Asterisk News

Security Release: Asterisk 1.8.15-cert5, 1.8.26.1, 11.6-cert2, 11.8.1, 12.1.1 Now Available

Mar 10, 2014

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15 and 11.6, and for Asterisk 1.8, 11, and 12. The security releases are available as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issues:

  • AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
    Sending an HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. A related vulnerability is that any HTTP request with a ridiculous number of headers could exhaust system memory.
  • AST-2014-002: chan_sip: Exit early on bad session timers request.
    This change allows chan_sip to avoid creation of the channel and consumption of associated file descriptors altogether if the inbound request is going to be rejected anyway.

Additionally, the release of 12.1.1 resolves the following issue:

  • AST-2014-003: res_pjsip: When handling 401/407 responses don't assume a request will have an endpoint.
    This change removes the assumption that an outgoing request will always have an endpoint and makes the authenticate_qualify option work once again.

Finally, a security advisory, AST-2014-004, was released for a vulnerability fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to 12.1.1 to resolve both vulnerabilities. These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004, which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

The security advisories are available at:

Thank you for your continued support of Asterisk!


Asterisk 12.1.0 Now Available

Mar 3, 2014

The Asterisk Development Team has announced the release of Asterisk 12.1.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 12.1.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bugs

  • [ASTERISK-17138] - [patch] Asterisk not re-registering after it receives "Forbidden - wrong password on authentication"
  • [ASTERISK-17727] - [patch] TLS doesn't get all certificate chain
  • [ASTERISK-17837] - extconfig.conf - Maximum Include level (1) exceeded
  • [ASTERISK-19773] - Asterisk crash on issuing Asterisk-CLI 'reload' command multiple times on cli_aliases
  • [ASTERISK-22486] - ARI: TCP Reset after 204 response
  • [ASTERISK-22662] - Documentation fix? - queues.conf says persistentmembers defaults to yes, it appears to lie
  • [ASTERISK-22757] - segfault in res_clialiases.so on reload when mapping "module reload" command
  • [ASTERISK-22790] - check_modem_rate() may return incorrect rate for V.27
  • [ASTERISK-22854] - [patch] - Deadlock between cel_pgsql unload and core_event_dispatcher taskprocessor thread
  • [ASTERISK-22861] - [patch]Specifying a null time as parameter to GotoIfTime or ExecIfTime causes segmentation fault
  • [ASTERISK-22871] - cel_pgsql module not loading after "reload" or "reload cel_pgsql.so" command
  • [ASTERISK-22884] - hangup_handler end with h extension: tests currently fail in Asterisk 12 +
  • [ASTERISK-22910] - [patch] - REPLACE() calls strcpy on overlapping memory when <replace-char> is empty
  • [ASTERISK-22924] - PJSIP MESSAGE support does not present the contact information on outbound messages
  • [ASTERISK-22946] - Local From tag regression with sipgate.de
  • [ASTERISK-22952] - res_pjsip_pubsub: crash when subscription_destructor is terminated from a non-PJSIP thread
  • [ASTERISK-22962] - performance spike on Local channels originated using ARI
  • [ASTERISK-22988] - [patch]T38 , SIP 488 after Rejecting image media offer due to invalid or unsupported syntax
  • [ASTERISK-23008] - Local channels loose CALLERID name when DAHDI channel connects
  • [ASTERISK-23011] - [patch]configure.ac and pbx_lua don't support lua 5.2
  • [ASTERISK-23018] - PJSip 'allow=all' results in failed SDP negotiation
  • [ASTERISK-23027] - [patch] Spelling typo "transfered" instead of "transferred"
  • [ASTERISK-23028] - [patch] Asterisk man pages contains unquoted minus signs
  • [ASTERISK-23034] - [patch] manager Originate doesn't abort on failed format_cap allocation
  • [ASTERISK-23046] - Custom CDR fields set during a GoSUB called from app_queue are not inserted
  • [ASTERISK-23051] - ARI: channel variables in JSON breaks passing parameters in JSON
  • [ASTERISK-23053] - The users of ao2_iterator_cleanup() are violating the ao2_iterator opacity.
  • [ASTERISK-23056] - [patch]INFINITY and NAN undefined
  • [ASTERISK-23061] - [Patch] 'textsupport' setting not mentioned in sip.conf.sample
  • [ASTERISK-23062] - res_pjsip AOR config option qualify_frequency is inconsistently respected
  • [ASTERISK-23065] - On Asterisk start, device state is INVALID for previously registered PJSIP endpoints, despite re-registrations
  • [ASTERISK-23071] - pjsip: mailboxes documentation is lacking
  • [ASTERISK-23072] - MWI subscription from Cisco SPA fails with PJSIP
  • [ASTERISK-23074] - Crash in ChanIsAvail app
  • [ASTERISK-23081] - PJSip Tab Expansion erroring
  • [ASTERISK-23082] - Including g722 in pjsip codec configuration results in unexpected SDP offers
  • [ASTERISK-23084] - [patch]rasterisk needlessly prints the AST-2013-007 warning
  • [ASTERISK-23100] - [patch] In chan_mgcp the ident in transmitted request and request queue may differ - fix for locking
  • [ASTERISK-23101] - pjsip: crash when parsing scheme from SIP URI
  • [ASTERISK-23106] - pjsip: ACK to 200 OK sent to private IP address on outbound channel's INVITE request
  • [ASTERISK-23128] - res_ari: Memory leak on response headers and some JSON response messages
  • [ASTERISK-23129] - segfault in res_pjsip_pubsub.so
  • [ASTERISK-23134] - [patch] res_rtp_asterisk port selection cannot handle selinux port restrictions
  • [ASTERISK-23143] - ARI: subscribing to an already subscribed resource returns a 500 error
  • [ASTERISK-23164] - CDRs: mid-call/pre-dial handlers perturb context/exten/app/data fields during Dial
  • [ASTERISK-23168] - Overriding outbound_auth in a pjsip registration causes ERROR, assert failure.
  • [ASTERISK-23177] - [patch] RealTime cant update sipbuddies table when registering or updating friend
  • [ASTERISK-23178] - devicestate.h: device state setting functions are documented with the wrong return values
  • [ASTERISK-23213] - SIP over WS: Audio problems when upgrading to 11.8 from 11.7 with endpoints behind NAT
  • [ASTERISK-23220] - STACK_PEEK function with no arguments causes crash/core dump
  • [ASTERISK-23231] - Since 405693 If we have res_fax.conf file set to minrate=2400, then res_fax refuse to load
  • [ASTERISK-23249] - Skinny subchannel locking issues
  • [ASTERISK-23250] - CDR(start) function is broken due to sizeof dereference

