U radu paketa Asterisk uočen je sigurnosni propust čije iskorištavanje može dovesti do izvođenja DoS (eng. Denial of Service) napada.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8914
2011-06-30 18:39:28
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 14
Version     : 1.6.2.19
Release     : 1.fc14
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced the final maintenance release of
Asterisk, version 1.6.2.19. This release is available for immediate download
at
http://downloads.asterisk.org/pub/telephony/asterisk/

Please note that Asterisk 1.6.2.19 is the final maintenance release from the
1.6.2 branch. Support for security related issues will continue until April
21,
2012. For more information about support of the various Asterisk branches, see
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

The release of Asterisk 1.6.2.19 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Don't broadcast FullyBooted to every AMI connection
 The FullyBooted event should not be sent to every AMI connection
 every time someone connects via AMI. It should only be sent to
 the user who just connected.
 (Closes issue #18168. Reported, patched by FeyFre)
* Fix thread blocking issue in the sip TCP/TLS implementation.
 (Closes issue #18497. Reported by vois. Tested by vois, rossbeer, kowalma,
 Freddi_Fonet. Patched by dvossel)
* Don't delay DTMF in core bridge while listening for DTMF features.
 (Closes issue #15642, #16625. Reported by jasonshugart, sharvanek. Tested by
 globalnetinc, jde. Patched by oej, twilson)
* Fix chan_local crashs in local_fixup()
 Thanks OEJ for tracking down the issue and submitting the patch.
 (Closes issue #19053. Reported, patched by oej)
* Don't offer video to directmedia callee unless caller offered it as well
 (Closes issue #19195. Reported, patched by one47)

Additionally security announcements AST-2011-008, AST-2011-010, and
AST-2011-011 have been resolved in this release.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.19
The Asterisk Development Team has announced the release of Asterisk versions
1.4.41.1, 1.6.2.18.1, and 1.8.4.3, which are security releases.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.4.41.1, 1.6.2.18, and 1.8.4.3 resolves several
issues
as outlined below:

* AST-2011-008: If a remote user sends a SIP packet containing a null,
 Asterisk assumes available data extends past the null to the
 end of the packet when the buffer is actually truncated when
 copied.  This causes SIP header parsing to modify data past
 the end of the buffer altering unrelated memory structures.
 This vulnerability does not affect TCP/TLS connections.
 -- Resolved in 1.6.2.18.1 and 1.8.4.3

* AST-2011-009: A remote user sending a SIP packet containing a Contact header
 with a missing left angle bracket (<) causes Asterisk to
 access a null pointer.
 -- Resolved in 1.8.4.3

* AST-2011-010: A memory address was inadvertently transmitted over the
 network via IAX2 via an option control frame and the remote party would try
 to access it.
 -- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3


The issues and resolutions are described in the AST-2011-008, AST-2011-009,
and
AST-2011-010 security advisories.

For more information about the details of these vulnerabilities, please read
the security advisories AST-2011-008, AST-2011-009, and AST-2011-010, which
were
released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.41.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.18.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.3

Security advisories AST-2011-008, AST-2011-009, and AST-2011-010 are available
at:

