Raspberry Pi A+, ancora piu’ piccolo e piu’ economico
Il Modello A+ ha le stesse caratteristiche del precedente (processore e RAM) ma è molto più compatto nelle dimensioni, consuma meno energia, è dotato di un output audio migliore, ha un connettore GPIO a 40 pin e include una nuova porta "push-push" per schede Micro SD.
Per gli sviluppatori del progetto Raspberry questo è un ulteriore traguardo raggiunto nell'ottica dello sviluppo (ultra) low-cost.
Rilasciato Asterisk 12.7.0
Il giorno 10 novembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.7.0.
Dal post originale:
The release of Asterisk 12.7.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24339 - Swagger API Docs have incorrect basePath
(Reported by Bradley Watkins)
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-24295 - crash: creating out of dialog OPTIONS request
crashes (Reported by Rogger Padilla)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
Cohen)
* ASTERISK-24350 - PJSIP shows commands prints unneeded headers
(Reported by snuffy)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24362 - res_hep leaks reference to configuration
(Reported by Corey Farrell)
* ASTERISK-23781 - outgoing missing as enum from
contrib/ast-db-manage/config (Reported by Stephen More)
* ASTERISK-24199 - 'ALL' is specified in pjsip.conf.sample for TLS
cipher but it is not valid (Reported by Joshua Colp)
* ASTERISK-24262 - AMI CoreShowChannel missing several output
fields and event documentation (Reported by Mitch Claborn)
* ASTERISK-24356 - PJSIP: Directed pickup causes deadlock
(Reported by Richard Mudgett)
* ASTERISK-24195 - bridge_native_rtp: Removing mixmonitor from a
native RTP capable smart bridge doesn't cause the bridge to
resume being a native rtp bridge (Reported by Jonathan Rose)
* ASTERISK-24384 - chan_motif: format capabilities leak on module
load error (Reported by Corey Farrell)
* ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
(Reported by Corey Farrell)
* ASTERISK-24378 - Release AMI connections on shutdown (Reported
by Corey Farrell)
* ASTERISK-24369 - res_pjsip: Large message on reliable transport
can cause empty messages to be passed from the PJSIP stack up,
causing crashes in multiple locations (Reported by Matt Jordan)
* ASTERISK-24382 - chan_pjsip: Calling PJSIP_MEDIA_OFFER on a
non-PJSIP channel results in an invalid reference of a channel
pvt and a FRACK (Reported by Matt Jordan)
* ASTERISK-24370 - res_pjsip/pjsip_options: OPTIONS request sent
to Asterisk with no user in request is always 404'd (Reported by
Matt Jordan)
* ASTERISK-24224 - When using Bridge() dialplan application,
surrogate channel appears in list and call count is inflated.
(Reported by Mark Michelson)
* ASTERISK-24354 - AMI sendMessage closes AMI connection on error
(Reported by Peter Katzmann)
* ASTERISK-24398 - Initialize auth_rejection_permanent on client
state to the configuration parameter value (Reported by Matt
Jordan)
* ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
incorrectly attempted (Reported by Joshua Colp)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
received for component (Reported by Kevin Harwell)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24387 - res_pjsip: rport sent from UAS MUST include the
port that the UAC sent the request on (Reported by Matt Jordan)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24394 - CDR: FRACK with PJSIP directed pickup.
