Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 18 Update: asterisk-11.5.1-2.fc18
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Saturday 14th September 2013 02:35:21 UTC (over 3 years ago)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-15567
2013-08-30 21:41:37
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 18
Version     : 11.5.1
Release     : 2.fc18
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

* Thu Aug 29 2013 Jeffrey Ollie <[email protected]> - 11.5.1-2:
- Enable hardened build BZ#954338
- Significant clean ups

* Thu Aug 29 2013 Jeffrey Ollie <[email protected]> - 11.5.1-1:
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available
security releases
- are released as versions 1.8.15-cert2, 11.2-cert2, 1.8.23.1, 10.12.3,
10.12.3-digiumphones,
- and 11.5.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A remotely exploitable crash vulnerability exists in the SIP channel
driver if
-   an ACK with SDP is received after the channel has been terminated. The
-   handling code incorrectly assumes that the channel will always be
present.
-
- * A remotely exploitable crash vulnerability exists in the SIP channel
driver if
-   an invalid SDP is sent in a SIP request that defines media descriptions
before
-   connection information. The handling code incorrectly attempts to
reference
-   the socket address information even though that information has not yet
been
-   set.
-
- These issues and their resolutions are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2013-004 and AST-2013-005, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.23.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.5.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-004.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-005.pdf
-
- The Asterisk Development Team has announced the release of Asterisk
11.5.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.5.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix Segfault In app_queue When "persistentmembers" Is Enabled
-       And Using Realtime
-   (Closes issue ASTERISK-21738. Reported by JoshE)
-
- * --- IAX2: fix race condition with nativebridge transfers.
-   (Closes issue ASTERISK-21409. Reported by alecdavis)
-
- * --- Fix The Payload Being Set On CN Packets And Do Not Set Marker
-       Bit
-   (Closes issue ASTERISK-21246. Reported by Peter Katzmann)
-
- * --- Fix One-Way Audio With auto_* NAT Settings When SIP Calls
-       Initiated By PBX
-   (Closes issue ASTERISK-21374. Reported by Michael L. Young)
-
- * --- chan_sip: NOTIFYs for BLF start queuing up and fail to be sent
-       out after retries fail
-   (Closes issue ASTERISK-21677. Reported by Dan Martens)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 29 2013 Jeffrey Ollie <[email protected]> - 11.5.1-2:
- Enable hardened build BZ#954338
- Significant clean ups
* Thu Aug 29 2013 Jeffrey Ollie <[email protected]> - 11.5.1-1:
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available
security releases
- are released as versions 1.8.15-cert2, 11.2-cert2, 1.8.23.1, 10.12.3,
10.12.3-digiumphones,
- and 11.5.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A remotely exploitable crash vulnerability exists in the SIP channel
driver if
-   an ACK with SDP is received after the channel has been terminated. The
-   handling code incorrectly assumes that the channel will always be
present.
-
- * A remotely exploitable crash vulnerability exists in the SIP channel
driver if
-   an invalid SDP is sent in a SIP request that defines media descriptions
before
-   connection information. The handling code incorrectly attempts to
reference
-   the socket address information even though that information has not yet
been
-   set.
-
- These issues and their resolutions are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2013-004 and AST-2013-005, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.23.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.5.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-004.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-005.pdf
-
- The Asterisk Development Team has announced the release of Asterisk
11.5.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.5.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix Segfault In app_queue When "persistentmembers" Is Enabled
-       And Using Realtime
-   (Closes issue ASTERISK-21738. Reported by JoshE)
-
- * --- IAX2: fix race condition with nativebridge transfers.