Improvements

New Features

  • [ASTERISK-23038] - Need config option to enable PJSIP logger at load time

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.1.0

Thank you for your continued support of Asterisk!


Asterisk 11.8.0 Now Available

Mar 3, 2014

The Asterisk Development Team has announced the release of Asterisk 11.8.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.8.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bugs

  • [ASTERISK-12117] - chan_sip creates a new local tag (from-tag) for every register message
  • [ASTERISK-17138] - [patch] Asterisk not re-registering after it receives "Forbidden - wrong password on authentication"
  • [ASTERISK-20862] - Asterisk min and max member penalties not honored when set with 0
  • [ASTERISK-21242] - Segfault when T.38 re-invite retransmission receives 200 OK
  • [ASTERISK-21383] - STUN Binding Requests Not Being Sent Back from Asterisk to Chrome
  • [ASTERISK-21960] - ooh323 channels stuck
  • [ASTERISK-22350] - DUNDI - core dump on shutdown - segfault in sqlite3_reset from /usr/lib/libsqlite3.so.0
  • [ASTERISK-22478] - [patch]Can't use pound(hash) symbol for custom DTMF menus in ConfBridge (processed as directive)
  • [ASTERISK-22544] - Italian prompt vm-options has advertisement in it
  • [ASTERISK-22590] - BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms
  • [ASTERISK-22746] - [patch]Crash in chan_dahdi during caller id read
  • [ASTERISK-22788] - [patch] main/translate.c: access to variable f after free in ast_translate()
  • [ASTERISK-22834] - Parking by blind transfer when lot full orphans channels
  • [ASTERISK-22854] - [patch] - Deadlock between cel_pgsql unload and core_event_dispatcher taskprocessor thread
  • [ASTERISK-22856] - [patch]SayUnixTime in polish reads minutes instead of seconds
  • [ASTERISK-22871] - cel_pgsql module not loading after "reload" or "reload cel_pgsql.so" command
  • [ASTERISK-22905] - Prevent Asterisk functions that are 'dangerous' from being executed from external interfaces
  • [ASTERISK-22910] - [patch] - REPLACE() calls strcpy on overlapping memory when <replace-char> is empty
  • [ASTERISK-22942] - [patch] - Asterisk crashed after Set(FAXOPT(faxdetect)=t38)
  • [ASTERISK-22946] - Local From tag regression with sipgate.de
  • [ASTERISK-22970] - [patch]Documentation fix for QUOTE()
  • [ASTERISK-23010] - No BYE message sent when sip INVITE is received
  • [ASTERISK-23011] - [patch]configure.ac and pbx_lua don't support lua 5.2
  • [ASTERISK-23021] - Typos in code : "avaliable" instead of "available"
  • [ASTERISK-23047] - Orphaned (stuck) channel occurs during a failed SIP transfer to parking space
  • [ASTERISK-23084] - [patch]rasterisk needlessly prints the AST-2013-007 warning
  • [ASTERISK-23135] - Crash - segfault in ast_channel_hangupcause_set - probably introduced in 11.7.0
  • [ASTERISK-23213] - SIP over WS: Audio problems when upgrading to 11.8 from 11.7 with endpoints behind NAT

