Asterisk News

Asterisk Releases

Asterisk 1.8.29.0-rc1 Now Available

Jul 8, 2014

The Asterisk Development Team has announced the first release candidate of Asterisk 1.8.29.0. This release candidate is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.29.0-rc1 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release candidate:

Bug

  • [ASTERISK-18230] - sometimes dialplan switches disappear when merging contexts between pbx_lua and pbx_config
  • [ASTERISK-22551] - Session timer : UAS (Asterisk) starts counting at Invite, UAC starts counting at 200 OK.
  • [ASTERISK-23035] - ConfBridge with name longer than max (32 chars) results in several bridges with same conf_name
  • [ASTERISK-23246] - DEBUG messages in sdp_crypto.c display despite a DEBUG level of zero
  • [ASTERISK-23582] - [patch]Inconsistent column length in *odbc
  • [ASTERISK-23667] - features.conf.sample is unclear as to which options can or cannot be set in the general section
  • [ASTERISK-23673] - Security: DOS by consuming the number of allowed HTTP connections.
  • [ASTERISK-23683] - #includes - wildcard character in a path more than one directory deep - results in no config parsing on module reload
  • [ASTERISK-23766] - [patch] Specify timeout for database write in SQLite
  • [ASTERISK-23790] - [patch] - SIP From headers longer than 256 characters result in dropped call and 'No closing bracket' warnings.
  • [ASTERISK-23803] - AMI action UpdateConfig EmptyCat clears all categories but the requested one
  • [ASTERISK-23814] - No call started after peer dialed
  • [ASTERISK-23818] - PBX_Lua: after asterisk startup module is loaded, but dialplan not available
  • [ASTERISK-23827] - autoservice thread doesn't exit at shutdown
  • [ASTERISK-23844] - Load of pbx_lua fails on sample extensions.lua with Lua 5.2 or greater due to addition of goto statement
  • [ASTERISK-23897] - [patch]Change in SETUP ACK handling (checking PI) in revision 413765 breaks working environments
  • [ASTERISK-23908] - [patch]When using FEC error correction, asterisk tries considers negative sequence numbers as missing
  • [ASTERISK-23921] - refcounter.py uses excessive ram for large refs files
  • [ASTERISK-23948] - REF_DEBUG fails to record ao2_ref against objects that were already freed
  • [ASTERISK-23984] - Infinite loop possible in ast_careful_fwrite()

Improvement

  • [ASTERISK-23492] - Add option to safe_asterisk to disable backgrounding
  • [ASTERISK-23564] - [patch]TLS/SRTP status of channel not currently available in a CLI command

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.29.0-rc1

Thank you for your continued support of Asterisk!


Asterisk 1.8.15-cert7, 1.8.28.2, 11.6-cert4, 11.10.2, 12.3.2 Now Available (Security/Regression Release)

Jun 13, 2014

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert7, 11.6-cert4, 1.8.28.2, 11.10.2, and 12.3.2.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

These releases resolve security vulnerabilities that were previously fixed in 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1. Unfortunately, the fix for AST-2014-007 inadvertently introduced a regression in Asterisk's TCP and TLS handling that prevented Asterisk from sending data over these transports. This regression and the security vulnerabilities have been fixed in the versions specified in this release announcement. The security patches for AST-2014-007 have been updated with the fix for the regression, and are available at http://downloads.asterisk.org/pub/security

Please note that the release of these versions resolves the following security vulnerabilities:

  • AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
  • AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access
  • AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections
  • AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released with the previous versions that addressed these vulnerabilities. For a full list of changes in the current releases, please see the ChangeLogs:

The security advisories are available at:

Thank you for your continued support of Asterisk!

Asterisk 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1 Now Available (Security Release)

Jun 12, 2014

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issue:

  • AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections
    Establishing a TCP or TLS connection to the HTTP or HTTPS port, respectively, configured in http.conf and then not sending or completing an HTTP request will tie up an HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.

Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the following issue:

  • AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access
    Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Additionally, the release of 12.3.1 resolves the following issues:

  • AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
    A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's “sub_min_expiry” is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion is raised.
  • AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
    When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.

These issues and their resolutions are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs:

The security advisories are available at:

Thank you for your continued support of Asterisk!


Asterisk 12.3.0 Now Available

May 29, 2014

The Asterisk Development Team has announced the release of Asterisk 12.3.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 12.3.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bug

