VoIP Mailing List Archives :: View topic - [asterisk-users] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1 Now Available (Security Release)

Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1 Now Available (Security Release)

VoIP Mailing List Archives Forum Index -> Asterisk Users

View previous topic :: View next topic

Author

Message

asteriskteam at digium...
Guest

Posted: Wed Feb 03, 2016 8:56 pm Post subject: [asterisk-users] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3,

The Asterisk Development Team has announced security releases for Certified Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of these versions resolves the following security vulnerabilities: * AST-2016-001: BEAST vulnerability in HTTP server The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it. * AST-2016-002: File descriptor exhaustion in chan_sip Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout values hold system file descriptors hostage and can cause the system to run out of file descriptors. * AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data. If no UDPTL packets are lost there is no problem. However, a lost packet causes Asterisk to use the available error correcting redundancy packets. If those redundancy packets have zero length then Asterisk uses an uninitialized buffer pointer and length value which can cause invalid memory accesses later when the packet is copied. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1 http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2016-001.pdf * http://downloads.asterisk.org/pub/security/AST-2016-002.pdf * http://downloads.asterisk.org/pub/security/AST-2016-003.pdf Thank you for your continued support of Asterisk! -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users

Display posts from previous:

	VoIP Mailing List Archives Forum Index -> Asterisk Users	All times are GMT - 5 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum