Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 16 Update: asterisk-1.8.20.0-1.fc16
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Wednesday 30th January 2013 00:55:24 UTC (over 3 years ago)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-0992
2013-01-20 02:00:30
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 16
Version     : 1.8.20.0
Release     : 1.fc16
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced the release of Asterisk
1.8.20.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.20.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- app_meetme: Fix channels lingering when hung up under certain
      conditions
  (Closes issue ASTERISK-20486. Reported by Michael Cargile)

* --- Fix stuck DTMF when bridge is broken.
  (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)

* --- Improve Code Readability And Fix Setting natdetected Flag
  (Closes issue ASTERISK-20724. Reported by Michael L. Young)

* --- Fix extension matching with the '-' char.
  (Closes issue ASTERISK-19205. Reported by Philippe Lindheimer, Birger
"WIMPy" Harzenetter)

* --- Fix call files when astspooldir is relative.
  (Closes issue ASTERISK-20593. Reported by James Le Cuirot)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.20.0
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 18 2013 Jeffrey Ollie <[email protected]> - 1.8.19.0-1:
- The Asterisk Development Team has announced the release of Asterisk
1.8.20.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.20.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_meetme: Fix channels lingering when hung up under certain
-       conditions
-   (Closes issue ASTERISK-20486. Reported by Michael Cargile)
-
- * --- Fix stuck DTMF when bridge is broken.
-   (Closes issue ASTERISK-20492. Reported by Jeremiah Gowdy)
-
- * --- Improve Code Readability And Fix Setting natdetected Flag
-   (Closes issue ASTERISK-20724. Reported by Michael L. Young)
-
- * --- Fix extension matching with the '-' char.
-   (Closes issue ASTERISK-19205. Reported by Philippe Lindheimer, Birger
"WIMPy" Harzenetter)
-
- * --- Fix call files when astspooldir is relative.
-   (Closes issue ASTERISK-20593. Reported by James Le Cuirot)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.20.0
* Wed Dec 19 2012 Jeffrey Ollie <[email protected]> - 1.8.19.0-1:
- The Asterisk Development Team has announced the release of Asterisk
1.8.19.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.19.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Prevent resetting of NATted realtime peer address on reload.
-   (Closes issue ASTERISK-18203. Reported by daren ferreira)
-
- * --- Do not use a FILE handle when doing SIP TCP reads.
-   (Closes issue ASTERISK-20212. Reported by Phil Ciccone)
-
- * --- Fix execution of 'i' extension due to uninitialized variable.
-   (Closes issue ASTERISK-20455. Reported by Richard Miller)
-
- * --- Ensure that the Queue application tracks busy members in off
-       nominal situations
-   (Closes issue ASTERISK-20623. Reported by Bryan Walters)
-
- * --- Properly extract the Body information of an EWS calendar item
-   (Closes issue ASTERISK-19738. Reported by Dmitry Burilov)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.19.0
* Fri Dec  7 2012 Jeffrey Ollie <[email protected]> - 1.8.18.1-1:
- The Asterisk Development Team has announced the release of Asterisk
1.8.18.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.18.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- chan_local: Fix local_pvt ref leak in local_devicestate().
-   (Closes issue ASTERISK-20769. Reported by rmudgett)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.18.1
* Wed Nov  7 2012 Jeffrey Ollie <[email protected]> - 1.8.18.0-1:
- The Asterisk Development Team has announced the release of Asterisk
1.8.18.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.18.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- dsp.c User Configurable DTMF_HITS_TO_BEGIN and
-       DTMF_MISSES_TO_END
-   (Closes issue ASTERISK-17493. Reported by alecdavis)
-
- * --- Fix error where improper IMAP greetings would be deleted.
-   (Closes issue ASTERISK-20435. Reported by fhackenberger)
-
- * --- iax2-provision: Fix improper return on failed cache retrieval
-   (Closes issue ASTERISK-20337. Reported by John Covert)
-
- * --- Fix T.38 support when used with chan_local in between.
-   (Closes issue ASTERISK-20229. Reported by wdoekes)
-
- * --- Fix an issue where media would not flow for situations where the
-       legacy STUN code is in use.
-   (Closes issue ASTERISK-20415. Reported by Michele Cicciotti)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.18.0
* Tue Oct  9 2012 Jeffrey Ollie <[email protected]> - 1.8.17.0-1:
- The Asterisk Development Team has announced the release of Asterisk
1.8.17.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.17.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix channel reference leak in ChanSpy.
-   (Closes issue ASTERISK-19461. Reported by Irontec)
-
- * --- dsp.c: Fix multiple issues when no-interdigit delay is present,
-       and fast DTMF 50ms/50ms
-   (Closes issue ASTERISK-19610. Reported by Jean-Philippe Lord)
-
- * --- Fix bug where final queue member would not be removed from
-       memory.