(Reported by Richard Mudgett)
* ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
Corey Farrell)
* ASTERISK-24321 - SIP deadlock when running automated queues
tests (Reported by Steve Pitts)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-23846 - Unistim multilines. Loss of voice after second
call drops (on a second line). (Reported by Rustam Khankishyiev)
* ASTERISK-24312 - SIGABRT when improperly configured realtime
pjsip (Reported by Dafi Ni)
* ASTERISK-24426 - CDR Batch mode: size used as time value after
first expire (Reported by Shane Blaser)
* ASTERISK-24327 - bridge_native_rtp: Smart bridge operation to
softmix sometimes fails to properly re-INVITE remotely bridged
participants (Reported by Matt Jordan)
* ASTERISK-24415 - Missing AMI VarSet events when channels inherit
variables. (Reported by Richard Mudgett)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24122 - Documentaton for res_pjsip option use_avpf
needs to be fixed (Reported by James Van Vleet)
* ASTERISK-24381 - res_pjsip_sdp_rtp: Declined media streams are
interpreted, leading to erroneous 488 rejections (Reported by
Matt Jordan)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
leak (Reported by Corey Farrell)
* ASTERISK-24430 - missing letter "p" in word response in
OriginateResponse event documentation (Reported by Dafi Ni)
* ASTERISK-24437 - Review implementation of ast_bridge_impart for
leaks and document proper usage (Reported by Scott Griepentrog)
* ASTERISK-24453 - manager: acl_change_sub leaks (Reported by
Corey Farrell)
* ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
Corey Farrell)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24304 - asterisk crashing randomly because of unistim
channel (Reported by dhanapathy sathya)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24462 - res_pjsip: Stale qualify statistics after
disablementation (Reported by Kevin Harwell)
* ASTERISK-24466 - app_queue: fix a couple leaks to struct
call_queue (Reported by Corey Farrell)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24411 - [patch] Status of outbound registration is not
changed upon unregistering. (Reported by John Bigelow)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24487 - configuration: sections should be loadable as
template even when not marked (Reported by Scott Griepentrog)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.7.0
Rilasciato Asterisk 11.14.0
Il giorno 10 novembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.14.0.
Dal post originale:
The release of Asterisk 11.14.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
Cohen)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24384 - chan_motif: format capabilities leak on module
load error (Reported by Corey Farrell)
* ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
(Reported by Corey Farrell)
* ASTERISK-24378 - Release AMI connections on shutdown (Reported
by Corey Farrell)
* ASTERISK-24354 - AMI sendMessage closes AMI connection on error
(Reported by Peter Katzmann)
* ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
* ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
incorrectly attempted (Reported by Joshua Colp)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
received for component (Reported by Kevin Harwell)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
Corey Farrell)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-23846 - Unistim multilines. Loss of voice after second
call drops (on a second line). (Reported by Rustam Khankishyiev)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
leak (Reported by Corey Farrell)
* ASTERISK-24430 - missing letter "p" in word response in
OriginateResponse event documentation (Reported by Dafi Ni)
* ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
Corey Farrell)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24304 - asterisk crashing randomly because of unistim
channel (Reported by dhanapathy sathya)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24466 - app_queue: fix a couple leaks to struct
call_queue (Reported by Corey Farrell)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0
Rilasciato Asterisk 1.8.32.0
Il giorno 10 novembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.32.0.
Dal post originale:
The release of Asterisk 1.8.32.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24348 - Built-in editline tab complete segfault with
MALLOC_DEBUG (Reported by Walter Doekes)
* ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
INVITE retransmissions of rejected calls (Reported by Torrey
Searle)
* ASTERISK-23768 - [patch] Asterisk man page contains a (new)
unquoted minus sign (Reported by Jeremy Lainé)
* ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
(Reported by Jeremy Lainé)
* ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
realtime peers (Reported by ibercom)
* ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
* ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
high on linux systems with lots of RAM (Reported by Michael
Myles)
* ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
results in a SIP channel leak (Reported by NITESH BANSAL)
* ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
Re-INVITE results in a SIP channel leak (Reported by Torrey
Searle)
* ASTERISK-24406 - Some caller ID strings are parsed differently
since 11.13.0 (Reported by Etienne Lessard)
* ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
(Reported by Tzafrir Cohen)
* ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
Tzafrir Cohen)
* ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
(Reported by Paolo Compagnini)
* ASTERISK-18923 - res_fax_spandsp usage counter is wrong
(Reported by Grigoriy Puzankin)
* ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
(Reported by Dmitry Melekhov)
* ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
when sending qualify requests (Reported by Damian Ivereigh)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
* ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
Nick Adams)
* ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
(Reported by Corey Farrell)
* ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
leaks (Reported by Corey Farrell)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.32.0
Rilasciato Asterisk 13.0.0
Il giorno 25 ottobre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0.
