ASTERWEB Blog

26Ott/14Off

Rilasciato Asterisk 13.0.0

Il giorno 25 ottobre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0.

Dal post originale:
Asterisk 13 is the next major release series of Asterisk. It is a Long Term
Support (LTS) release, similar to Asterisk 11. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

For important information regarding upgrading to Asterisk 13, please see the
Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13

A short list of new features includes:

* Asterisk security events are now provided via AMI, allowing end users to
monitor their Asterisk system in real time for security related issues.

* Both AMI and ARI now allow external systems to control the state of a mailbox.
Using AMI actions or ARI resources, external systems can programmatically
trigger Message Waiting Indicators (MWI) on subscribed phones. This is of
particular use to those who want to build their own VoiceMail application
using ARI.

* ARI now supports the reception/transmission of out of call text messages using
any supported channel driver/protocol stack through ARI. Users receive out of
call text messages as JSON events over the ARI websocket connection, and can
send out of call text messages using HTTP requests.

* The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act
as a Resource List Server. This includes defining lists of presence state,
mailbox state, or lists of presence state/mailbox state; managing
subscriptions to lists; and batched delivery of NOTIFY requests to
subscribers.

* The PJSIP stack can now be used as a means of distributing device state or
mailbox state via PUBLISH requests to other Asterisk instances. This is
analogous to Asterisk's clustering support using XMPP or Corosync; unlike
existing clustering mechanisms, using the PJSIP stack to perform the
distribution of state does not rely on another daemon or server to perform the
work.

And much more!

More information about the new features can be found on the Asterisk wiki:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Documentation

A full list of all new features can also be found in the CHANGES file:

http://svnview.digium.com/svn/asterisk/branches/13/CHANGES

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0

21Ott/14Off

AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

Il giorno 20 ottobre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability.

Dal post originale:
Asterisk Project Security Advisory - AST-2014-011

Product Asterisk
Summary Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory Unauthorized Data Disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Medium
Exploits Known No
Reported On 16 October 2014
Reported By abelbeck
Posted On 20 October 2014
Last Updated On October 20, 2014
Advisory Contact Matt Jordan
CVE Name CVE-2014-3566

Description The POODLE vulnerability - described under CVE-2014-3566 - is
described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
This advisory describes the Asterisk's project susceptibility
to this vulnerability.

The POODLE vulnerability consists of two issues:

1) A vulnerability in the SSL protocol version 3.0. This
vulnerability has no known solution.

2) The ability to force a fallback to SSLv3 when a TLS
connection is negotiated.

Asterisk is susceptible to both portions of the vulnerability
in different places.

1) The res_jabber and res_xmpp module both use SSLv3
exclusively, and are hence susceptible to POODLE.

2) The core TLS handling, used by the chan_sip channel driver,
Asterisk Manager Interface (AMI), and the Asterisk HTTP
server, defaults to allowing SSLv3/SSLv2 fallback. This allows
a MITM to potentially force a connection to fallback to SSLv3,
exposing it to the POODLE vulnerability.

Resolution Asterisk has been patched such that it no longer uses SSLv3
for the res_jabber/res_xmpp modules. Additionally, when the
encryption method is not specified, the default handling in
the TLS core no longer allows for a fallback to SSLv3 or
SSLv2.

1) Users of Asterisk's res_jabber or res_xmpp modules should
upgrade to the versions of Asterisk specified in this
advisory.

2) Users of Asterisk's chan_sip channel driver, AMI, and
HTTP server may set the "tlsclientmethod" or
"sslclientmethod" to "tlsv1" to force TLSv1 as the only
allowed encryption method. Alternatively, they may also
upgrade to the versions of Asterisk specified in this
advisory. Users of Asterisk are encouraged to NOT specify
"sslv2" or "sslv3". Doing so will now emit a WARNING.

Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions

Corrected In
Product Release
Asterisk Open Source 1.8.31.1, 11.13.1, 12.6.1
Certified Asterisk 1.8.28-cert2, 11.6-cert7

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-011-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-011-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-24425

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-011.pdf and
http://downloads.digium.com/pub/security/AST-2014-011.html

Revision History
Date Editor Revisions Made
October 19 Matt Jordan Initial Revision

21Ott/14Off

Rilasciate Asterisk 1.8.28-cert2, 1.8.31.1, 11.6-cert7, 11.13.1, 12.6.1, 13.0.0-beta3 Now Available (Security Release)

Il giorno 20 ottobre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk Asterisk 1.8.28-cert2, 1.8.31.1, 11.6-cert7, 11.13.1, 12.6.1, 13.0.0-beta3 Now Available (Security Release).

Dal post originale:
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.

These issues have been resolved in the versions released in conjunction with
this security advisory.

For more information about the details of this vulnerability, please read
security advisory AST-2014-011, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3

The security advisory is available at:

http://downloads.asterisk.org/pub/security/AST-2014-011.pdf