-   (Closes issue ASTERISK-19793. Reported by Marcus Haas)
-
- * --- Fix memory leak when CEL is successfully written to PostgreSQL
-       database
-   (Closes issue ASTERISK-19991. Reported by Etienne Lessard)
-
- * --- Fix DUNDi message routing bug when neighboring peer is
-       unreachable
-   (Closes issue ASTERISK-19309. Reported by Peter Racz)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.17.0
* Wed Sep 26 2012 Jeffrey Ollie <[email protected]> - 1.8.16.0-1
- The Asterisk Development Team has announced the release of Asterisk
1.8.16.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.16.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
-       ExternalIVR
-   (Closes issue ASTERISK-20132. Reported by Zubair Ashraf of IBM X-Force
Research)
-
- * --- AST-2012-013: Resolve ACL rules being ignored during calls by
-       some IAX2 peers
-   (Closes issue ASTERISK-20186. Reported by Alan Frisch)
-
- * --- Handle extremely out of order RFC 2833 DTMF
-   (Closes issue ASTERISK-18404. Reported by Stephane Chazelas)
-
- * --- Resolve severe memory leak in CEL logging modules.
-   (Closes issue AST-916. Reported by Thomas Arimont)
-
- * --- Only re-create an SRTP session when needed; respond with correct
-       crypto policy
-   (Issue ASTERISK-20194. Reported by Nicolo Mazzon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.16.0
* Tue Sep  4 2012 Jeffrey Ollie <[email protected]> - 1.8.15.1-1
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases
are
- released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and
10.7.1-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and
10.7.1-digiumphones
- resolve the following two issues:
-
- * A permission escalation vulnerability in Asterisk Manager Interface. 
This
-   would potentially allow remote authenticated users the ability to
execute
-   commands on the system shell with the privileges of the user running
the
-   Asterisk application.  Please note that the
README-SERIOUSLY.bestpractices.txt
-   file delivered with Asterisk has been updated due to this and other
related
-   vulnerabilities fixed in previous versions of Asterisk.
-
- * When an IAX2 call is made using the credentials of a peer defined in a
-   dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for
that
-   peer are not applied to the call attempt. This allows for a remote
attacker
-   who is aware of a peer's credentials to bypass the ACL rules set for
that
-   peer.
-
- These issues and their resolutions are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2012-012 and AST-2012-013, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
* Tue Sep  4 2012 Jeffrey Ollie <[email protected]> - 1.8.15.0-1
- The Asterisk Development Team has announced the release of Asterisk
1.8.15.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.15.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix deadlock potential with ast_set_hangupsource() calls.
-   (Closes issue ASTERISK-19801. Reported by Alec Davis)
-
- * --- Fix request routing issue when outboundproxy is used.
-   (Closes issue ASTERISK-20008. Reported by Marcus Hunger)
-
- * --- Make the address family filter specific to the transport.
-   (Closes issue ASTERISK-16618. Reported by Leif Madsen)
-
- * --- Fix NULL pointer segfault in ast_sockaddr_parse()
-   (Closes issue ASTERISK-20006. Reported by Michael L. Young)
-
- * --- Do not perform install on existing directories
-   (Closes issue ASTERISK-19492. Reported by Karl Fife)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.15.0
* Tue Sep  4 2012 Jeffrey Ollie <[email protected]> - 1.8.14.1-1
- The Asterisk Development Team has announced the release of Asterisk
1.8.14.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.14.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Remove a superfluous and dangerous freeing of an SSL_CTX.
-   (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.14.1
* Tue Sep  4 2012 Jeffrey Ollie <[email protected]> - 1.8.14.0-1
- The Asterisk Development Team has announced the release of Asterisk
1.8.14.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.14.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- format_mp3: Fix a possible crash in mp3_read().
-   (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)
-
- * --- Fix local channel chains optimizing themselves out of a call.
-   (Closes issue ASTERISK-16711. Reported by Alec Davis)
-
- * --- Update a peer's LastMsgsSent when the peer is notified of
-       waiting messages
-   (Closes issue ASTERISK-17866. Reported by Steve Davies)
-
- * --- Prevent sip_pvt refleak when an ast_channel outlasts its
-       corresponding sip_pvt.
-   (Closes issue ASTERISK-19425. Reported by David Cunningham)
-
- * --- Send more accurate identification information in dialog-info SIP
-       NOTIFYs.
-   (Closes issue ASTERISK-16735. Reported by Maciej Krajewski)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.14.0
* Tue Sep  4 2012 Jeffrey Ollie <[email protected]> - 1.8.13.1-1
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases
are
- released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and
10.5.2-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and
10.5.2-digiumphones
- resolve the following two issues:
-
- * If Asterisk sends a re-invite and an endpoint responds to the re-invite
with
-   a provisional response but never sends a final response, then the SIP
dialog
-   structure is never freed and the RTP ports for the call are never
released. If
-   an attacker has the ability to place a call, they could create a denial
of
-   service by using all available RTP ports.