  • [ASTERISK-18331] - app_sms failure
  • [ASTERISK-19465] - P-Asserted-Identity Privacy
  • [ASTERISK-22372] - res_corosync: Compilation errors and functionality broken in Asterisk 12
  • [ASTERISK-22677] - Playbacks on bridge via ARI are not queued
  • [ASTERISK-22846] - testsuite: masquerade super test fails on all branches (still)
  • [ASTERISK-22904] - bridges: lock the bridge when creating bridge snapshots
  • [ASTERISK-22912] - res_corosync doesn't build in Asterisk 12 beta2
  • [ASTERISK-23282] - Documentation - Tab completion and CLI usage documentation do not indicate that 'all' is accepted for 'confbridge kick all'
  • [ASTERISK-23381] - [patch]ChanSpy- Barge only works on the initial 'spy', if the spied-on channel makes a new call, unable to barge.
  • [ASTERISK-23390] - NewExten Event with application AGI shows up before and after AGI runs
  • [ASTERISK-23487] - features.conf cant load from realtime because features_config.c starts before loader.c
  • [ASTERISK-23497] - chan_sip SIP protocol attended transfer, with directmedia=yes results in a simple bridge, typically with no audio
  • [ASTERISK-23498] - Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported
  • [ASTERISK-23501] - Copy 'Referred-By' header to outgoing INVITE
  • [ASTERISK-23502] - Channel variable SIPREFERTOHDR not being set during blind transfer
  • [ASTERISK-23514] - The pjsip.conf aor qualify contact parameters are not updated on reload.
  • [ASTERISK-23545] - Confbridge talker detection settings configuration load bug
  • [ASTERISK-23546] - CB_ADD_LEN does not do what you'd think
  • [ASTERISK-23547] - [patch] app_queue removing callers from queue when reloading
  • [ASTERISK-23550] - Newer sound sets don't show up in menuselect
  • [ASTERISK-23560] - [ARI] MOH doesn't indicate progress
  • [ASTERISK-23573] - Crash when transferring unbridged call - in bridge_app_subscribed at stasis/app.c
  • [ASTERISK-23576] - Build failure on SmartOS / Illumos / SunOS
  • [ASTERISK-23584] - PJSIP 'Unable to create channel' when attempting to call from endpoint with UDP transport to one using WebSockets
  • [ASTERISK-23588] - ARI: Crash when unsubscribing from bridge
  • [ASTERISK-23605] - res_http_websocket: Race condition in shutting down websocket causes crash
  • [ASTERISK-23616] - Big memory leak in logger.c
  • [ASTERISK-23620] - Code path in app_stack fails to unlock list
  • [ASTERISK-23639] - PJSIP Realtime: Alembic migration needed in order to widen some string columns
  • [ASTERISK-23664] - Incorrect H264 specification in SDP.
  • [ASTERISK-23665] - Wrong mime type for codec H263-1998 (h263+)
  • [ASTERISK-23672] - PJSIP Digium presence notifications are not sent if only the subtype or message changes
  • [ASTERISK-23675] - [patch] Segmentation Fault on first SIP registration using res_config_odbc
  • [ASTERISK-23707] - Realtime Contacts: Apparent mismatch between PGSQL database state and Asterisk state
  • [ASTERISK-23709] - Regression in Dahdi/Analog/waitfordialtone
  • [ASTERISK-23721] - Calls to PJSIP endpoints with video enabled result in leaked RTP ports
  • [ASTERISK-23758] - 500 internal server error when answering a channel with ARI

Improvement

  • [ASTERISK-23553] - Add ast_spinlock capability to lock.h
  • [ASTERISK-23564] - [patch]TLS/SRTP status of channel not currently available in a CLI command
  • [ASTERISK-23649] - [patch]Support for DTLS retransmission
  • [ASTERISK-23754] - [patch] Use var/lib directory for log file configured in asterisk.conf

New Feature

  • [ASTERISK-22697] - ARI: Add the ability to raise an arbitrary User Event from the Asterisk or Applications resource
  • [ASTERISK-23433] - ARI: Add 'tones' as a URI scheme for /play operations on resources that support media (bridges, channels)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.3.0

Thank you for your continued support of Asterisk!


Asterisk 11.10.0 Now Available

May 29, 2014

The Asterisk Development Team has announced the release of Asterisk 11.10.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.10.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bug

  • [ASTERISK-18331] - app_sms failure
  • [ASTERISK-19465] - P-Asserted-Identity Privacy
  • [ASTERISK-22846] - testsuite: masquerade super test fails on all branches (still)
  • [ASTERISK-22977] - chan_sip+CEL: missing ANSWER and PICKUP event for INVITE/w/replaces pickup
  • [ASTERISK-23381] - [patch]ChanSpy- Barge only works on the initial 'spy', if the spied-on channel makes a new call, unable to barge.
  • [ASTERISK-23545] - Confbridge talker detection settings configuration load bug
  • [ASTERISK-23546] - CB_ADD_LEN does not do what you'd think
  • [ASTERISK-23547] - [patch] app_queue removing callers from queue when reloading
  • [ASTERISK-23550] - Newer sound sets don't show up in menuselect
  • [ASTERISK-23559] - app_voicemail fails to load after fix to dialplan functions
  • [ASTERISK-23576] - Build failure on SmartOS / Illumos / SunOS
  • [ASTERISK-23605] - res_http_websocket: Race condition in shutting down websocket causes crash
  • [ASTERISK-23616] - Big memory leak in logger.c
  • [ASTERISK-23620] - Code path in app_stack fails to unlock list
  • [ASTERISK-23664] - Incorrect H264 specification in SDP.
  • [ASTERISK-23665] - Wrong mime type for codec H263-1998 (h263+)
  • [ASTERISK-23707] - Realtime Contacts: Apparent mismatch between PGSQL database state and Asterisk state
  • [ASTERISK-23709] - Regression in Dahdi/Analog/waitfordialtone

Improvement

  • [ASTERISK-23564] - [patch]TLS/SRTP status of channel not currently available in a CLI command
  • [ASTERISK-23649] - [patch]Support for DTLS retransmission
  • [ASTERISK-23754] - [patch] Use var/lib directory for log file configured in asterisk.conf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.10.0

Thank you for your continued support of Asterisk!