Dal post originale:
Asterisk 13 is the next major release series of Asterisk. It is a Long Term
Support (LTS) release, similar to Asterisk 11. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
For important information regarding upgrading to Asterisk 13, please see the
Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13
A short list of new features includes:
* Asterisk security events are now provided via AMI, allowing end users to
monitor their Asterisk system in real time for security related issues.
* Both AMI and ARI now allow external systems to control the state of a mailbox.
Using AMI actions or ARI resources, external systems can programmatically
trigger Message Waiting Indicators (MWI) on subscribed phones. This is of
particular use to those who want to build their own VoiceMail application
using ARI.
* ARI now supports the reception/transmission of out of call text messages using
any supported channel driver/protocol stack through ARI. Users receive out of
call text messages as JSON events over the ARI websocket connection, and can
send out of call text messages using HTTP requests.
* The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act
as a Resource List Server. This includes defining lists of presence state,
mailbox state, or lists of presence state/mailbox state; managing
subscriptions to lists; and batched delivery of NOTIFY requests to
subscribers.
* The PJSIP stack can now be used as a means of distributing device state or
mailbox state via PUBLISH requests to other Asterisk instances. This is
analogous to Asterisk's clustering support using XMPP or Corosync; unlike
existing clustering mechanisms, using the PJSIP stack to perform the
distribution of state does not rely on another daemon or server to perform the
work.
And much more!
More information about the new features can be found on the Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Documentation
A full list of all new features can also be found in the CHANGES file:
http://svnview.digium.com/svn/asterisk/branches/13/CHANGES
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0
AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Il giorno 20 ottobre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability.
Dal post originale:
Asterisk Project Security Advisory - AST-2014-011
Product Asterisk
Summary Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory Unauthorized Data Disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Medium
Exploits Known No
Reported On 16 October 2014
Reported By abelbeck
Posted On 20 October 2014
Last Updated On October 20, 2014
Advisory Contact Matt Jordan
CVE Name CVE-2014-3566
Description The POODLE vulnerability - described under CVE-2014-3566 - is
described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
This advisory describes the Asterisk's project susceptibility
to this vulnerability.
The POODLE vulnerability consists of two issues:
1) A vulnerability in the SSL protocol version 3.0. This
vulnerability has no known solution.
2) The ability to force a fallback to SSLv3 when a TLS
connection is negotiated.
Asterisk is susceptible to both portions of the vulnerability
in different places.
1) The res_jabber and res_xmpp module both use SSLv3
exclusively, and are hence susceptible to POODLE.
2) The core TLS handling, used by the chan_sip channel driver,
Asterisk Manager Interface (AMI), and the Asterisk HTTP
server, defaults to allowing SSLv3/SSLv2 fallback. This allows
a MITM to potentially force a connection to fallback to SSLv3,
exposing it to the POODLE vulnerability.
Resolution Asterisk has been patched such that it no longer uses SSLv3
for the res_jabber/res_xmpp modules. Additionally, when the
encryption method is not specified, the default handling in
the TLS core no longer allows for a fallback to SSLv3 or
SSLv2.
1) Users of Asterisk's res_jabber or res_xmpp modules should
upgrade to the versions of Asterisk specified in this
advisory.
2) Users of Asterisk's chan_sip channel driver, AMI, and
HTTP server may set the "tlsclientmethod" or
"sslclientmethod" to "tlsv1" to force TLSv1 as the only
allowed encryption method. Alternatively, they may also
upgrade to the versions of Asterisk specified in this
advisory. Users of Asterisk are encouraged to NOT specify
"sslv2" or "sslv3". Doing so will now emit a WARNING.
Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.28 All versions
Certified Asterisk 11.6 All versions
Corrected In
Product Release
Asterisk Open Source 1.8.31.1, 11.13.1, 12.6.1
Certified Asterisk 1.8.28-cert2, 11.6-cert7
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-011-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.28.diff Certified
Asterisk
1.8.28
http://downloads.asterisk.org/pub/security/AST-2014-011-11.6.diff Certified
Asterisk
11.6
Links https://issues.asterisk.org/jira/browse/ASTERISK-24425
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-011.pdf and
http://downloads.digium.com/pub/security/AST-2014-011.html
Revision History
Date Editor Revisions Made
October 19 Matt Jordan Initial Revision
Rilasciate Asterisk 1.8.28-cert2, 1.8.31.1, 11.6-cert7, 11.13.1, 12.6.1, 13.0.0-beta3 Now Available (Security Release)
Il giorno 20 ottobre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk Asterisk 1.8.28-cert2, 1.8.31.1, 11.6-cert7, 11.13.1, 12.6.1, 13.0.0-beta3 Now Available (Security Release).
Dal post originale:
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerability:
* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk is susceptible to the POODLE vulnerability in two ways:
1) The res_jabber and res_xmpp module both use SSLv3 exclusively for their
encrypted connections.
2) The core TLS handling in Asterisk, which is used by the chan_sip channel
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
default allow a TLS connection to fallback to SSLv3. This allows for a
MITM to potentially force a connection to fallback to SSLv3, exposing it
to the POODLE vulnerability.
These issues have been resolved in the versions released in conjunction with
this security advisory.
For more information about the details of this vulnerability, please read
security advisory AST-2014-011, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3
The security advisory is available at:
Rilasciato Asterisk 12.6.0
Il giorno 24 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.6.0.
Dal post originale:
The release of Asterisk 12.6.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24027 - MixMonitor AMI action called during AGI
execution from bridge feature causes channel to leave AGI has
hung up (Reported by Matt Jordan)
* ASTERISK-24236 - res_hep_rtcp: Module incorrectly depends on
pjsip (Reported by Matt Jordan)
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24234 - app_meetme: Crash on conference shutdown due to
NULL channel passed to meetme_stasis_generate_msg() (Reported by
Shaun Ruffell)
* ASTERISK-24043 - ARI /continue fails to actually continue into
the dialplan (Reported by Krandon Bruse)
* ASTERISK-24245 - gcc 4.1.2 complains of files that do not end
with newlines (Reported by Shaun Ruffell)
* ASTERISK-24229 - ARI: playback of sounds implicitly answers
channel, preventing early media playback (Reported by Matt
Jordan)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23994 - res_pjsip_sdp_rtp: owner address in SDP may not
be fully qualified domainname (Reported by Private Name)
* ASTERISK-24147 - ARI: channel hangup crashes asterisk process
(Reported by Edvin Vidmar)
* ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24143 - pjsip: Outbound call to WebRTC UA fails to
transmit ACK on received 200 OK (Reported by Aleksei Kulakov)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24264 - ARI: Adding a channel to a holding bridge
automatically starts MOH (Reported by Samuel Galarneau)
* ASTERISK-24212 - testsuite: Sporadic crash due to assert on
stopping RTP engine (Reported by Matt Jordan)
* ASTERISK-24241 - crash: CDRs recursively attempt to update Party
B information in a multi-party bridge, overrunning the stack
(Reported by Deepak Singh Rawat)
* ASTERISK-24254 - CDRs: Application/args/dialplan CEP updated
during dial operation (Reported by Matt Jordan)
* ASTERISK-24231 - crash: CLI execution of realtime destroy
sippeers id 1 causes crash due to NULL name provided to
ast_variable (Reported by Niklas Larsson)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 - res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24161 - PJSIPShowEndpoint gives inaccurate count of
list items (Reported by Mark Michelson)
* ASTERISK-24331 - Unexpected Errors in Asterisk Manager Interface
Output (Reported by xrobau)
* ASTERISK-24136 - Security: Crash in Asterisk's PJSIP code when
subscribing to an event with an unexpected body type (Reported
by Mark Michelson)
* ASTERISK-24301 - Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
* ASTERISK-24290 - Endpoint identifier match value fails to parse
when CIDR network format is specified (Reported by Ray Crumrine)
* ASTERISK-24237 - CDR: FRACK With PJSIP blonde transfer.