-
- * If a single voicemail account is manipulated by two parties
simultaneously,
-   a condition can occur where memory is freed twice causing a crash.
-
- These issues and their resolution are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2012-010 and AST-2012-011, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-011.pdf
* Tue Sep  4 2012 Jeffrey Ollie <[email protected]> - 1.8.13.0-1
- The Asterisk Development Team has announced the release of Asterisk
1.8.13.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.13.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Turn off warning message when bind address is set to any.
-   (Closes issue ASTERISK-19456. Reported by Michael L. Young)
-
- * --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
-       machines
-   (Closes issue ASTERISK-19727. Reported by Ben Klang)
-
- * --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
-       before disconnecting the call.
-   (Closes issue ASTERISK-19708. Reported by mehdi Shirazi)
-
- * --- Fix recalled party B feature flags for a failed DTMF atxfer.
-   (Closes issue ASTERISK-19383. Reported by lgfsantos)
-
- * --- Fix DTMF atxfer running h exten after the wrong bridge ends.
-   (Closes issue ASTERISK-19717. Reported by Mario)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.13.0
* Wed May 30 2012 Jeffrey Ollie <[email protected]> - 1.8.12.2-1
- The Asterisk Development Team has announced the release of Asterisk
1.8.12.2.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.12.2 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Resolve crash in subscribing for MWI notifications
-  (Closes issue ASTERISK-19827. Reported by B. R)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.2
* Wed May 30 2012 Jeffrey Ollie <[email protected]> - 1.8.12.1-1:
- The Asterisk Development Team has announced security releases for
Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases
are
- released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the
following
- two issues:
-
- * A remotely exploitable crash vulnerability exists in the IAX2 channel
-  driver if an established call is placed on hold without a suggested
music
-  class. Asterisk will attempt to use an invalid pointer to the music
-  on hold class name, potentially causing a crash.
-
- * A remotely exploitable crash vulnerability was found in the Skinny
(SCCP)
-  Channel driver. When an SCCP client closes its connection to the server,
-  a pointer in a structure is set to NULL.  If the client was not in the
-  on-hook state at the time the connection was closed, this pointer is
later
-  dereferenced. This allows remote authenticated connections the ability
to
-  cause a crash in the server, denying services to legitimate users.
-
- These issues and their resolution are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2012-007 and AST-2012-008, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-007.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-008.pdf
* Thu May  3 2012 Jeffrey Ollie <[email protected]> - 1.8.12.0-1:
- The Asterisk Development Team has announced the release of Asterisk
1.8.12.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.12.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Prevent chanspy from binding to zombie channels
-  (Closes issue ASTERISK-19493. Reported by lvl)
-
- * --- Fix Dial m and r options and forked calls generating warnings
-      for voice frames.
-  (Closes issue ASTERISK-16901. Reported by Chris Gentle)
-
- * --- Remove ISDN hold restriction for non-bridged calls.
-  (Closes issue ASTERISK-19388. Reported by Birger Harzenetter)
-
- * --- Fix copying of CDR(accountcode) to local channels.
-  (Closes issue ASTERISK-19384. Reported by jamicque)
-
- * --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
-  (Closes issue ASTERISK-19303. Reported by Jon Tsiros)
-
- * --- Eliminate double close of file descriptor in manager.c
-  (Closes issue ASTERISK-18453. Reported by Jaco Kroon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.0
* Tue Apr 24 2012 Jeffrey Ollie <[email protected]> - 1.8.11.1-1:
- The Asterisk Development Team has announced security releases for
Asterisk 1.6.2,
- 1.8, and 10. The available security releases are released as versions
1.6.2.24,
- 1.8.11.1, and 10.3.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the
following two
- issues:
-
-  * A permission escalation vulnerability in Asterisk Manager Interface. 
This
-   would potentially allow remote authenticated users the ability to
execute
-   commands on the system shell with the privileges of the user running
the
-   Asterisk application.
-
-  * A heap overflow vulnerability in the Skinny Channel driver.  The
keypad
-   button message event failed to check the length of a fixed length
buffer
-   before appending a received digit to the end of that buffer.  A remote
-   authenticated user could send sufficient keypad button message events
that the
-   buffer would be overrun.
-
- In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve the
following
- issue:
-
-  * A remote crash vulnerability in the SIP channel driver when processing
UPDATE
-   requests.  If a SIP UPDATE request was received indicating a connected
line
-   update after a channel was terminated but before the final destruction
of the
-   associated SIP dialog, Asterisk would attempt a connected line update
on a
-   non-existing channel, causing a crash.
