From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 17 Update: asterisk-10.12.2-1.fc17
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Sunday 7th April 2013 00:44:42 UTC
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-4528
2013-03-29 00:54:06
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 17
Version     : 10.12.2
Release     : 1.fc17
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
and 11.2.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issues:

* A possible buffer overflow during H.264 format negotiation. The format
  attribute resource for H.264 video performs an unsafe read against a media
  attribute when parsing the SDP.

  This vulnerability only affected Asterisk 11.

* A denial of service exists in Asterisk's HTTP server. AST-2012-014, fixed
  in January of this year, contained a fix for Asterisk's HTTP server for a
  remotely-triggered crash. While the fix prevented the crash from being
  triggered, a denial of service vector still exists with that solution if an
  attacker sends one or more HTTP POST requests with very large Content-Length
  values.

  This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10,
  and 11.

* A potential username disclosure exists in the SIP channel driver. When
  authenticating a SIP request with alwaysauthreject enabled, allowguest
  disabled, and autocreatepeer disabled, Asterisk discloses whether a user
  exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.

  This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10,
  and 11.
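The HTTP denial of service above (AST-2013-002) comes down to acting on a client-supplied Content-Length before checking it. The following C fragment is an added illustration of the defensive pattern, not Asterisk's own code: it scans the header block of a constructed POST and refuses oversized, duplicated or malformed length values before any body buffer is sized. MAX_POST_BODY, the function names and the sample request are all assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical cap on an accepted POST body; the value Asterisk chose is not
 * stated on this page. */
#define MAX_POST_BODY 4096UL

enum cl_result {
    CL_OK = 0,        /* header present, well-formed, within the cap */
    CL_MISSING = 1,   /* no Content-Length header in the request */
    CL_MALFORMED = 2, /* non-numeric, duplicated, or overflowing value */
    CL_TOO_LARGE = 3  /* value exceeds MAX_POST_BODY */
};

/* True when the header line starts with "<name>:" (case-insensitive). */
static int header_is(const char *line, const char *name)
{
    size_t n = strlen(name);
    return strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Walk the header block of a request (up to the blank line) and decide
 * whether the body may be read. On CL_OK the accepted length is stored in
 * *out_len; on any other result nothing should be allocated or read. */
enum cl_result check_content_length(const char *request, unsigned long *out_len)
{
    const char *p = request;
    unsigned long len = 0;
    int seen = 0;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen == 0)
            break; /* blank line: end of headers */

        if (header_is(p, "Content-Length")) {
            const char *v = p + strlen("Content-Length:");
            char *end;

            if (seen)
                return CL_MALFORMED; /* two lengths: refuse to guess which */
            seen = 1;

            while (*v == ' ' || *v == '\t')
                v++;
            if (!isdigit((unsigned char)*v))
                return CL_MALFORMED; /* rejects empty, "-1", "+5", text */

            errno = 0;
            len = strtoul(v, &end, 10);
            if (errno == ERANGE)
                return CL_MALFORMED; /* digits overflow unsigned long */

            while (end < p + linelen && (*end == ' ' || *end == '\t'))
                end++;
            if (end != p + linelen)
                return CL_MALFORMED; /* junk after the number */
        }

        if (!eol)
            break;
        p = eol + 2;
    }

    if (!seen)
        return CL_MISSING;
    if (len > MAX_POST_BODY)
        return CL_TOO_LARGE; /* decided before any buffer is sized */
    *out_len = len;
    return CL_OK;
}

/* Verdict-only wrapper for callers that do not need the length. */
enum cl_result verdict_for(const char *request)
{
    unsigned long unused = 0;
    return check_content_length(request, &unused);
}

/* Accepted length, or 0 when the request is refused. */
unsigned long accepted_length(const char *request)
{
    unsigned long len = 0;
    return check_content_length(request, &len) == CL_OK ? len : 0;
}

int main(void)
{
    /* Constructed request, not captured traffic. */
    static const char oversized[] =
        "POST / HTTP/1.1\r\n"
        "Host: pbx.example\r\n"
        "Content-Length: 100000\r\n"
        "\r\n";

    printf("verdict=%d (3 = too large, body never read)\n",
           (int)verdict_for(oversized));
    return verdict_for(oversized) == CL_TOO_LARGE ? 0 : 1;
}
```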

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.20.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2-digiumphones
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.2.2

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
 * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
 * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf

--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 28 2013 Jeffrey Ollie <[email protected]> - 10.12.2-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
- are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
- and 11.2.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following issues:
-
- * A possible buffer overflow during H.264 format negotiation. The format
-   attribute resource for H.264 video performs an unsafe read against a media
-   attribute when parsing the SDP.
-
-   This vulnerability only affected Asterisk 11.
-
- * A denial of service exists in Asterisk's HTTP server. AST-2012-014, fixed
-   in January of this year, contained a fix for Asterisk's HTTP server for a
-   remotely-triggered crash. While the fix prevented the crash from being
-   triggered, a denial of service vector still exists with that solution if an
-   attacker sends one or more HTTP POST requests with very large Content-Length
-   values.
-
-   This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10,
-   and 11.
-
- * A potential username disclosure exists in the SIP channel driver. When
-   authenticating a SIP request with alwaysauthreject enabled, allowguest
-   disabled, and autocreatepeer disabled, Asterisk discloses whether a user
-   exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.
-
-   This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10,
-   and 11.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.20.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.2.2
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf
-
- The Asterisk Development Team has announced the release of Asterisk 10.12.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.12.1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Fix astcanary startup problem due to wrong pid value from before
-       daemon call
-   (Closes issue ASTERISK-20947. Reported by Jakob Hirsch)
-
- * --- Update init.d scripts to handle stderr; readd splash screen for
-       remote consoles
-   (Closes issue ASTERISK-20945. Reported by Warren Selby)
-
- * --- Reset RTP timestamp; sequence number on SSRC change
-   (Closes issue ASTERISK-20906. Reported by Eelco Brolman)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.12.1
* Fri Jan 18 2013 Jeffrey Ollie <[email protected]> - 10.12.0-1:
- The Asterisk Development Team has announced the release of Asterisk 10.12.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.12.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_meetme: Fix channels lingering when hung up under certain
-       conditions
-   (Closes issue ASTERISK-20486. Reported by Michael Cargile)
-
- * --- Fix stuck DTMF when bridge is broken.
-   (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)
-
- * --- Improve Code Readability And Fix Setting natdetected Flag
-   (Closes issue ASTERISK-20724. Reported by Michael L. Young)
-
- * --- Fix extension matching with the '-' char.
-   (Closes issue ASTERISK-19205. Reported by Philippe Lindheimer, Birger
-   "WIMPy" Harzenetter)
-
- * --- Fix call files when astspooldir is relative.
-   (Closes issue ASTERISK-20593. Reported by James Le Cuirot)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.12.0
* Fri Jan  4 2013 Jeffrey Ollie <[email protected]> - 10.11.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
- are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
- and 11.1.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following two issues:
-
- * Stack overflows that occur in some portions of Asterisk that manage a TCP
-   connection. In SIP, this is exploitable via a remote unauthenticated session;
-   in XMPP and HTTP connections, this is exploitable via remote authenticated
-   sessions.
-
- * A denial of service vulnerability through exploitation of the device state
-   cache. Anonymous calls had the capability to create devices in Asterisk that
-   would never be disposed of.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-014 and AST-2012-015, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert10
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.19.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.11.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.11.1-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
* Fri Dec 14 2012 Jeffrey Ollie <[email protected]> - 10.11.0-1:
- The Asterisk Development Team has announced the release of Asterisk 10.11.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.11.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Prevent resetting of NATted realtime peer address on reload.
-   (Closes issue ASTERISK-18203. Reported by daren ferreira)
-
- * --- Do not use a FILE handle when doing SIP TCP reads.
-   (Closes issue ASTERISK-20212. Reported by Phil Ciccone)
-
- * --- Fix ConfBridge crash if no timing module loaded.
-   (Closes issue ASTERISK-19448. Reported by feyfre)
-
- * --- confbridge: Fix a bug which made conferences not record with
-       AMI/CLI commands
-   (Closes issue ASTERISK-20601. Reported by Vilius)
-
- * --- Fix execution of 'i' extension due to uninitialized variable.
-   (Closes issue ASTERISK-20455. Reported by Richard Miller)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.11.0
* Fri Dec  7 2012 Jeffrey Ollie <[email protected]> - 10.10.1-1
- The Asterisk Development Team has announced the release of Asterisk 10.10.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.10.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- chan_local: Fix local_pvt ref leak in local_devicestate().
-   (Closes issue ASTERISK-20769. Reported by rmudgett)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.10.1
* Wed Nov  7 2012 Jeffrey Ollie <[email protected]> - 10.10.0-1:
- The Asterisk Development Team has announced the release of Asterisk 10.10.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.10.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Resolve issues in ConfBridge regarding marked, waitmarked, and
-       unmarked users
-   (Closes issue ASTERISK-19562. Reported by flan)
-
- * --- dsp.c User Configurable DTMF_HITS_TO_BEGIN and
-       DTMF_MISSES_TO_END
-   (Closes issue ASTERISK-17493. Reported by alecdavis)
-
- * --- Fix error where improper IMAP greetings would be deleted.
-   (Closes issue ASTERISK-20435. Reported by fhackenberger)
-
- * --- iax2-provision: Fix improper return on failed cache retrieval
-   (Closes issue ASTERISK-20337. Reported by John Covert)
-
- * --- Fix T.38 support when used with chan_local in between.
-   (Closes issue ASTERISK-20229. Reported by wdoekes)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.10.0
* Tue Oct  9 2012 Jeffrey Ollie <[email protected]> - 10.9.0-1
- The Asterisk Development Team has announced the release of Asterisk 10.9.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.9.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix channel reference leak in ChanSpy.
-   (Closes issue ASTERISK-19461. Reported by Irontec)
-
- * --- dsp.c: Fix multiple issues when no-interdigit delay is present,
-       and fast DTMF 50ms/50ms
-   (Closes issue ASTERISK-19610. Reported by Jean-Philippe Lord)
-
- * --- Fix bug where final queue member would not be removed from
-       memory.
-   (Closes issue ASTERISK-19793. Reported by Marcus Haas)
-
- * --- Fix memory leak when CEL is successfully written to PostgreSQL
-       database
-   (Closes issue ASTERISK-19991. Reported by Etienne Lessard)
-
- * --- Fix DUNDi message routing bug when neighboring peer is
-       unreachable
-   (Closes issue ASTERISK-19309. Reported by Peter Racz)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.9.0
* Wed Sep 26 2012 Jeffrey Ollie <[email protected]> - 10.8.0-1
- The Asterisk Development Team has announced the release of Asterisk 10.8.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.8.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
-       ExternalIVR
-   (Closes issue ASTERISK-20132. Reported by Zubair Ashraf of IBM X-Force
-   Research)
-
- * --- AST-2012-013: Resolve ACL rules being ignored during calls by
-       some IAX2 peers
-   (Closes issue ASTERISK-20186. Reported by Alan Frisch)
-
- * --- Handle extremely out of order RFC 2833 DTMF
-   (Closes issue ASTERISK-18404. Reported by Stephane Chazelas)
-
- * --- Resolve severe memory leak in CEL logging modules.
-   (Closes issue AST-916. Reported by Thomas Arimont)
-
- * --- Only re-create an SRTP session when needed
-   (Issue ASTERISK-20194. Reported by Nicolo Mazzon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.8.0
* Tue Sep  4 2012 Dan Horák  - 10.7.1-2
- fix build on s390
* Thu Aug 30 2012 Jeffrey Ollie <[email protected]> - 10.7.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
- resolves the following two issues:
-
- * A permission escalation vulnerability in Asterisk Manager Interface. This
-   would potentially allow remote authenticated users the ability to execute
-   commands on the system shell with the privileges of the user running the
-   Asterisk application.  Please note that the README-SERIOUSLY.bestpractices.txt
-   file delivered with Asterisk has been updated due to this and other related
-   vulnerabilities fixed in previous versions of Asterisk.
-
- * When an IAX2 call is made using the credentials of a peer defined in a
-   dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
-   peer are not applied to the call attempt. This allows for a remote attacker
-   who is aware of a peer's credentials to bypass the ACL rules set for that
-   peer.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-012 and AST-2012-013, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
* Thu Aug 30 2012 Jeffrey Ollie <[email protected]> - 10.7.0-1
- The Asterisk Development Team has announced the release of Asterisk 10.7.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.7.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix deadlock potential with ast_set_hangupsource() calls.
-   (Closes issue ASTERISK-19801. Reported by Alec Davis)
-
- * --- Fix request routing issue when outboundproxy is used.
-   (Closes issue ASTERISK-20008. Reported by Marcus Hunger)
-
- * --- Set the Caller ID "tag" on peers even if remote party
-       information is present.
-   (Closes issue ASTERISK-19859. Reported by Thomas Arimont)
-
- * --- Fix NULL pointer segfault in ast_sockaddr_parse()
-   (Closes issue ASTERISK-20006. Reported by Michael L. Young)
-
- * --- Do not perform install on existing directories
-   (Closes issue ASTERISK-19492. Reported by Karl Fife)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.7.0
* Thu Aug 30 2012 Jeffrey Ollie <[email protected]> - 10.6.1-1
- The Asterisk Development Team has announced the release of Asterisk 10.6.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.6.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Remove a superfluous and dangerous freeing of an SSL_CTX.
-   (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.6.1
* Thu Aug 30 2012 Jeffrey Ollie <[email protected]> - 10.6.0-1
- The Asterisk Development Team has announced the release of Asterisk 10.6.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.6.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- format_mp3: Fix a possible crash in mp3_read().
-   (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)
-
- * --- Fix local channel chains optimizing themselves out of a call.
-   (Closes issue ASTERISK-16711. Reported by Alec Davis)
-
- * --- Re-add LastMsgsSent value for SIP peers
-   (Closes issue ASTERISK-17866. Reported by Steve Davies)
-
- * --- Prevent sip_pvt refleak when an ast_channel outlasts its
-       corresponding sip_pvt.
-   (Closes issue ASTERISK-19425. Reported by David Cunningham)
-
- * --- Send more accurate identification information in dialog-info SIP
-       NOTIFYs.
-   (Closes issue ASTERISK-16735. Reported by Maciej Krajewski)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.6.0
* Wed Jul 18 2012 Fedora Release Engineering  - 10.5.2-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Jul  9 2012 Petr Pisar  - 10.5.2-1.1
- Perl 5.16 rebuild
* Thu Jul  5 2012 Jeffrey Ollie <[email protected]> - 10.5.2-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones
- resolves the following two issues:
-
- * If Asterisk sends a re-invite and an endpoint responds to the re-invite with
-   a provisional response but never sends a final response, then the SIP dialog
-   structure is never freed and the RTP ports for the call are never released. If
-   an attacker has the ability to place a call, they could create a denial of
-   service by using all available RTP ports.
-
- * If a single voicemail account is manipulated by two parties simultaneously,
-   a condition can occur where memory is freed twice causing a crash.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-010 and AST-2012-011, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-011.pdf
* Thu Jun 28 2012 Petr Pisar  - 10.5.1-1.1
- Perl 5.16 rebuild
* Fri Jun 15 2012 Jeffrey Ollie <[email protected]> - 10.5.1-1
- The Asterisk Development Team has announced a security release for Asterisk 10.
- This security release is released as version 10.5.1.
-
- The release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 10.5.1 resolves the following issue:
-
- * A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
-  Channel driver. When an SCCP client sends an Off Hook message, followed by
-  a Key Pad Button Message, a structure that was previously set to NULL is
-  dereferenced.  This allows remote authenticated connections the ability to
-  cause a crash in the server, denying services to legitimate users.
-
- This issue and its resolution are described in the security advisory.
-
- For more information about the details of this vulnerability, please read
- security advisory AST-2012-009, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.1
-
- The security advisory is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-009.pdf
* Fri Jun 15 2012 Jeffrey Ollie <[email protected]> - 10.5.0-1
- The Asterisk Development Team has announced the release of Asterisk 10.5.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.5.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Turn off warning message when bind address is set to any.
-  (Closes issue ASTERISK-19456. Reported by Michael L. Young)
-
- * --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
-      machines
-  (Closes issue ASTERISK-19727. Reported by Ben Klang)
-
- * --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
-      before disconnecting the call.
-  (Closes issue ASTERISK-19708. Reported by mehdi Shirazi)
-
- * --- Fix recalled party B feature flags for a failed DTMF atxfer.
-  (Closes issue ASTERISK-19383. Reported by lgfsantos)
-
- * --- Fix DTMF atxfer running h exten after the wrong bridge ends.
-  (Closes issue ASTERISK-19717. Reported by Mario)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.5.0
* Mon Jun 11 2012 Petr Pisar  - 10.4.2-1.1
- Perl 5.16 rebuild
* Wed May 30 2012 Jeffrey Ollie <[email protected]> - 10.4.2-1
- The Asterisk Development Team has announced the release of Asterisk 10.4.2.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.4.2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Resolve crash in subscribing for MWI notifications
-  (Closes issue ASTERISK-19827. Reported by B. R)
-
- * --- Fix crash in ConfBridge when user announcement is played for
-      more than 2 users
-  (Closes issue ASTERISK-19899. Reported by Florian Gilcher)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.4.2
* Wed May 30 2012 Jeffrey Ollie <[email protected]> - 10.4.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolves the
- following two issues:
-
- * A remotely exploitable crash vulnerability exists in the IAX2 channel
-  driver if an established call is placed on hold without a suggested music
-  class. Asterisk will attempt to use an invalid pointer to the music
-  on hold class name, potentially causing a crash.
-
- * A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
-  Channel driver. When an SCCP client closes its connection to the server,
-  a pointer in a structure is set to NULL.  If the client was not in the
-  on-hook state at the time the connection was closed, this pointer is later
-  dereferenced. This allows remote authenticated connections the ability to
-  cause a crash in the server, denying services to legitimate users.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-007 and AST-2012-008, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-007.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-008.pdf
* Fri May  4 2012 Jeffrey Ollie <[email protected]> - 10.4.0-1
- The Asterisk Development Team has announced the release of Asterisk 10.4.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 10.4.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Prevent chanspy from binding to zombie channels
-  (Closes issue ASTERISK-19493. Reported by lvl)
-
- * --- Fix Dial m and r options and forked calls generating warnings
-      for voice frames.
-  (Closes issue ASTERISK-16901. Reported by Chris Gentle)
-
- * --- Remove ISDN hold restriction for non-bridged calls.
-  (Closes issue ASTERISK-19388. Reported by Birger Harzenetter)
-
- * --- Fix copying of CDR(accountcode) to local channels.
-  (Closes issue ASTERISK-19384. Reported by jamicque)
-
- * --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
-  (Closes issue ASTERISK-19303. Reported by Jon Tsiros)
-
- * --- Eliminate double close of file descriptor in manager.c
-  (Closes issue ASTERISK-18453. Reported by Jaco Kroon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.4.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #928774 - CVE-2013-2686 asterisk: DoS in the HTTP server (AST-2013-002)
        https://bugzilla.redhat.com/show_bug.cgi?id=928774
  [ 2 ] Bug #928777 - CVE-2013-2264 asterisk: Username disclosure in SIP channel driver (AST-2013-003)
        https://bugzilla.redhat.com/show_bug.cgi?id=928777
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------