http://downloads.asterisk.org/pub/security/AST-2011-008.pdf
http://downloads.asterisk.org/pub/security/AST-2011-009.pdf
http://downloads.asterisk.org/pub/security/AST-2011-010.pdf
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 29 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.19-1:
- The Asterisk Development Team has announced the final maintenance release of
- Asterisk, version 1.6.2.19. This release is available for immediate download
at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- Please note that Asterisk 1.6.2.19 is the final maintenance release from the
- 1.6.2 branch. Support for security related issues will continue until April
21,
- 2012. For more information about support of the various Asterisk branches,
see
- https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
-
- The release of Asterisk 1.6.2.19 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Don't broadcast FullyBooted to every AMI connection
-  The FullyBooted event should not be sent to every AMI connection
-  every time someone connects via AMI. It should only be sent to
-  the user who just connected.
-  (Closes issue #18168. Reported, patched by FeyFre)
- * Fix thread blocking issue in the sip TCP/TLS implementation.
-  (Closes issue #18497. Reported by vois. Tested by vois, rossbeer, kowalma,
-  Freddi_Fonet. Patched by dvossel)
- * Don't delay DTMF in core bridge while listening for DTMF features.
-  (Closes issue #15642, #16625. Reported by jasonshugart, sharvanek. Tested
by
-  globalnetinc, jde. Patched by oej, twilson)
- * Fix chan_local crashs in local_fixup()
-  Thanks OEJ for tracking down the issue and submitting the patch.
-  (Closes issue #19053. Reported, patched by oej)
- * Don't offer video to directmedia callee unless caller offered it as well
-  (Closes issue #19195. Reported, patched by one47)
-
- Additionally security announcements AST-2011-008, AST-2011-010, and
- AST-2011-011 have been resolved in this release.
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.19
* Tue Jun 28 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.19-0.1:
- The Asterisk Development Team has announced the first release
- candidate of Asterisk 1.6.2.19. This release candidate is available
- for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- Please note that Asterisk 1.6.2.19 will be the final maintenance
- release from the 1.6.2 branch. Support for security related issues
- will continue for one additional year. For more information about
- support of the various Asterisk branches, see
- https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
-
- The release of Asterisk 1.6.2.19-rc1 resolves several issues reported
- by the community and would have not been possible without your
- participation.  Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Don't broadcast FullyBooted to every AMI connection The FullyBooted
-  event should not be sent to every AMI connection every time someone
-  connects via AMI. It should only be sent to the user who just
-  connected.  (Closes issue #18168. Reported, patched by FeyFre)
-
- * Fix thread blocking issue in the sip TCP/TLS implementation.
-  (Closes issue #18497. Reported by vois. Tested by vois, rossbeer,
-  kowalma, Freddi_Fonet. Patched by dvossel)
-
- * Don't delay DTMF in core bridge while listening for DTMF features.
-  (Closes issue #15642, #16625. Reported by jasonshugart,
-  sharvanek. Tested by globalnetinc, jde. Patched by oej, twilson)
-
- * Fix chan_local crashs in local_fixup() Thanks OEJ for tracking down
-  the issue and submitting the patch.  (Closes issue #19053. Reported,
-  patched by oej)
-
- * Don't offer video to directmedia callee unless caller offered it as
-  well (Closes issue #19195. Reported, patched by one47)
-
- For a full list of changes in this release candidate, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.19-rc1
* Sat Jun 25 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.18.1-1
- The Asterisk Development Team has announced the release of Asterisk versions
- 1.4.41.1, 1.6.2.18.1, and 1.8.4.3, which are security releases.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.4.41.1, 1.6.2.18, and 1.8.4.3 resolves several
issues
- as outlined below:
-
- * AST-2011-008: If a remote user sends a SIP packet containing a null,
-  Asterisk assumes available data extends past the null to the
-  end of the packet when the buffer is actually truncated when
-  copied.  This causes SIP header parsing to modify data past
-  the end of the buffer altering unrelated memory structures.
-  This vulnerability does not affect TCP/TLS connections.
-  -- Resolved in 1.6.2.18.1 and 1.8.4.3
-
- * AST-2011-009: A remote user sending a SIP packet containing a Contact
header
-  with a missing left angle bracket (<) causes Asterisk to
-  access a null pointer.
-  -- Resolved in 1.8.4.3
-
- * AST-2011-010: A memory address was inadvertently transmitted over the
-  network via IAX2 via an option control frame and the remote party would try
-  to access it.
-  -- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3
-
-
- The issues and resolutions are described in the AST-2011-008, AST-2011-009,
and
- AST-2011-010 security advisories.
-
- For more information about the details of these vulnerabilities, please read
- the security advisories AST-2011-008, AST-2011-009, and AST-2011-010, which
were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLog:
-
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.41.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.18.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.3
-
- Security advisories AST-2011-008, AST-2011-009, and AST-2011-010 are
available
- at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-008.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-009.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-010.pdf
* Thu Apr 28 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.18-1
-
- The Asterisk Development Team has announced the release of Asterisk
1.6.2.18.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.18 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
-  * Only offer codecs both sides support for directmedia.
-   (Closes issue #17403. Reported, patched by one47)
-
-  * Resolution of several DTMF based attended transfer issues.
-   (Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
-   shihchuan, grecco. Patched by rmudgett)
-   NOTE: Be sure to read the ChangeLog for more information about these
changes.
-
-  * Resolve deadlocks related to device states in chan_sip
-   (Closes issue #18310. Reported, patched by one47. Patched by jpeeler)
-
-  * Fix channel redirect out of MeetMe() and other issues with channel
softhangup
-   (Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
-   Patched by russellb)
-
-  * Fix voicemail sequencing for file based storage.
-   (Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
-   jpeeler)
-
-  * Guard against retransmitting BYEs indefinitely during attended transfers
with
-   chan_sip.
-   (Review: https://reviewboard.asterisk.org/r/1077/)
-
- In addition to the changes listed above, commits to resolve security issues
- AST-2011-005 and AST-2011-006 have been merged into this release. More
- information about AST-2011-005 and AST-2011-006 can be found at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-006.pdf
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18
* Fri Apr 22 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.17.3-1
- The Asterisk Development Team has announced security releases for Asterisk
- branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
- released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve
two
- issues:
-
- * File Descriptor Resource Exhaustion (AST-2011-005)
- * Asterisk Manager User Shell Access (AST-2011-006)
-
- The issues and resolutions are described in the AST-2011-005 and
AST-2011-006
- security advisories.
-
- For more information about the details of these vulnerabilities, please read
the
- security advisories AST-2011-005 and AST-2011-006, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLog:
-
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.40.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.25
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.3
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.3
-
- Security advisory AST-2011-005 and AST-2011-006 are available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-006.pdf
* Wed Mar 23 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.17.2-1
- The Asterisk Development Team has announced security releases for Asterisk
- branches 1.6.1, 1.6.2, and 1.8. The available security releases are
- released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
-   contained a bug which caused duplicate manager entries (issue #18987).
-
- The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two
issues:
-
-  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
-  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)
-
- The issues and resolutions are described in the AST-2011-003 and
AST-2011-004
- security advisories.
-
- For more information about the details of these vulnerabilities, please read
the
- security advisories AST-2011-003 and AST-2011-004, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLog:
-
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.24
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.2
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.2
-
- Security advisory AST-2011-003 and AST-2011-004 are available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-004.pdf
* Tue Mar  1 2011 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.17-1
- The Asterisk Development Team has announced the release of Asterisk
1.6.2.17.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.17 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Resolve duplicated data in the AstDB when using DIALGROUP()
-  (Closes issue #18091. Reported by bunny. Patched by tilghman)
-
- * Correct issue where res_config_odbc could populate fields with invalid
data.
-  (Closes issue #18251, #18279. Reported by bcnit, zerohalo. Tested by trev,
-  jthurman, elguero, zerohalo. Patched by tilghman)
-
- * When using cdr_pgsql the billsec field was not populated correctly on
-  unanswered calls.
-  (Closes issue #18406. Reported by joscas. Patched by tilghman)
-
- * Resolve issue where re-transmissions of SUBSCRIBE could break presence.
-  (Closes issue #18075. Reported by mdu113. Patched by twilson)
-
- * Fix regression causing forwarding voicemails to not work with file
storage.
-  (Closes issue #18358. Reported by cabal95. Patched by jpeeler)
-
- * This version of Asterisk includes the new Compiler Flags option
-  BETTER_BACKTRACES which uses libbfd to search for better symbol information
-  within both the Asterisk binary, as well as loaded modules, to assist when
-  using inline backtraces to track down problems.
-  (Patched by tilghman)
-
- * Resolve several issues with DTMF based attended transfers.
-  (Closes issues #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
-  shihchaun, grecco. Patched by rmudgett).
-  NOTE: Be sure to read the ChangeLog for more information about these
changes.
-
- * Resolve issue where no Music On Hold may be triggered when using
-  res_timing_dahdi.
-  (Closes issues #18262. Reported by francesco_r. Patched by cjacobson.
Tested
-  by francesco_r, rfrantik, one47)
-
- * Fix regression that changed behavior of queues when ringing a queue
member.
-  (Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
-
- Additionally, this release has the changes related to security bulletin
- AST-2011-002 which can be found at
- http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17
* Mon Feb 21 2011 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.16.2-1
-
-              Asterisk Project Security Advisory - AST-2011-002
-
-       Product       Asterisk
-       Summary       Multiple array overflow and crash vulnerabilities in
-                     UDPTL code
-  Nature of Advisory Exploitable Stack and Heap Array Overflows
-    Susceptibility   Remote Unauthenticated Sessions
-       Severity      Critical
-    Exploits Known   No
-     Reported On     January 27, 2011
-     Reported By     Matthew Nicholson
-      Posted On      February 21, 2011
-   Last Updated On   February 21, 2011
-   Advisory Contact  Matthew Nicholson <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.>
-       CVE Name
-
-  Description When decoding UDPTL packets, multiple stack and heap based
-              arrays can be made to overflow by specially crafted packets.
-              Systems doing T.38 pass through or termination are vulnerable.
-
-  Resolution The UDPTL decoding routines have been modified to respect the
-             limits of exploitable arrays.
-
-             In asterisk versions not containing the fix for this issue,
-             disabling T.38 support will prevent this vulnerability from
-             being exploited. T.38 support can be disabled in chan_sip by
-             setting the t38pt_udptl option to "no" (it is off by default).
-
-             t38pt_udptl = no
-
-             The chan_ooh323 module should also be disabled by adding the
-             following line in modles.conf.
-
-             noload => chan_ooh323
-
-                              Affected Versions
-               Product              Release Series
-        Asterisk Open Source            1.4.x      All versions
-        Asterisk Open Source            1.6.x      All versions
-      Asterisk Business Edition         C.x.x      All versions
-             AsteriskNOW                 1.5       All versions
-     s800i (Asterisk Appliance)         1.2.x      All versions
-
-                                 Corrected In
-             Product                               Release
-       Asterisk Open Source        1.4.39.2, 1.6.1.22, 1.6.2.16.2, 1.8.2.4
-    Asterisk Business Edition                      C.3.6.3
-
-                                   Patches
-                                  URL                                 Branch
-  http://downloads.asterisk.org/pub/security/AST-2011-002-1.4.diff    1.4
-  http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.1.diff  1.6.1
-  http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.2.diff  1.6.2
-  http://downloads.asterisk.org/pub/security/AST-2011-002-1.8.diff    1.8
-
-         Links
-
-  Asterisk Project Security Advisories are posted at
-  http://www.asterisk.org/security
-
-  This document may be superseded by later versions; if so, the latest
-  version will be posted at
-  http://downloads.digium.com/pub/security/AST-2011-002.pdf and
-  http://downloads.digium.com/pub/security/AST-2011-002.html
-
-                               Revision History
-       Date                Editor                    Revisions Made
-  02/21/11        Matthew Nicholson         Initial Release
-
-              Asterisk Project Security Advisory - AST-2011-002
-             Copyright (c) 2011 Digium, Inc. All Rights Reserved.
- Permission is hereby granted to distribute and publish this advisory in its
-                          original, unaltered form.
* Tue Jan 25 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced security releases for the
following
- versions of Asterisk:
-
- * 1.4.38.1
- * 1.4.39.1
- * 1.6.1.21
- * 1.6.2.15.1
- * 1.6.2.16.1
- * 1.8.1.2
- * 1.8.2.1
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
1.6.2.16.2,
- 1.8.1.2, and 1.8.2.1 resolve an issue when forming an outgoing SIP request
while
- in pedantic mode, which can cause a stack buffer to be made to overflow if
- supplied with carefully crafted caller ID information. The issue and
resolution
- are described in the AST-2011-001 security advisory.
-
- For more information about the details of this vulnerability, please read
the
- security advisory AST-2011-001, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLog:
-
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.38.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.39.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.21
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.15.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.1.2
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.1
