Asterisk News

Asterisk Releases

Asterisk 13.1-cert5 and 13.8.1 Now Available (Security Release)

Apr 14, 2016

The Asterisk Development Team has announced security releases for Certified Asterisk 13.1 and Asterisk 13. The security releases are available as versions 13.1-cert5 and 13.8.1, for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerabilities:

  • AST-2016-004: Long contact URIs in REGISTER requests can crash Asterisk

Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI. This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring.

  • AST-2016-005: TCP denial of service in PJProject

PJProject has a limit on the number of TCP connections that it can accept; by default, this limit is approximately 60. Furthermore, PJProject does not close TCP connections it accepts. An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk.

If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject. If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.
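
A defender-side check for the condition described above, as an added example that is not part of the original announcement: it counts established connections to the SIP TCP listener in `ss -tn` output and reports how close the count is to the roughly 60-connection ceiling and which peers hold the most slots. Port 5060, the warning ratio, the per-peer threshold and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

PJ_TCP_LIMIT = 60    # "approximately 60" by default, per the advisory text above
SIP_TCP_PORT = 5060  # assumption: SIP TCP transport on the conventional port

# Constructed sample of `ss -tn` output (documentation address ranges only):
# 48 connections from one peer, 2 from ordinary phones, 1 unrelated SSH session.
SAMPLE_SS = "\n".join(
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    + [f"ESTAB 0 0 192.0.2.10:5060 203.0.113.50:{40000 + i}" for i in range(48)]
    + ["ESTAB 0 0 192.0.2.10:5060 198.51.100.7:51820",
       "ESTAB 0 0 [2001:db8::10]:5060 [2001:db8::99]:40222",
       "ESTAB 0 0 192.0.2.10:22 198.51.100.9:53111"]
)


def split_host_port(endpoint):
    """Split 'host:port' or '[v6]:port' as printed by ss -n."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def sip_tcp_usage(ss_output, port=SIP_TCP_PORT):
    """Count established connections to the SIP TCP port, keyed by peer IP."""
    peers = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, other TCP states, malformed lines
        if split_host_port(fields[3])[1] != port:
            continue  # not the SIP listener
        peers[split_host_port(fields[4])[0]] += 1
    return peers


def assess(peers, limit=PJ_TCP_LIMIT, warn_ratio=0.75, per_peer_max=10):
    """warn_ratio and per_peer_max are hypothetical thresholds; tune locally."""
    total = sum(peers.values())
    return {
        "total": total,
        "near_limit": total >= limit * warn_ratio,
        "heavy_peers": sorted(ip for ip, n in peers.items() if n > per_peer_max),
    }


if __name__ == "__main__":
    print(assess(sip_tcp_usage(SAMPLE_SS)))
```

On a live host, pass the function the text output of `ss -tn` instead of the constructed sample.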

For a full list of changes in the current releases, please see the ChangeLogs:

The security advisories are available at:

Thank you for your continued support of Asterisk!


Asterisk 13.8.0 Now Available

Mar 29, 2016

The Asterisk Development Team has announced the release of Asterisk 13.8.0.

This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 13.8.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bug

  • [ASTERISK-20987] - non-admin users, who join muted conference are not being muted
  • [ASTERISK-24097] - Documentation - CHANNEL function help text missing 'linkedid' argument
  • [ASTERISK-24801] - ASAN: ast_el_read_char stack-buffer-overflow
  • [ASTERISK-24972] - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server
  • [ASTERISK-25023] - Deadlock in chan_sip in update_provisional_keepalive
  • [ASTERISK-25113] - install_prereq in Debian 8 without "standard system utilities"
  • [ASTERISK-25116] - res_pjsip: Two PeerStatus AMI messages are sent for every status change
  • [ASTERISK-25137] - endpoint stasis messages are delivered twice
  • [ASTERISK-25179] - CDR(billsec,f) and CDR(duration,f) report incorrect values
  • [ASTERISK-25272] - [patch]The ICONV dialplan function sometimes returns garbage
  • [ASTERISK-25317] - asterisk sends too many stun requests
  • [ASTERISK-25321] - [patch]DeadLock ChanSpy with call over Local channel
  • [ASTERISK-25337] - Crash on PJSIP_HEADER Add P-Asserted-Identity when calling from Gosub
  • [ASTERISK-25394] - pbx: Incorrect device and presence state when changing hint details
  • [ASTERISK-25397] - [patch]chan_sip: File descriptor leak with non-default timert1
  • [ASTERISK-25442] - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c)
  • [ASTERISK-25582] - Testsuite: Reactor timeout error in tests/fax/pjsip/directmedia_reinvite_t38
  • [ASTERISK-25601] - json: Audit reference usage and thread safety
  • [ASTERISK-25603] - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash
  • [ASTERISK-25606] - Core dump when using transports in sorcery
  • [ASTERISK-25611] - core: threadpool thread_timeout_thrash unit test sporadically failing
  • [ASTERISK-25614] - DTLS negotiation delays
  • [ASTERISK-25624] - AMI Event OriginateResponse bug
  • [ASTERISK-25625] - res_sorcery_memory_cache: Add full backend caching
  • [ASTERISK-25632] - res_pjsip_sdp_rtp: RTP is sent from wrong IP address when multihomed
  • [ASTERISK-25637] - Multi homed server using wrong IP
  • [ASTERISK-25640] - pbx: Deadlock on features reload and state change hint.
  • [ASTERISK-25641] - bridge: GOTO_ON_BLINDXFR doesn't work on transfer initiated channel
  • [ASTERISK-25647] - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE
  • [ASTERISK-25664] - ast_format_cap_append_by_type leaks a reference
  • [ASTERISK-25668] - res_pjsip: Deadlock in distributor
  • [ASTERISK-25673] - res_crypto leaks CLI entries
  • [ASTERISK-25675] - Endpoint not listed as Unreachable
  • [ASTERISK-25677] - pbx_dundi: leaks during failed load.
  • [ASTERISK-25679] - res_calendar leaks scheduler.
  • [ASTERISK-25680] - manager: manager_channelvars is not cleaned at shutdown
  • [ASTERISK-25681] - devicestate: Engine thread is not shut down
  • [ASTERISK-25683] - res_ari: Asterisk fails to start if compiled with MALLOC_DEBUG
  • [ASTERISK-25685] - infrastructure: Run alembic in Jenkins build script
  • [ASTERISK-25686] - PJSIP: qualify_timeout is a double, database schema is an integer
  • [ASTERISK-25687] - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash
  • [ASTERISK-25690] - Hanging up when executing connected line sub does not cause hangup
  • [ASTERISK-25696] - bridge_basic: don't cache xferfailsound during a transfer
  • [ASTERISK-25697] - bridge_basic: don't play an attended transfer fail sound after target hangs up
  • [ASTERISK-25700] - main/config: Clean config maps on shutdown.
  • [ASTERISK-25702] - PjSip realtime DB and Cache Errors since upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2
  • [ASTERISK-25709] - ARI: Crash can occur due to race condition when attempting to operate on a hung up channel
  • [ASTERISK-25712] - Second call to already-on-call phone and Asterisk sends "Ready"
  • [ASTERISK-25714] - ASAN:heap-buffer-overflow in logger.c
  • [ASTERISK-25721] - [patch] res_phoneprov: memory leak and heap-use-after-free
  • [ASTERISK-25722] - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect
  • [ASTERISK-25725] - core: Incorrect XML documentation may result in weird behavior
  • [ASTERISK-25727] - RPM build requires OPTIONAL_API cflag due to PJSIP requirement
  • [ASTERISK-25730] - build: make uninstall after make distclean tries to remove root
  • [ASTERISK-25737] - res_pjsip_outbound_registration: line option not in Alembic
  • [ASTERISK-25738] - res_pjsip_pubsub: Crash while executing OutboundSubscriptionDetail ami action
  • [ASTERISK-25742] - Secondary IFP Packets can result in accessing uninitialized pointers and a crash
  • [ASTERISK-25751] - res_pjsip: Support pjsip_dlg_create_uas_and_inc_lock
  • [ASTERISK-25771] - ARI:Crash - Attended transfers of channels into Stasis application.
  • [ASTERISK-25800] - [patch] Calculate talktime when is first call answered
  • [ASTERISK-25811] - Unable to delete object from sorcery cache
  • [ASTERISK-25814] - Segfault at f ip in res_pjsip_refer.so
  • [ASTERISK-25829] - res_pjsip: PJSIP does not accept spaces when separating multiple AORs
  • [ASTERISK-25830] - Revision 2451d4e breaks NAT
  • [ASTERISK-25849] - chan_pjsip: transfers with direct media sometimes drops audio

Improvement

New Feature

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.8.0

Thank you for your continued support of Asterisk!


Asterisk 11.22.0 Now Available

Mar 29, 2016

The Asterisk Development Team has announced the release of Asterisk 11.22.0.

This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.22.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bug

  • [ASTERISK-20987] - non-admin users, who join muted conference are not being muted
  • [ASTERISK-24801] - ASAN: ast_el_read_char stack-buffer-overflow
  • [ASTERISK-24972] - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server
  • [ASTERISK-25272] - [patch]The ICONV dialplan function sometimes returns garbage
  • [ASTERISK-25321] - [patch]DeadLock ChanSpy with call over Local channel
  • [ASTERISK-25394] - pbx: Incorrect device and presence state when changing hint details
  • [ASTERISK-25397] - [patch]chan_sip: File descriptor leak with non-default timert1
  • [ASTERISK-25442] - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c)
  • [ASTERISK-25603] - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash
  • [ASTERISK-25614] - DTLS negotiation delays
  • [ASTERISK-25624] - AMI Event OriginateResponse bug
  • [ASTERISK-25640] - pbx: Deadlock on features reload and state change hint.
  • [ASTERISK-25647] - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE
  • [ASTERISK-25673] - res_crypto leaks CLI entries
  • [ASTERISK-25677] - pbx_dundi: leaks during failed load.
  • [ASTERISK-25679] - res_calendar leaks scheduler.
  • [ASTERISK-25680] - manager: manager_channelvars is not cleaned at shutdown
  • [ASTERISK-25681] - devicestate: Engine thread is not shut down
  • [ASTERISK-25687] - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash
  • [ASTERISK-25690] - Hanging up when executing connected line sub does not cause hangup
  • [ASTERISK-25700] - main/config: Clean config maps on shutdown.
  • [ASTERISK-25701] - core: Endless loop in "core show taskprocessors"
  • [ASTERISK-25714] - ASAN:heap-buffer-overflow in logger.c
  • [ASTERISK-25722] - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect
  • [ASTERISK-25730] - build: make uninstall after make distclean tries to remove root
  • [ASTERISK-25742] - Secondary IFP Packets can result in accessing uninitialized pointers and a crash
  • [ASTERISK-25800] - [patch] Calculate talktime when is first call answered
  • [ASTERISK-25857] - func_aes: incorrect use of strlen() leads to data corruption

Improvement

  • [ASTERISK-24813] - asterisk.c: #if statement in listener() confuses code folding editors
  • [ASTERISK-25068] - Move commonly used FreePBX extra sounds to the core set
  • [ASTERISK-25767] - [patch] Add check to configure for sanitizes

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.22.0

Thank you for your continued support of Asterisk!


Libpri 1.5.0 Now Available

Mar 28, 2016

The Asterisk Development Team has announced the release of libpri 1.5.0.

This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/libpri

The release of libpri 1.5.0 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release:

Bug

  • PRI-173 - libpri does not handle keypad facility IE in overlap mode
  • PRI-180 - Incorrect handling of DISCONNECT with Progress Indicator #8
  • PRI-182 - Tighten mandatory ie checks and other misc items

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/libpri/ChangeLog-1.5.0

Thank you for your continued support of libpri!


Asterisk 13.8.0-rc1 Now Available

Mar 22, 2016

The Asterisk Development Team has announced the first release candidate of Asterisk 13.8.0.

This release candidate is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 13.8.0-rc1 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release candidate: Release Notes - Asterisk - Version 13.8.0

Bug

  • [ASTERISK-20987] - non-admin users, who join muted conference are not being muted
  • [ASTERISK-24097] - Documentation - CHANNEL function help text missing 'linkedid' argument
  • [ASTERISK-24801] - ASAN: ast_el_read_char stack-buffer-overflow
  • [ASTERISK-24972] - Transport Layer Security (TLS) Protocol BEAST Vulnerability - Investigate vulnerability of HTTP server
  • [ASTERISK-25023] - Deadlock in chan_sip in update_provisional_keepalive
  • [ASTERISK-25113] - install_prereq in Debian 8 without "standard system utilities"
  • [ASTERISK-25116] - res_pjsip: Two PeerStatus AMI messages are sent for every status change
  • [ASTERISK-25137] - endpoint stasis messages are delivered twice
  • [ASTERISK-25179] - CDR(billsec,f) and CDR(duration,f) report incorrect values
  • [ASTERISK-25272] - [patch]The ICONV dialplan function sometimes returns garbage
  • [ASTERISK-25317] - asterisk sends too many stun requests
  • [ASTERISK-25321] - [patch]DeadLock ChanSpy with call over Local channel
  • [ASTERISK-25337] - Crash on PJSIP_HEADER Add P-Asserted-Identity when calling from Gosub
  • [ASTERISK-25394] - pbx: Incorrect device and presence state when changing hint details
  • [ASTERISK-25397] - [patch]chan_sip: File descriptor leak with non-default timert1
  • [ASTERISK-25442] - using realtime (mysql) queue members are never updated in wait_our_turn function (app_queue.c)
  • [ASTERISK-25582] - Testsuite: Reactor timeout error in tests/fax/pjsip/directmedia_reinvite_t38
  • [ASTERISK-25601] - json: Audit reference usage and thread safety
  • [ASTERISK-25603] - [patch]udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash
  • [ASTERISK-25606] - Core dump when using transports in sorcery
  • [ASTERISK-25611] - core: threadpool thread_timeout_thrash unit test sporadically failing
  • [ASTERISK-25614] - DTLS negotiation delays
  • [ASTERISK-25624] - AMI Event OriginateResponse bug
  • [ASTERISK-25625] - res_sorcery_memory_cache: Add full backend caching
  • [ASTERISK-25632] - res_pjsip_sdp_rtp: RTP is sent from wrong IP address when multihomed
  • [ASTERISK-25637] - Multi homed server using wrong IP
  • [ASTERISK-25640] - pbx: Deadlock on features reload and state change hint.
  • [ASTERISK-25641] - bridge: GOTO_ON_BLINDXFR doesn't work on transfer initiated channel
  • [ASTERISK-25647] - bug of cel_radius.c: wrong point of ADD_VENDOR_CODE
  • [ASTERISK-25664] - ast_format_cap_append_by_type leaks a reference
  • [ASTERISK-25668] - res_pjsip: Deadlock in distributor
  • [ASTERISK-25673] - res_crypto leaks CLI entries
  • [ASTERISK-25675] - Endpoint not listed as Unreachable
  • [ASTERISK-25677] - pbx_dundi: leaks during failed load.
  • [ASTERISK-25679] - res_calendar leaks scheduler.
  • [ASTERISK-25680] - manager: manager_channelvars is not cleaned at shutdown
  • [ASTERISK-25681] - devicestate: Engine thread is not shut down
  • [ASTERISK-25683] - res_ari: Asterisk fails to start if compiled with MALLOC_DEBUG
  • [ASTERISK-25685] - infrastructure: Run alembic in Jenkins build script
  • [ASTERISK-25686] - PJSIP: qualify_timeout is a double, database schema is an integer
  • [ASTERISK-25687] - res_musiconhold: Concurrent invocations of 'moh reload' cause a crash
  • [ASTERISK-25690] - Hanging up when executing connected line sub does not cause hangup
  • [ASTERISK-25696] - bridge_basic: don't cache xferfailsound during a transfer
  • [ASTERISK-25697] - bridge_basic: don't play an attended transfer fail sound after target hangs up
  • [ASTERISK-25700] - main/config: Clean config maps on shutdown.
  • [ASTERISK-25702] - PjSip realtime DB and Cache Errors since upgrade to asterisk-13.7.0 from asterisk-13.7.0-rc2
  • [ASTERISK-25709] - ARI: Crash can occur due to race condition when attempting to operate on a hung up channel
  • [ASTERISK-25712] - Second call to already-on-call phone and Asterisk sends "Ready"
  • [ASTERISK-25714] - ASAN:heap-buffer-overflow in logger.c
  • [ASTERISK-25721] - [patch] res_phoneprov: memory leak and heap-use-after-free
  • [ASTERISK-25722] - ASAN & testsuite: stack-buffer-overflow in sip_sipredirect
  • [ASTERISK-25725] - core: Incorrect XML documentation may result in weird behavior
  • [ASTERISK-25727] - RPM build requires OPTIONAL_API cflag due to PJSIP requirement
  • [ASTERISK-25730] - build: make uninstall after make distclean tries to remove root
  • [ASTERISK-25737] - res_pjsip_outbound_registration: line option not in Alembic
  • [ASTERISK-25738] - res_pjsip_pubsub: Crash while executing OutboundSubscriptionDetail ami action
  • [ASTERISK-25742] - Secondary IFP Packets can result in accessing uninitialized pointers and a crash
  • [ASTERISK-25751] - res_pjsip: Support pjsip_dlg_create_uas_and_inc_lock
  • [ASTERISK-25771] - ARI:Crash - Attended transfers of channels into Stasis application.
  • [ASTERISK-25800] - [patch] Calculate talktime when is first call answered
  • [ASTERISK-25811] - Unable to delete object from sorcery cache
  • [ASTERISK-25814] - Segfault at f ip in res_pjsip_refer.so
  • [ASTERISK-25829] - res_pjsip: PJSIP does not accept spaces when separating multiple AORs
  • [ASTERISK-25830] - Revision 2451d4e breaks NAT
  • [ASTERISK-25849] - chan_pjsip: transfers with direct media sometimes drops audio

Improvement

New Feature

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.8.0-rc1

Thank you for your continued support of Asterisk!