-
- These issues and their resolution are described in the security
advisories.
-
- For more information about the details of these vulnerabilities, please
read
- security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which
were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.24
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.11.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.3.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-004.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-005.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-006.pdf
* Fri Mar 30 2012 Russell Bryant  - 1.8.11.0-1
- Update to 1.8.11.0
* Sat Mar 17 2012 Russell Bryant  - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP
digest
  authentication handling.
- Diable build of SRTP on ppc64, as it doesn't build right now.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Fri Dec  9 2011 Jeffrey C. Ollie <[email protected]> - 1.8.7.2-1
- The Asterisk Development Team has announced security releases for
Asterisk 1.4,
- 1.6.2 and 1.8. The available security releases are released as versions
1.4.43,
- 1.6.2.21 and 1.8.7.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk versions 1.4.43, 1.6.2.21, and 1.8.7.2 resolves
an issue
- with possible remote enumeration of SIP endpoints with differing NAT
settings.
-
- The release of Asterisk versions 1.6.2.21 and 1.8.7.2 resolves a remote
crash
- possibility with SIP when the "automon" feature is enabled.
-
- The issues and resolutions are described in the AST-2011-013 and
AST-2011-014
- security advisories.
-
- For more information about the details of these vulnerabilities, please
read the
- security advisories AST-2011-013 and AST-2011-014, which were released at
the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the
ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.43
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.21
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.2
-
- Security advisory AST-2011-013 is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2011-013.pdf
-
- Security advisory AST-2011-014 is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2011-014.pdf
* Thu Nov 17 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate
of
- Asterisk 1.8.8.0. This release candidate is available for immediate
download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to
cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate
of
- Asterisk 1.8.8.0. This release candidate is available for immediate
download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by
the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release
candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
-  (Closes issue ASTERISK-18663)
-  Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
-  (Closes issue ASTERISK-18747)
-  Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already
enabled
-  by default.
-  (Closes issue ASTERISK-18738)
-  Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov  8 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate
of
- Asterisk 1.8.8.0. This release candidate is available for immediate
download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by
the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release
candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012)
---
-  http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
-  (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory
Nietsky)
-  (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by
Gregory
- Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
-  (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard
Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
-  (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by
Terry
- Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
-  (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry
Wilson)
-
- For a full list of changes in this release candidate, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov  8 2011 Jeffrey C. Ollie <[email protected]> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate
download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by
the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release
candidate:
-
-  * Updated SIP 484 handling; added Incomplete control frame
-   When a SIP phone uses the dial application and receives a 484 Address
-   Incomplete response, if overlapped dialing is enabled for SIP, then the
484
-   Address Incomplete is forwarded back to the SIP phone and the
HANGUPCAUSE
-   channel variable is set to 28. Previously, the Incomplete application
-   dialplan logic was automatically triggered; now, explicit dialplan
usage of
-   the application is required.
-   (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
-    Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
-  * Prevent IAX2 from getting IPv6 addresses via DNS IAX2 does not support
IPv6
-   and getting such addresses from DNS can cause error messages on the
remote
-   end involving bad IPv4 address casts in the presence of IPv6/IPv4
tunnels.
-   (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
-  * Fix bad RTP media bridges in directmedia calls on peers separated by
multiple
-   Asterisk nodes.
-   (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
-    ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
-  * Fix crashes in ast_rtcp_write()
-   (Closes issue ASTERISK-18570)
-   Related issues that look like they are the same problem:
-   (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
-    ASTERISK-9977, ASTERISK-9716)
-   Review: https://reviewboard.asterisk.org/r/1444/
-   Patched by: Russell Bryant
-
-  * Fix for incorrect voicemail duration in external notifications.
-   This patch fixes an issue where the voicemail duration was being
reported
-   with a duration significantly less than the actual sound file duration.
-   (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad
House,
-    Karsten Wemheuer, KevinH Tested by: Matt Jordan
-    Review: https://reviewboard.asterisk.org/r/1443)
-
-  * Prevent segfault if call arrives before Asterisk is fully booted.
-   (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <[email protected]> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for
Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing
which can
- lead to a remotely exploitable crash:
-
-    Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read
the
- security advisory AST-2011-012, which was released at the same time as
this
- announcement.
-
- For a full list of changes in the current release, please see the
ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #891646 - CVE-2012-5976 asterisk: Crashes due to large stack
allocations when using TCP (AST-2012-014)
        https://bugzilla.redhat.com/show_bug.cgi?id=891646
  [ 2 ] Bug #891649 - CVE-2012-5977 asterisk: Denial of service through
exploitation of device state caching (AST-2012-015)
        https://bugzilla.redhat.com/show_bug.cgi?id=891649
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on
the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
 
CD: 3ms