-
- Security advisory AST-2011-001 is available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-001.pdf
* Tue Jan 25 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk
1.6.2.16.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.16 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Fix cache of device state changes for multiple servers.
-  (Closes issue #18284, #18280. Reported, tested by klaus3000. Patched,
tested
-  by russellb)
-
- * Resolve issue where channel redirect function (CLI or AMI) hangs up the
call
-  instead of redirecting the call.
-  (Closes issue #18171. Reported by: SantaFox)
-  (Closes issue #18185. Reported by: kwemheuer)
-  (Closes issue #18211. Reported by: zahir_koradia)
-  (Closes issue #18230. Reported by: vmarrone)
-  (Closes issue #18299. Reported by: mbrevda)
-  (Closes issue #18322. Reported by: nerbos)
-
- * Linux and *BSD disagree on the elements within the ucred structure. Detect
-  which one is in use on the system.
-  (Closes issue #18384. Reported, patched, tested by bjm, tilghman)
-
- * app_followme: Don't create a Local channel if the target extension does
not
-  exist.
-  (Closes issue #18126. Reported, patched by junky)
-
- * Revert code that changed SSRC for DTMF.
-  (Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou.
rsw686.
-  Tested by cmbaker82)
-
- * Resolve issue where REGISTER request with a Call-ID matching an existing
-  transaction is received it was possible that the REGISTER request would
-  overwrite the initreq of the private structure.
-  (Closes issue #18051. Reported by eeman. Patched, tested by twilson)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16
* Tue Jan 25 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk
1.6.2.15.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.15 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * When using chan_skinny, don't crash when parking a non-bridged call.
-   (Closes issue #17680. Reported, tested by jmhunter. Patched, tested by
DEA)
-
- * Add ability for Asterisk to try both the encoded and unencoded
subscription
-   URI for a match in hints.
-   (Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
-
- * Set the caller id on CDRs when it is set on the parent channel.
-   (Closes issue #17569. Reported, patched by tbelder)
-
- * Ensure user portion of SIP URI matches dialplan when using encoded
characters
-   (Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
-
- * Resolve issue where Party A in an analog 3-way call would continue to hear
-   ringback after party C answers.
-   (Patched by rmudgett)
-
- * Fix problem with qualify option packets for realtime peers never stopping.
-   The option packets not only never stopped, but if a realtime peer was not
in
-   the peer list multiple options dialogs could accumulate over time.
-   (Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
-   jpeeler)
-
- * Multiple fixes related to Local channels.
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.15
* Tue Jan 25 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk
- 1.6.2.14.  This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.14 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
-  * Fix issue where session timers would be advertised as supported even
-   when session-timers=refuse was set in sip.conf. Also fix
-   interoperability problems with session timer behavior in Asterisk.
-   (Closes issue #17005. Reported by alexcarey. Patched by dvossel)
-
-  * Parse all "Accept" headers for SIP SUBSCRIBE requests.
-   (Closes issue #17758. Reported by ibc. Patched by dvossel)
-
-  * Fix issue where queue stats would be reset on reload.
-   (Closes issue #17535. Reported by raarts. Patched by tilghman)
-
-  * Fix issue where MoH files were no longer rescanned on during a
-   reload.
-   (Closes issue #16744. Reported by pj. Patched by Qwell)
-
-  * Fix issue with dialplan pattern matching where the specificity for
-   pattern ranges and pattern characters was inconsistent.
-   (Closes issue #16903. Reported, patched by Nick_Lewis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.14
* Fri Oct  8 2010 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.6.2.14-0.1.rc1
- The release of Asterisk 1.6.2.14-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
-  * Fix issue where session timers would be advertised as supported even when
-    session-timers=refuse was set in sip.conf. Also fix  interoperability
-    problems with session timer behavior in Asterisk.
-    (Closes issue #17005. Reported by alexcarey. Patched by dvossel)
-
-  * Fix issue with decoding ^-escaped characters in realtime (res_pgsql).
-    (Closes issue #17790. Reported by denzs. Patched by Qwell)
-
-  * Parse all "Accept" headers for SIP SUBSCRIBE requests.
-    (Closes issue #17758. Reported by ibc. Patched by dvossel)
-
-  * Fix issue where queue stats would be reset on reload.
-    (Closes issue #17535. Reported by raarts. Patched by tilghman)
-
-  * Fix issue where MoH files were no longer rescanned on during a reload.
-    (Closes issue #16744. Reported by pj. Patched by Qwell)
-
-  * Fix issue with dialplan pattern matching where the specificity for
pattern
-    ranges and pattern characters was inconsistent.
-    (Closes issue #16903. Reported, patched by Nick_Lewis)
-
- For a full list of changes in the current release candidate, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.14-rc1