-   (Closes issue ASTERISK-21409. Reported by alecdavis)
-
- * --- Fix The Payload Being Set On CN Packets And Do Not Set Marker
-       Bit
-   (Closes issue ASTERISK-21246. Reported by Peter Katzmann)
-
- * --- Fix One-Way Audio With auto_* NAT Settings When SIP Calls
-       Initiated By PBX
-   (Closes issue ASTERISK-21374. Reported by Michael L. Young)
-
- * --- chan_sip: NOTIFYs for BLF start queuing up and fail to be sent
-       out after retries fail
-   (Closes issue ASTERISK-21677. Reported by Dan Martens)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0
* Sat Aug  3 2013 Fedora Release Engineering
 - 11.4.0-2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar  - 11.4.0-2.1
- Perl 5.18 rebuild
* Fri May 24 2013 Rex Dieter  11.4.0-2
- rebuild (libical)
* Mon May 20 2013 Jeffrey Ollie <[email protected]> - 11.4.0-1:
- The Asterisk Development Team has announced the release of Asterisk
11.4.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.4.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix Sorting Order For Parking Lots Stored In Static Realtime
-   (Closes issue ASTERISK-21035. Reported by Alex Epshteyn)
-
- * --- Fix StopMixMonitor Hanging Up When Unable To Stop MixMonitor On
-       A Channel
-   (Closes issue ASTERISK-21294. Reported by daroz)
-
- * --- When a session timer expires during a T.38 call, re-invite with
-       correct SDP
-   (Closes issue ASTERISK-21232. Reported by Nitesh Bansal)
-
- * --- Fix white noise on SRTP decryption
-   (Closes issue ASTERISK-21323. Reported by andrea)
-
- * --- Fix reload skinny with active devices.
-   (Closes issue ASTERISK-16610. Reported by wedhorn)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.4.0
* Fri May 10 2013 Tom Callaway  - 11.3.0-2:
- fix build with lua 5.2
* Tue Apr 23 2013 Jeffrey Ollie <[email protected]> - 11.3.0-1:
- The Asterisk Development Team has announced the release of Asterisk
11.3.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.3.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix issue where chan_mobile fails to bind to first available
-       port
-   (Closes issue ASTERISK-16357. Reported by challado)
-
- * --- Fix Queue Log Reporting Every Call COMPLETECALLER With "h"
-       Extension Present
-   (Closes issue ASTERISK-20743. Reported by call)
-
- * --- Retain XMPP filters across reconnections so external modules
-       continue to function as expected.
-   (Closes issue ASTERISK-20916. Reported by kuj)
-
- * --- Ensure that a declined media stream is terminated with a '\r\n'
-   (Closes issue ASTERISK-20908. Reported by Dennis DeDonatis)
-
- * --- Fix pjproject compilation in certain circumstances
-   (Closes issue ASTERISK-20681. Reported by Dinesh Ramjuttun)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.3.0
* Thu Mar 28 2013 Jeffrey Ollie <[email protected]> - 11.2.2-1:
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security
releases
- are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2,
10.12.2-digiumphones,
- and 11.2.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A possible buffer overflow during H.264 format negotiation. The format
-   attribute resource for H.264 video performs an unsafe read against a
media
-   attribute when parsing the SDP.
-
-   This vulnerability only affected Asterisk 11.
-
- * A denial of service exists in Asterisk's HTTP server. AST-2012-014,
fixed
-   in January of this year, contained a fix for Asterisk's HTTP server for
a
-   remotely-triggered crash. While the fix prevented the crash from being
-   triggered, a denial of service vector still exists with that solution
if an
-   attacker sends one or more HTTP POST requests with very large
Content-Length
-   values.
-
-   This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10,
and 11
-
- * A potential username disclosure exists in the SIP channel driver. When
-   authenticating a SIP request with alwaysauthreject enabled, allowguest
-   disabled, and autocreatepeer disabled, Asterisk discloses whether a
user
-   exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple
ways.
-
-   This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10,
and 11
-
- These issues and their resolutions are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which
were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.20.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.2.2
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf
* Sun Feb 10 2013 Jeffrey Ollie <[email protected]> - 11.2.1-1:
- The Asterisk Development Team has announced the release of Asterisk
11.2.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.2.1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Fix astcanary startup problem due to wrong pid value from before
-       daemon call
-   (Closes issue ASTERISK-20947. Reported by Jakob Hirsch)
-
- * --- Update init.d scripts to handle stderr; readd splash screen for
-       remote consoles
-   (Closes issue ASTERISK-20945. Reported by Warren Selby)
-
- * --- Reset RTP timestamp; sequence number on SSRC change
-   (Closes issue ASTERISK-20906. Reported by Eelco Brolman)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.1
* Fri Jan 18 2013 Jeffrey Ollie <[email protected]> - 11.2.0-1:
- The Asterisk Development Team has announced the release of Asterisk
11.2.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.2.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_meetme: Fix channels lingering when hung up under certain
-       conditions
-   (Closes issue ASTERISK-20486. Reported by Michael Cargile)
-
- * --- Fix stuck DTMF when bridge is broken.
-   (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)
-
- * --- Add missing support for "who hung up" to chan_motif.