(Reported by Richard Mudgett)
Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.6.0
Rilasciato Asterisk 11.13.0
Il giorno 24 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.13.0.
Dal post originale:
The release of Asterisk 11.13.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
warnings and ref leaks (Reported by Walter Doekes)
* ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
if ever not able to resolve (Reported by David Herselman)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
* ASTERISK-23577 - res_rtp_asterisk: Crash in
ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
Jay Jideliov)
* ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
by Roman Skvirsky)
* ASTERISK-24301 - Security: Out of call MESSAGE requests
processed via Message channel driver can crash Asterisk
(Reported by Matt Jordan)
Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0
Rilasciato Asterisk 1.8.31.0
Il giorno 24 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.31.0.
Dal post originale:
The release of Asterisk 1.8.31.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24032 - Gentoo compilation emits warning:
"_FORTIFY_SOURCE" redefined (Reported by Kilburn)
* ASTERISK-24225 - Dial option z is broken (Reported by
dimitripietro)
* ASTERISK-24178 - [patch]fromdomainport used even if not set
(Reported by Elazar Broad)
* ASTERISK-24019 - When a Music On Hold stream starts it restarts
at beginning of file. (Reported by Jason Richards)
* ASTERISK-24211 - testsuite: Fix the dial_LS_options test
(Reported by Matt Jordan)
* ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
Mohod)
Improvements made in this release:
-----------------------------------
* ASTERISK-24171 - [patch] Provide a manpage for the aelparse
utility (Reported by Jeremy Lainé)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0
Remote crash when handling out of call message in certain dialplan configurations
Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.
Dal post originale:
Asterisk Project Security Advisory - AST-2014-010
Product Asterisk
Summary Remote crash when handling out of call message in
certain dialplan configurations
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions
Severity Minor
Exploits Known No
Reported On 05 September 2014
Reported By Philippe Lindheimer
Posted On 18 September 2014
Last Updated On September 18, 2014
Advisory Contact Matt Jordan
CVE Name Pending
Description When an out of call message - delivered by either the SIP
or PJSIP channel driver or the XMPP stack - is handled in
Asterisk, a crash can occur if the channel servicing the
message is sent into the ReceiveFax dialplan application
while using the res_fax_spandsp module.
Note that this crash does not occur when using the
res_fax_digium module.
While this crash technically occurs due to a configuration
issue, as attempting to receive a fax from a channel driver
that only contains textual information will never succeed,
the likelihood of having it occur is sufficiently high as
to warrant this advisory.
Resolution The fax family of applications have been updated to handle
the Message channel driver correctly. Users using the fax
family of applications along with the out of call text
messaging features are encouraged to upgrade their versions
of Asterisk to the versions specified in this security
advisory.
Additionally, users of Asterisk are encouraged to use a
separate dialplan context to process text messages. This
avoids issues where the Message channel driver is passed to
dialplan applications that assume a media stream is
available. Note that the various channel drivers and stacks
provide such an option; an example being the SIP channel
driver's outofcall_message_context option.
