ASTERWEB Blog

21Ago/14Off

Rilasciato Asterisk 1.8.30.0

Il giorno 19 agosto 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.30.0.

Dal post originale:
The release of Asterisk 1.8.30.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23911 - URIENCODE/URIDECODE: WARNING about passing an
empty string is a bit over zealous (Reported by Matt Jordan)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-24087 - [patch]chan_sip: sip_subscribe_mwi_destroy
should not call sip_destroy (Reported by Corey Farrell)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-18345 - [patch] sips connection dropped by asterisk
with a large INVITE (Reported by Stephane Chazelas)
* ASTERISK-23508 - Memory Corruption in
__ast_string_field_ptr_build_va (Reported by Arnd Schmitter)

Improvements made in this release:
-----------------------------------
* ASTERISK-21178 - Improve documentation for manager command
Getvar, Setvar (Reported by Rusty Newton)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.30.0

15Lug/14Off

Nuovo Raspberry Pi Model B+

Il nuovo Raspberry Pi Model B+ ha, rispetto al precedente modello, il connettore GPIO a 40 pin (con pinout da 26 pin identico al Modello B) e ben 4 porte USB.

Rinnovata anche la parte dei circuiti con sensibile risparmio di consumi energetici e (0.5W-1W) e un migliore output audio.

Questo nuovo modello si affianca ai precedenti che continueranno, al momento, ad essere prodotti.

Logo Asterweb

Logo Asterweb

12Lug/14Off

Rilasciato Asterisk 12.4.0

Il giorno 10 luglio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.4.0.

Dal post originale:
The release of Asterisk 12.4.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 - Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23499 - app_agent_pool: Interval hook prevents channel
from being hung up (Reported by Matt Jordan)
* ASTERISK-23721 - Calls to PJSIP endpoints with video enabled
result in leaked RTP ports (Reported by cervajs)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23718 - res_pjsip_incoming_blind_request: crash with
NULL session channel (Reported by Jonathan Rose)
* ASTERISK-23541 - Asterisk 12.1.0 Not respecting directmedia=no
and issuing REINVITE (Reported by Justin E)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23824 - ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-21965 - [patch] Bug-fixed version of safe_asterisk not
installed over old version (Reported by Jeremy Kister)
* ASTERISK-23802 - Security: Deadlock in res_pjsip_pubsub on
transaction timeout (Reported by Mark Michelson)
* ASTERISK-23489 - Vulnerability in res_pjsip_pubsub:
unauthenticated remote crash in during MWI unsubscribe without
being subscribed (Reported by John Bigelow)
* ASTERISK-23609 - Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 - Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 - res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23922 - ao2_container nodes are inconsistent REF_DEBUG
(Reported by Corey Farrell)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23917 - res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23947 - ActionID missing from AMI PJSIP events
(PJSIPShowEndpoints, etc.) (Reported by Mark Michelson)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 - [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)
* ASTERISK-24001 - res_rtp_asterisk fails to load module due to
undefined symbol 'dtls_perform_handshake' when PJPROJECT is not
installed (Reported by Don Fanning)

Improvements made in this release:
-----------------------------------
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-23654 - Add 'pjsip reload' to default cli_aliases.conf
(Reported by Rusty Newton)
* ASTERISK-23811 - Improve performance of Asterisk by reducing the
number of channel snapshots created (Reported by Matt Jordan)
* ASTERISK-22961 - [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)
* ASTERISK-23975 - Description of variables field for userEvent
operation missing details. (Reported by Samuel Galarneau)
* ASTERISK-23552 - http: support persistent connections (Reported
by Scott Griepentrog)
* ASTERISK-23939 - ARI: Allow for channel subscriptions on
originate (Reported by Matt Jordan)

New Features made in this release:
-----------------------------------
* ASTERISK-23786 - TALK_DETECT: A dialplan function that emits
talking start/stop events for AMI/ARI (Reported by Matt Jordan)
* ASTERISK-21443 - New SIP Channel Driver - Create a state
provider for dialog-info+xml (Reported by Matt Jordan)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.4.0

12Lug/14Off

Rilasciato Asterisk 11.11.0

Il giorno 10 luglio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.11.0.

Dal post originale:
The release of Asterisk 11.11.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23792 - Mutex left locked in chan_unistim.c (Reported
by Peter Whisker)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23824 - ConfBridge: Users cannot be muted via CLI or
AMI when waiting to enter a conference (Reported by Matt Jordan)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23609 - Security: AMI action MixMonitor allows
arbitrary programs to be run (Reported by Corey Farrell)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 - DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23844 - Load of pbx_lua fails on sample extensions.lua
with Lua 5.2 or greater due to addition of goto statement
(Reported by Rusty Newton)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23834 - res_rtp_asterisk debug message gives wrong
length if ICE (Reported by Richard Kenner)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23917 - res_http_websocket: Delay in client processing
large streams of data causes disconnect and stuck socket
(Reported by Matt Jordan)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23916 - [patch]SIP/SDP fmtp line may include whitespace
between attributes (Reported by Alexander Traud)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)

Improvements made in this release:
-----------------------------------
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)
* ASTERISK-22961 - [patch] DTLS-SRTP not working with SHA-256
(Reported by Jay Jideliov)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.11.0

12Lug/14Off

Rilasciato Asterisk 1.8.29.0

Il giorno 10 luglio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.29.0.