-   (Closes issue ASTERISK-20671. Reported by Matt Jordan)
-
- * --- Remove a fixed size limitation for producing SDP and change how
-       ICE support is disabled by default.
-   (Closes issue ASTERISK-20643. Reported by coopvr)
-
- * --- Fix chan_sip websocket payload handling
-   (Closes issue ASTERISK-20745. Reported by Iñaki Baz Castillo)
-
- * --- Fix pjproject compilation in certain circumstances
-   (Closes issue ASTERISK-20681. Reported by Dinesh Ramjuttun)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.0
* Thu Jan  3 2013 Jeffrey Ollie <[email protected]> - 11.1.2-1:
- The Asterisk Development Team has announced a security release for
Asterisk 11,
- Asterisk 11.1.2. This release addresses the security vulnerabilities
reported in
- AST-2012-014 and AST-2012-015, and replaces the previous version of
Asterisk 11
- released for these security vulnerabilities. The prior release left open
a
- vulnerability in res_xmpp that exists only in Asterisk 11; as such, other
- versions of Asterisk were resolved correctly by the previous releases.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following two issues:
-
- * Stack overflows that occur in some portions of Asterisk that manage a
TCP
-   connection. In SIP, this is exploitable via a remote unauthenticated
session;
-   in XMPP and HTTP connections, this is exploitable via remote
authenticated
-   sessions. The vulnerabilities in SIP and HTTP were corrected in a prior
-   release of Asterisk; the vulnerability in XMPP is resolved in this
release.
-
- * A denial of service vulnerability through exploitation of the device
state
-   cache. Anonymous calls had the capability to create devices in Asterisk
that
-   would never be disposed of. Handling the cachability of device states
-   aggregated via XMPP is handled in this release.
-
- These issues and their resolutions are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2012-014 and AST-2012-015.
-
- For a full list of changes in the current release, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
-
- Thank you for your continued support of Asterisk - and we apologize for
having
- to do this twice!
* Wed Jan  2 2013 Jeffrey Ollie <[email protected]> - 11.1.1-1:
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security
releases
- are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1,
10.11.1-digiumphones,
- and 11.1.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following two issues:
-
- * Stack overflows that occur in some portions of Asterisk that manage a
TCP
-   connection. In SIP, this is exploitable via a remote unauthenticated
session;
-   in XMPP and HTTP connections, this is exploitable via remote
authenticated
-   sessions.
-
- * A denial of service vulnerability through exploitation of the device
state
-   cache. Anonymous calls had the capability to create devices in Asterisk
that
-   would never be disposed of.
-
- These issues and their resolutions are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2012-014 and AST-2012-015, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert10
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.19.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.11.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.11.1-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
* Wed Dec 12 2012 Jeffrey Ollie <[email protected]> - 11.1.0-1:
- The Asterisk Development Team has announced the release of Asterisk
11.1.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.1.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix execution of 'i' extension due to uninitialized variable.
-   (Closes issue ASTERISK-20455. Reported by Richard Miller)
-
- * --- Prevent resetting of NATted realtime peer address on reload.
-   (Closes issue ASTERISK-18203. Reported by daren ferreira)
-
- * --- Fix ConfBridge crash if no timing module loaded.
-   (Closes issue ASTERISK-19448. Reported by feyfre)
-
- * --- Fix the Park 'r' option when a channel parks itself.
-   (Closes issue ASTERISK-19382. Reported by James Stocks)
-
- * --- Fix an issue where outgoing calls would fail to establish audio
-       due to ICE negotiation failures.
-   (Closes issue ASTERISK-20554. Reported by mmichelson)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.1.0
* Fri Dec  7 2012 Jeffrey Ollie <[email protected]> - 11.0.2-1:
- The Asterisk Development Team has announced the release of Asterisk
11.0.2.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.0.2 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- chan_local: Fix local_pvt ref leak in local_devicestate().
-   (Closes issue ASTERISK-20769. Reported by rmudgett)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.0.2
* Wed Dec  5 2012 Dan Horák  - 11.0.1-3
- simplify LDFLAGS setting
* Fri Nov 30 2012 Dennis Gilmore  - 11.0.1-2
- clean up things to allow building on arm arches
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1002044 - CVE-2013-5641 CVE-2013-5642 asterisk: two denial of
service flaws in the SIP channel driver (AST-2013-004, AST-2013-005)
        https://bugzilla.redhat.com/show_bug.cgi?id=1002044
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on
the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
 
CD: 4ms