Affected Versions
Product Release
Series
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 11.6 All versions
Corrected In
Product Release
Asterisk Open Source 11.12.1, 12.5.1
Certified Asterisk 11.6-cert6
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-010-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-010-11.6.diff Certified
Asterisk
11.6
Links https://issues.asterisk.org/jira/browse/ASTERISK-24301
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-010.pdf and
http://downloads.digium.com/pub/security/AST-2014-010.html
Revision History
Date Editor Revisions Made
September 18 Matt Jordan Initial Draft
AST-2014-009: Remote crash based on malformed SIP subscription requests
Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.
Dal post originale:
Asterisk Project Security Advisory - AST-2014-009
Product Asterisk
Summary Remote crash based on malformed SIP subscription
requests
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions
Severity Major
Exploits Known No
Reported On 30 July, 2014
Reported By Mark Michelson
Posted On 18 September, 2014
Last Updated On September 18, 2014
Advisory Contact Mark Michelson
CVE Name Pending
Description It is possible to trigger a crash in Asterisk by sending a
SIP SUBSCRIBE request with unexpected mixes of headers for
a given event package. The crash occurs because Asterisk
allocates data of one type at one layer and then interprets
the data as a separate type at a different layer. The crash
requires that the SUBSCRIBE be sent from a configured
endpoint, and the SUBSCRIBE must pass any authentication
that has been configured.
Note that this crash is Asterisk's PJSIP-based
res_pjsip_pubsub module and not in the old chan_sip module.
Resolution Type-safety has been built into the pubsub API where it
previously was absent. A test has been added to the
testsuite that previously would have triggered the crash.
Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x Unaffected
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 12.x 12.1.0 and up
Certified Asterisk 1.8.15 Unaffected
Certified Asterisk 11.6 Unaffected
Corrected In
Product Release
Asterisk Open Source 12.5.1
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-009-12.diff Asterisk
12
Links https://issues.asterisk.org/jira/browse/ASTERISK-24136
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-009.pdf and
http://downloads.digium.com/pub/security/AST-2014-009.html
Revision History
Date Editor Revisions Made
19 August, 2014 Mark Michelson Initial version of document
Rilasciato Asterisk 13.0.0-beta2
Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.
Dal post originale:
All interested users of Asterisk are encouraged to participate in the
Asterisk 13 testing process. Please report any issues found to the issue
tracker, https://issues.asterisk.org/jira. All Asterisk users are invited to
participate in the #asterisk-bugs channel to help communicate issues found to
the Asterisk developers. It is also very useful to see successful test reports.
Please post those to the asterisk-dev mailing list (http://lists.digium.com).
Asterisk 13 is the next major release series of Asterisk. It will be a Long Term
Support (LTS) release, similar to Asterisk 11. For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
For important information regarding upgrading to Asterisk 13, please see the
Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Upgrading+to+Asterisk+13
A short list of new features includes:
* Asterisk security events are now provided via AMI, allowing end users to
monitor their Asterisk system in real time for security related issues.
* Both AMI and ARI now allow external systems to control the state of a mailbox.
Using AMI actions or ARI resources, external systems can programmatically
trigger Message Waiting Indicators (MWI) on subscribed phones. This is of
particular use to those who want to build their own VoiceMail application
using ARI.
* ARI now supports the reception/transmission of out of call text messages using
any supported channel driver/protocol stack through ARI. Users receive out of
call text messages as JSON events over the ARI websocket connection, and can
send out of call text messages using HTTP requests.
* The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act
as a Resource List Server. This includes defining lists of presence state,
mailbox state, or lists of presence state/mailbox state; managing
subscriptions to lists; and batched delivery of NOTIFY requests to
subscribers.
* The PJSIP stack can now be used as a means of distributing device state or
mailbox state via PUBLISH requests to other Asterisk instances. This is
analogous to Asterisk's clustering support using XMPP or Corosync; unlike
existing clustering mechanisms, using the PJSIP stack to perform the
distribution of state does not rely on another daemon or server to perform the
work.
And much more!