- This release resolves an issue where the .version and ChangeLog files were
not
- updated for 1.6.2.12. Asterisk 1.6.2.13 has no additional changes from
1.6.2.12
- other than the .version, ChangeLog and summary files.
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.13

- The release of Asterisk 1.6.2.12 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
-     * Fix issue where DNID does not get cleared on a new call when using
-       immediate=yes with ISDN signaling.
-       (Closes issue #17568. Reported by wuwu. Patched by rmudgett)
-     * Several updates to res_config_ldap.
-       (Closes issue #13573. Reported by navkumar. Patched by navkumar,
bencer.
-       Tested by suretec)
-     * Prevent loss of Caller ID information set on local channel after
masquerade.
-       (Closes issue #17138. Reported by kobaz, patched by jpeeler)
-     * Fix SIP peers memory leak.
-       (Closes issue #17774. Reported, patched by kkm)
-     * Add Danish support to say.conf.sample
-       (Closes issue #17836. Reported, patched by RoadKill)
-     * Ensure SSRC is changed when media source is changed to resolve audio
delay.
-       (Closes issue #17404. Reported, tested by sdolloff. Patched by
jpeeler)
-     * Only do magic pickup when notifycid is enabled.
-       A new way of doing BLF pickup was introduced into 1.6.2. This feature
adds a
-       call-id value into the XML of a SIP_NOTIFY message sent to alert a
subscriber
-       that a device is ringing. This option should only be enabled when the
new
-       'notifycid' option is set, but this was not the case. Instead the
call-id
-       value was included for every RINGING Notify message, which caused a
-       regression for people who used other methods for call pickup.
-       (Closes issue #17633. Reported, patched by urosh. Patched by dvossel.
-       Tested by: dvossel, urosh, okrief, alecdavis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.12
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8983
2011-07-02 18:56:34
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 15
Version     : 1.8.4.4
Release     : 2.fc15
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

