AST-2014-016: Remote crash vulnerability in PJSIP channel driver

When handling an INVITE with Replaces message the res_pjsip_refer module
incorrectly assumes that it will be operating on a channel that has just been
created. If the INVITE with Replaces message is sent in-dialog after a session
has been established this assumption will be incorrect. The res_pjsip_refer
module will then hang up a channel that is actually owned by another thread.
When this other thread attempts to use the just hung up channel it will end up
using a freed channel which will likely result in a crash.

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-013.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-015.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-016.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf

Thank you for your continued support of Asterisk!



--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Back to top
Display posts from previous:   
Post new topic   Reply to topic    VoIP Mailing List Archives Forum Index -> Asterisk Users All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

VoiceMeUp - Corporate & Wholesale VoIP Services