Asterisk News

Asterisk Releases

Asterisk 12.4.0-rc1 Now Released

Jul 8, 2014

The Asterisk Development Team has announced the first release candidate of Asterisk 12.4.0. This release candidate is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 12.4.0-rc1 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release candidate:

Bug

  • [ASTERISK-18230] - sometimes dialplan switches disappear when merging contexts between pbx_lua and pbx_config
  • [ASTERISK-21965] - [patch] Bug-fixed version of safe_asterisk not installed over old version
  • [ASTERISK-22551] - Session timer: UAS (Asterisk) starts counting at INVITE, UAC starts counting at 200 OK.
  • [ASTERISK-23035] - ConfBridge with name longer than max (32 chars) results in several bridges with same conf_name
  • [ASTERISK-23489] - Vulnerability in res_pjsip_pubsub: unauthenticated remote crash during MWI unsubscribe without being subscribed
  • [ASTERISK-23499] - app_agent_pool: Interval hook prevents channel from being hung up
  • [ASTERISK-23541] - Asterisk 12.1.0 Not respecting directmedia=no and issuing REINVITE
  • [ASTERISK-23582] - [patch] Inconsistent column length in *odbc
  • [ASTERISK-23609] - Security: AMI action MixMonitor allows arbitrary programs to be run
  • [ASTERISK-23673] - Security: DOS by consuming the number of allowed HTTP connections.
  • [ASTERISK-23683] - #includes - wildcard character in a path more than one directory deep - results in no config parsing on module reload
  • [ASTERISK-23718] - res_pjsip_incoming_blind_request: crash with NULL session channel
  • [ASTERISK-23721] - Calls to PJSIP endpoints with video enabled result in leaked RTP ports
  • [ASTERISK-23766] - [patch] Specify timeout for database write in SQLite
  • [ASTERISK-23790] - [patch] - SIP From headers longer than 256 characters result in dropped call and 'No closing bracket' warnings.
  • [ASTERISK-23792] - Mutex left locked in chan_unistim.c
  • [ASTERISK-23802] - Security: Deadlock in res_pjsip_pubsub on transaction timeout
  • [ASTERISK-23803] - AMI action UpdateConfig EmptyCat clears all categories but the requested one
  • [ASTERISK-23814] - No call started after peer dialed
  • [ASTERISK-23818] - PBX_Lua: after asterisk startup module is loaded, but dialplan not available
  • [ASTERISK-23824] - ConfBridge: Users cannot be muted via CLI or AMI when waiting to enter a conference
  • [ASTERISK-23827] - autoservice thread doesn't exit at shutdown
  • [ASTERISK-23834] - res_rtp_asterisk debug message gives wrong length if ICE
  • [ASTERISK-23844] - Load of pbx_lua fails on sample extensions.lua with Lua 5.2 or greater due to addition of goto statement
  • [ASTERISK-23897] - [patch] Change in SETUP ACK handling (checking PI) in revision 413765 breaks working environments
  • [ASTERISK-23908] - [patch] When using FEC error correction, Asterisk considers negative sequence numbers as missing
  • [ASTERISK-23916] - [patch] SIP/SDP fmtp line may include whitespace between attributes
  • [ASTERISK-23917] - res_http_websocket: Delay in client processing large streams of data causes disconnect and stuck socket
  • [ASTERISK-23921] - refcounter.py uses excessive ram for large refs files
  • [ASTERISK-23922] - ao2_container nodes are inconsistent REF_DEBUG
  • [ASTERISK-23947] - ActionID missing from AMI PJSIP events (PJSIPShowEndpoints, etc.)
  • [ASTERISK-23948] - REF_DEBUG fails to record ao2_ref against objects that were already freed
  • [ASTERISK-23984] - Infinite loop possible in ast_careful_fwrite()
  • [ASTERISK-24001] - res_rtp_asterisk fails to load module due to undefined symbol 'dtls_perform_handshake' when PJPROJECT is not installed

Improvement

  • [ASTERISK-22961] - [patch] DTLS-SRTP not working with SHA-256
  • [ASTERISK-23492] - Add option to safe_asterisk to disable backgrounding
  • [ASTERISK-23552] - http: support persistent connections
  • [ASTERISK-23654] - Add 'pjsip reload' to default cli_aliases.conf
  • [ASTERISK-23811] - Improve performance of Asterisk by reducing the number of channel snapshots created
  • [ASTERISK-23939] - ARI: Allow for channel subscriptions on originate
  • [ASTERISK-23975] - Description of variables field for userEvent operation missing details.

New Feature

  • [ASTERISK-21443] - New SIP Channel Driver - Create a state provider for dialog-info+xml
  • [ASTERISK-23786] - TALK_DETECT: A dialplan function that emits talking start/stop events for AMI/ARI

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.4.0-rc1

Thank you for your continued support of Asterisk!


Asterisk 11.11.0-rc1 Now Available

Jul 8, 2014

The Asterisk Development Team has announced the first release candidate of Asterisk 11.11.0. This release candidate is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.11.0-rc1 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release candidate:

Bug

  • [ASTERISK-18230] - sometimes dialplan switches disappear when merging contexts between pbx_lua and pbx_config
  • [ASTERISK-22551] - Session timer: UAS (Asterisk) starts counting at INVITE, UAC starts counting at 200 OK.
  • [ASTERISK-23035] - ConfBridge with name longer than max (32 chars) results in several bridges with same conf_name
  • [ASTERISK-23246] - DEBUG messages in sdp_crypto.c display despite a DEBUG level of zero
  • [ASTERISK-23582] - [patch] Inconsistent column length in *odbc
  • [ASTERISK-23609] - Security: AMI action MixMonitor allows arbitrary programs to be run
  • [ASTERISK-23673] - Security: DOS by consuming the number of allowed HTTP connections.
  • [ASTERISK-23683] - #includes - wildcard character in a path more than one directory deep - results in no config parsing on module reload
  • [ASTERISK-23766] - [patch] Specify timeout for database write in SQLite
  • [ASTERISK-23790] - [patch] - SIP From headers longer than 256 characters result in dropped call and 'No closing bracket' warnings.
  • [ASTERISK-23792] - Mutex left locked in chan_unistim.c
  • [ASTERISK-23803] - AMI action UpdateConfig EmptyCat clears all categories but the requested one
  • [ASTERISK-23814] - No call started after peer dialed
  • [ASTERISK-23818] - PBX_Lua: after asterisk startup module is loaded, but dialplan not available
  • [ASTERISK-23824] - ConfBridge: Users cannot be muted via CLI or AMI when waiting to enter a conference
  • [ASTERISK-23827] - autoservice thread doesn't exit at shutdown
  • [ASTERISK-23834] - res_rtp_asterisk debug message gives wrong length if ICE
  • [ASTERISK-23844] - Load of pbx_lua fails on sample extensions.lua with Lua 5.2 or greater due to addition of goto statement
  • [ASTERISK-23897] - [patch] Change in SETUP ACK handling (checking PI) in revision 413765 breaks working environments
  • [ASTERISK-23908] - [patch] When using FEC error correction, Asterisk considers negative sequence numbers as missing
  • [ASTERISK-23916] - [patch] SIP/SDP fmtp line may include whitespace between attributes
  • [ASTERISK-23917] - res_http_websocket: Delay in client processing large streams of data causes disconnect and stuck socket
  • [ASTERISK-23921] - refcounter.py uses excessive ram for large refs files
  • [ASTERISK-23948] - REF_DEBUG fails to record ao2_ref against objects that were already freed
  • [ASTERISK-23984] - Infinite loop possible in ast_careful_fwrite()

Improvement

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.11.0-rc1

Thank you for your continued support of Asterisk!


Asterisk 1.8.29.0-rc1 Now Available

Jul 8, 2014

The Asterisk Development Team has announced the first release candidate of Asterisk 1.8.29.0. This release candidate is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.29.0-rc1 resolves several issues reported by the community and would not have been possible without your participation.

Thank you!

The following are the issues resolved in this release candidate:

Bug

  • [ASTERISK-18230] - sometimes dialplan switches disappear when merging contexts between pbx_lua and pbx_config
  • [ASTERISK-22551] - Session timer: UAS (Asterisk) starts counting at INVITE, UAC starts counting at 200 OK.
  • [ASTERISK-23035] - ConfBridge with name longer than max (32 chars) results in several bridges with same conf_name
  • [ASTERISK-23246] - DEBUG messages in sdp_crypto.c display despite a DEBUG level of zero
  • [ASTERISK-23582] - [patch] Inconsistent column length in *odbc
  • [ASTERISK-23667] - features.conf.sample is unclear as to which options can or cannot be set in the general section
  • [ASTERISK-23673] - Security: DOS by consuming the number of allowed HTTP connections.
  • [ASTERISK-23683] - #includes - wildcard character in a path more than one directory deep - results in no config parsing on module reload
  • [ASTERISK-23766] - [patch] Specify timeout for database write in SQLite
  • [ASTERISK-23790] - [patch] - SIP From headers longer than 256 characters result in dropped call and 'No closing bracket' warnings.
  • [ASTERISK-23803] - AMI action UpdateConfig EmptyCat clears all categories but the requested one
  • [ASTERISK-23814] - No call started after peer dialed
  • [ASTERISK-23818] - PBX_Lua: after asterisk startup module is loaded, but dialplan not available
  • [ASTERISK-23827] - autoservice thread doesn't exit at shutdown
  • [ASTERISK-23844] - Load of pbx_lua fails on sample extensions.lua with Lua 5.2 or greater due to addition of goto statement
  • [ASTERISK-23897] - [patch] Change in SETUP ACK handling (checking PI) in revision 413765 breaks working environments
  • [ASTERISK-23908] - [patch] When using FEC error correction, Asterisk considers negative sequence numbers as missing
  • [ASTERISK-23921] - refcounter.py uses excessive ram for large refs files
  • [ASTERISK-23948] - REF_DEBUG fails to record ao2_ref against objects that were already freed
  • [ASTERISK-23984] - Infinite loop possible in ast_careful_fwrite()

Improvement

  • [ASTERISK-23492] - Add option to safe_asterisk to disable backgrounding
  • [ASTERISK-23564] - [patch]TLS/SRTP status of channel not currently available in a CLI command


For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.29.0-rc1

Thank you for your continued support of Asterisk!


Asterisk 1.8.15-cert7, 1.8.28.2, 11.6-cert4, 11.10.2, 12.3.2 Now Available (Security/Regression Release)

Jun 13, 2014

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert7, 11.6-cert4, 1.8.28.2, 11.10.2, and 12.3.2.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

These releases resolve security vulnerabilities that were previously fixed in 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1. Unfortunately, the fix for AST-2014-007 inadvertently introduced a regression in Asterisk's TCP and TLS handling that prevented Asterisk from sending data over these transports. This regression and the security vulnerabilities have been fixed in the versions specified in this release announcement. The security patches for AST-2014-007 have been updated with the fix for the regression, and are available at http://downloads.asterisk.org/pub/security

Please note that the release of these versions resolves the following security vulnerabilities:

  • AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
  • AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access
  • AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections
  • AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released with the previous versions that addressed these vulnerabilities. For a full list of changes in the current releases, please see the ChangeLogs:

The security advisories are available at:

Thank you for your continued support of Asterisk!


Asterisk 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1 Now Available (Security Release)

Jun 12, 2014

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issue:

  • AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections
    Establishing a TCP or TLS connection to the HTTP or HTTPS port configured in http.conf, and then not sending or completing an HTTP request, ties up an HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.

Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the following issue:

  • AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access
    Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.
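As an added illustration of the permission classes this issue turns on (not a fragment from the announcement or from Asterisk's sample configs), the manager.conf excerpt below places an over-broad AMI grant beside a least-privilege one; the section names, secrets and addresses are constructed placeholders.

```ini
; Constructed example, not taken from the Asterisk sample configuration.
[general]
enabled = yes
; Bind AMI to loopback unless remote management is genuinely required.
bindaddr = 127.0.0.1
port = 5038

; Weak: "all" includes the "system" class. Before the fix this user could
; run shell commands through MixMonitor; after the fix, which ties the
; MixMonitor action to system class authorization, it still holds that
; class and so keeps the capability.
[monitor_weak]
secret = CHANGE-ME-PLACEHOLDER
read = all
write = all

; Least privilege: grant only the classes the integration needs and pin
; the source address. Without "system" in write, a fixed Asterisk refuses
; the MixMonitor action for this user.
[monitor_restricted]
secret = CHANGE-ME-PLACEHOLDER
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.10/255.255.255.255
read = call,cdr
write = call
```

Review "manager show users" and "manager show user <name>" at the CLI after reloading to confirm which classes each account actually holds.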

Additionally, the release of 12.3.1 resolves the following issues:

  • AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
    A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion is raised.
  • AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
    When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.

These issues and their resolutions are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs:

The security advisories are available at:

Thank you for your continued support of Asterisk!