Remove systemd dependencies from EL6 and F15
The Asterisk Development Team has announced the release of Asterisk versions
1.4.41.2, 1.6.2.18.2, and 1.8.4.4, which are security releases.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.4.41.2, 1.6.2.18.2, and 1.8.4.4 resolves the
following issue:

AST-2011-011: Asterisk may respond differently to SIP requests from an
invalid SIP user than it does to a user configured on the system, even when the
alwaysauthreject option is set in the configuration. This can leak information
about what SIP users are valid on the Asterisk system.

For more information about the details of this vulnerability, please read
the security advisory AST-2011-011, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.41.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.18.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.4

Security advisory AST-2011-011 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-011.pdf
The Asterisk Development Team has announced the release of Asterisk versions
1.4.41.1, 1.6.2.18.1, and 1.8.4.3, which are security releases.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.4.41.1, 1.6.2.18, and 1.8.4.3 resolves several issues
as outlined below:

* AST-2011-008: If a remote user sends a SIP packet containing a null,
 Asterisk assumes available data extends past the null to the
 end of the packet when the buffer is actually truncated when
 copied.  This causes SIP header parsing to modify data past
 the end of the buffer altering unrelated memory structures.
 This vulnerability does not affect TCP/TLS connections.
 -- Resolved in 1.6.2.18.1 and 1.8.4.3

* AST-2011-009: A remote user sending a SIP packet containing a Contact header
 with a missing left angle bracket (<) causes Asterisk to
 access a null pointer.
 -- Resolved in 1.8.4.3

* AST-2011-010: A memory address was inadvertently transmitted over the
 network via IAX2 via an option control frame and the remote party would try
 to access it.
 -- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3


The issues and resolutions are described in the AST-2011-008, AST-2011-009, and
AST-2011-010 security advisories.

For more information about the details of these vulnerabilities, please read
the security advisories AST-2011-008, AST-2011-009, and AST-2011-010, which
were
released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.41.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.18.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.3

Security advisories AST-2011-008, AST-2011-009, and AST-2011-010 are available
at:

http://downloads.asterisk.org/pub/security/AST-2011-008.pdf
http://downloads.asterisk.org/pub/security/AST-2011-009.pdf
http://downloads.asterisk.org/pub/security/AST-2011-010.pdf

The Asterisk Development Team has announced the release of Asterisk
version 1.8.4.2, which is a security release for Asterisk 1.8.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.4.2 resolves an issue with SIP URI
parsing which can lead to a remotely exploitable crash:

   Remote Crash Vulnerability in SIP channel driver (AST-2011-007)

The issue and resolution is described in the AST-2011-007 security
advisory.

For more information about the details of this vulnerability, please
read the security advisory AST-2011-007, which was released at the
same time as this announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.2

Security advisory AST-2011-007 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-007.pdf

The Asterisk Development Team has announced the release of Asterisk 1.8.4.1.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 1.8.4.1 resolves several issues reported by the
community. Without your help this release would not have been possible.
Thank you!

Below is a list of issues resolved in this release:

 * Fix our compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)
  (Closes issue #18951. Reported by jmls. Patched by wdoekes)

 * Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
  This issue was found and reported by the Asterisk test suite.
  (Closes issue #18951. Patched by mnicholson)

 * Resolve potential crash when using SIP TLS support.
  (Closes issue #19192. Reported by stknob. Patched by Chainsaw. Tested by
   vois, Chainsaw)

 * Improve reliability when using SIP TLS.
  (Closes issue #19182. Reported by st. Patched by mnicholson)


For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4.1

The Asterisk Development Team has announced the release of Asterisk 1.8.4. This
release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 1.8.4 resolves several issues reported by the
community.
Without your help this release would not have been possible. Thank you!

Below is a sample of the issues resolved in this release:

 * Use SSLv23_client_method instead of old SSLv2 only.
  (Closes issue #19095, #19138. Reported, patched by tzafrir. Tested by russell
  and chazzam.

 * Resolve crash in ast_mutex_init()
  (Patched by twilson)

 * Resolution of several DTMF based attended transfer issues.
  (Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo,
  shihchuan, grecco. Patched by rmudgett)

  NOTE: Be sure to read the ChangeLog for more information about these changes.