More information about the new features can be found on the Asterisk wiki:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Documentation
A full list of all new features can also be found in the CHANGES file:
http://svnview.digium.com/svn/asterisk/branches/13/CHANGES
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta2
Rilasciato Asterisk 12.5.0
Il giorno 19 agosto 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.5.0.
Dal post originale:
The release of Asterisk 12.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Improvements made in this release:
-----------------------------------
* ASTERISK-24036 - ARI: Recording resource should allow copying a
recording (Reported by Samuel Galarneau)
* ASTERISK-24037 - ARI: RecordingFinished event should return
duration of recording (Reported by Samuel Galarneau)
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
* ASTERISK-23692 - ARI: Add a Messaging Capability (Reported by
Matt Jordan)
Bugs fixed in this release:
-----------------------------------
* ASTERISK-23852 - ARI mixing bridges should propagate linkedids.
(Reported by Richard Mudgett)
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 - PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23987 - BridgeWait: channel entering into holding
bridge that is being destroyed fails to successfully join the
newly created holding bridge (Reported by Matt Jordan)
* ASTERISK-23969 - SendMessage AMI action Cant Send Text Message
Over PJSIP (Reported by Andrew Nagy)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23847 - Alembic voicemail script - 'recording' column
should be longblob on MySQL (Reported by Stephen More)
* ASTERISK-23825 - Alembic scripts - table queue_members missing
unique index on column uniqueid (Reported by Stephen More)
* ASTERISK-23909 - Alembic scripts - table sippeers could use a
longer useragent column (Reported by Stephen More)
* ASTERISK-23941 - ARI: Attended transfers of channels into Stasis
application lose information (Reported by Matt Jordan)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
New Features made in this release:
-----------------------------------
* ASTERISK-24000 - chan_pjsip: Add accountcode setting (Reported
by Matt Jordan)
* ASTERISK-24119 - HEP: Add module that exports RTCP information
to a Homer Capture Server (Reported by Matt Jordan)
For a full list of changes in this release, please see the ChangeLog:
The following are the issues resolved in this release:
Improvements made in this release:
-----------------------------------
* ASTERISK-24036 - ARI: Recording resource should allow copying a
recording (Reported by Samuel Galarneau)
* ASTERISK-24037 - ARI: RecordingFinished event should return
duration of recording (Reported by Samuel Galarneau)
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
* ASTERISK-23692 - ARI: Add a Messaging Capability (Reported by
Matt Jordan)
Bugs fixed in this release:
-----------------------------------
* ASTERISK-23852 - ARI mixing bridges should propagate linkedids.
(Reported by Richard Mudgett)
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 - PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23987 - BridgeWait: channel entering into holding
bridge that is being destroyed fails to successfully join the
newly created holding bridge (Reported by Matt Jordan)
* ASTERISK-23969 - SendMessage AMI action Cant Send Text Message
Over PJSIP (Reported by Andrew Nagy)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23847 - Alembic voicemail script - 'recording' column
should be longblob on MySQL (Reported by Stephen More)
* ASTERISK-23825 - Alembic scripts - table queue_members missing
unique index on column uniqueid (Reported by Stephen More)
* ASTERISK-23909 - Alembic scripts - table sippeers could use a
longer useragent column (Reported by Stephen More)
* ASTERISK-23941 - ARI: Attended transfers of channels into Stasis
application lose information (Reported by Matt Jordan)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
New Features made in this release:
-----------------------------------
* ASTERISK-24000 - chan_pjsip: Add accountcode setting (Reported
by Matt Jordan)
* ASTERISK-24119 - HEP: Add module that exports RTCP information
to a Homer Capture Server (Reported by Matt Jordan)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.5.0
Rilasciato Asterisk 11.12.0
Il giorno 19 agosto 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.12.0.
Dal post originale:
The release of Asterisk 11.12.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23985 - PresenceState Action response does not contain
ActionID; duplicates Message Header (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)
Improvements made in this release:
-----------------------------------
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.12.0