Improvements

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.8.0

Thank you for your continued support of Asterisk!


Asterisk 1.8.26.0 Now Available

Mar 3, 2014

The Asterisk Development Team has announced the release of Asterisk 1.8.26.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.26.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bugs

  • [ASTERISK-12117] - chan_sip creates a new local tag (from-tag) for every register message
  • [ASTERISK-17138] - [patch] Asterisk not re-registering after it receives "Forbidden - wrong password on authentication"
  • [ASTERISK-20862] - Asterisk min and max member penalties not honored when set with 0
  • [ASTERISK-21242] - Segfault when T.38 re-invite retransmission receives 200 OK
  • [ASTERISK-22544] - Italian prompt vm-options has advertisement in it
  • [ASTERISK-22590] - BufferOverflow in unpacksms16() when receiving 16 bit multipart SMS with app_sms
  • [ASTERISK-22746] - [patch]Crash in chan_dahdi during caller id read
  • [ASTERISK-22788] - [patch] main/translate.c: access to variable f after free in ast_translate()
  • [ASTERISK-22834] - Parking by blind transfer when lot full orphans channels
  • [ASTERISK-22854] - [patch] - Deadlock between cel_pgsql unload and core_event_dispatcher taskprocessor thread
  • [ASTERISK-22856] - [patch]SayUnixTime in polish reads minutes instead of seconds
  • [ASTERISK-22871] - cel_pgsql module not loading after "reload" or "reload cel_pgsql.so" command
  • [ASTERISK-22905] - Prevent Asterisk functions that are 'dangerous' from being executed from external interfaces
  • [ASTERISK-22910] - [patch] - REPLACE() calls strcpy on overlapping memory when <replace-char> is empty
  • [ASTERISK-22946] - Local From tag regression with sipgate.de
  • [ASTERISK-22970] - [patch]Documentation fix for QUOTE()
  • [ASTERISK-23010] - No BYE message sent when sip INVITE is received
  • [ASTERISK-23011] - [patch]configure.ac and pbx_lua don't support lua 5.2
  • [ASTERISK-23021] - Typos in code : "avaliable" instead of "available"
  • [ASTERISK-23047] - Orphaned (stuck) channel occurs during a failed SIP transfer to parking space
  • [ASTERISK-23084] - [patch]rasterisk needlessly prints the AST-2013-007 warning

Improvements:

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.26.0

Thank you for your continued support of Asterisk!


Asterisk 12.1.0-rc3 Now Available

Mar 1, 2014

The Asterisk Development Team has announced the third release candidate of Asterisk 12.1.0. This release candidate is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 12.1.0-rc3 resolves an issue reported by the community and would not have been possible without your participation.

Thank you!

The following is the issue resolved in this release candidate:

  • chan_sip: Fix crash in ast_channel_hangupcause_set().
    (Closes issue ASTERISK-23135. Reported by OK)

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.1.0-rc3

Thank you for your continued support of Asterisk!