 * Resolve deadlocks related to device states in chan_sip
  (Closes issue #18310. Reported, patched by one47. Patched by jpeeler)

 * Resolve an issue with the Asterisk manager interface leaking memory when
  disabled.
  (Reported internally by kmorgan. Patched by russellb)

 * Support greetingsfolder as documented in voicemail.conf.sample.
  (Closes issue #17870. Reported by edhorton. Patched by seanbright)

 * Fix channel redirect out of MeetMe() and other issues with channel
softhangup
  (Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb.
  Patched by russellb)

 * Fix voicemail sequencing for file based storage.
  (Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by
  jpeeler)

 * Set hangup cause in local_hangup so the proper return code of 486 instead of
  503 when using Local channels when the far sides returns a busy. Also affects
  CCSS in Asterisk 1.8+.
  (Patched by twilson)

 * Fix issues with verbose messages not being output to the console.
  (Closes issue #18580. Reported by pabelanger. Patched by qwell)

 * Fix Deadlock with attended transfer of SIP call
  (Closes issue #18837. Reported, patched by alecdavis. Tested by
  alecdavid, Irontec, ZX81, cmaj)

Includes changes per AST-2011-005 and AST-2011-006
For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4

Information about the security releases are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul  1 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.4-2
- Fix systemd dependencies in EL6 and F15
* Thu Jun 30 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.4-2
- Fedora Directory Server -> 389 Directory Server
* Wed Jun 29 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.4-1
- The Asterisk Development Team has announced the release of Asterisk
- versions 1.4.41.2, 1.6.2.18.2, and 1.8.4.4, which are security
- releases.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.4.41.2, 1.6.2.18.2, and 1.8.4.4 resolves the
- following issue:
-
- AST-2011-011: Asterisk may respond differently to SIP requests from an
- invalid SIP user than it does to a user configured on the system, even
- when the alwaysauthreject option is set in the configuration. This can
- leak information about what SIP users are valid on the Asterisk
- system.
-
- For more information about the details of this vulnerability, please
- read the security advisory AST-2011-011, which was released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLog:
-
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.41.2
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.18.2
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.4
-
- Security advisory AST-2011-011 is available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-011.pdf
* Mon Jun 27 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.3-3
- Don't forget stereorize
* Mon Jun 27 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.3-2
- Move /var/run/asterisk to /run/asterisk
- Add comments to systemd service file on how to mimic safe_asterisk
functionality
- Build more of the optional binaries
- Install the tmpfiles.d configuration on Fedora 15
* Fri Jun 24 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.3-1
- The Asterisk Development Team has announced the release of Asterisk versions
- 1.4.41.1, 1.6.2.18.1, and 1.8.4.3, which are security releases.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.4.41.1, 1.6.2.18, and 1.8.4.3 resolves several
issues
- as outlined below:
-
- * AST-2011-008: If a remote user sends a SIP packet containing a null,
-  Asterisk assumes available data extends past the null to the
-  end of the packet when the buffer is actually truncated when
-  copied.  This causes SIP header parsing to modify data past
-  the end of the buffer altering unrelated memory structures.
-  This vulnerability does not affect TCP/TLS connections.
-  -- Resolved in 1.6.2.18.1 and 1.8.4.3
-
- * AST-2011-009: A remote user sending a SIP packet containing a Contact
header
-  with a missing left angle bracket (<) causes Asterisk to
-  access a null pointer.
-  -- Resolved in 1.8.4.3
-
- * AST-2011-010: A memory address was inadvertently transmitted over the
-  network via IAX2 via an option control frame and the remote party would try
-  to access it.
-  -- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3
-
- The issues and resolutions are described in the AST-2011-008, AST-2011-009,
and
- AST-2011-010 security advisories.
-
- For more information about the details of these vulnerabilities, please read
- the security advisories AST-2011-008, AST-2011-009, and AST-2011-010, which
were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLog:
-
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.41.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.18.1
-
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.3
-
- Security advisories AST-2011-008, AST-2011-009, and AST-2011-010 are
available
- at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-008.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-009.pdf
- http://downloads.asterisk.org/pub/security/AST-2011-010.pdf
* Tue Jun 21 2011 Jeffrey C. Ollie <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.8.4.2-2
- Convert to systemd
* Fri Jun 17 2011 Marcela MaĹÄ