Dal post originale:
The release of Asterisk 1.8.29.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-22551 - Session timer : UAS (Asterisk) starts counting
at Invite, UAC starts counting at 200 OK. (Reported by i2045)
* ASTERISK-23582 - [patch]Inconsistent column length in *odbc
(Reported by Walter Doekes)
* ASTERISK-23803 - AMI action UpdateConfig EmptyCat clears all
categories but the requested one (Reported by zvision)
* ASTERISK-23035 - ConfBridge with name longer than max (32 chars)
results in several bridges with same conf_name (Reported by
Iñaki Cívico)
* ASTERISK-23683 - #includes - wildcard character in a path more
than one directory deep - results in no config parsing on module
reload (Reported by tootai)
* ASTERISK-23827 - autoservice thread doesn't exit at shutdown
(Reported by Corey Farrell)
* ASTERISK-23814 - No call started after peer dialed (Reported by
Igor Goncharovsky)
* ASTERISK-23673 - Security: DOS by consuming the number of
allowed HTTP connections. (Reported by Richard Mudgett)
* ASTERISK-23246 - DEBUG messages in sdp_crypto.c display despite
a DEBUG level of zero (Reported by Rusty Newton)
* ASTERISK-23766 - [patch] Specify timeout for database write in
SQLite (Reported by Igor Goncharovsky)
* ASTERISK-23818 - PBX_Lua: after asterisk startup module is
loaded, but dialplan not available (Reported by Dennis Guse)
* ASTERISK-23667 - features.conf.sample is unclear as to which
options can or cannot be set in the general section (Reported by
David Brillert)
* ASTERISK-23790 - [patch] - SIP From headers longer than 256
characters result in dropped call and 'No closing bracket'
warnings. (Reported by uniken1)
* ASTERISK-23908 - [patch]When using FEC error correction,
asterisk tries considers negative sequence numbers as missing
(Reported by Torrey Searle)
* ASTERISK-23921 - refcounter.py uses excessive ram for large refs
files (Reported by Corey Farrell)
* ASTERISK-23948 - REF_DEBUG fails to record ao2_ref against
objects that were already freed (Reported by Corey Farrell)
* ASTERISK-23984 - Infinite loop possible in ast_careful_fwrite()
(Reported by Steve Davies)
* ASTERISK-23897 - [patch]Change in SETUP ACK handling (checking
PI) in revision 413765 breaks working environments (Reported by
Pavel Troller)

Improvements made in this release:
-----------------------------------
* ASTERISK-23564 - [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23492 - Add option to safe_asterisk to disable
backgrounding (Reported by Walter Doekes)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.29.0

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-008

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-008

Product Asterisk
Summary Denial of Service in PJSIP Channel Driver
Subscriptions
Nature of Advisory Denial of Service
Susceptibility Remote authenticated sessions
Severity Moderate
Exploits Known No
Reported On 28 May, 2014
Reported By Mark Michelson
Posted On June 12, 2014
Last Updated On June 12, 2014
Advisory Contact Mark Michelson
CVE Name CVE-2014-4048

Description When a SIP transaction timeout caused a subscription to be
terminated, the action taken by Asterisk was guaranteed to
deadlock the thread on which SIP requests are serviced.

Note that this behavior could only happen on established
subscriptions, meaning that this could only be exploited if
an attacker bypassed authentication and successfully
subscribed to a real resource on the Asterisk server.

Resolution The socket-servicing thread is now no longer capable of
dispatching synchronous tasks to other threads since that
may result in deadlocks.

Affected Versions
Product Release Series
Asterisk Open Source 12.x All versions

Corrected In
Product Release
Asterisk Open Source 12.3.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff Asterisk
12

Links https://issues.asterisk.org/jira/browse/ASTERISK-23802

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-008.pdf and
http://downloads.digium.com/pub/security/AST-2014-008.html

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-007

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-007

Product Asterisk
Summary Exhaustion of Allowed Concurrent HTTP Connections
Nature of Advisory Denial Of Service
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On May 25, 2014
Reported By Richard Mudgett
Posted On May 9, 2014
Last Updated On June 12, 2014
Advisory Contact Richard Mudgett
CVE Name CVE-2014-4047

Description Establishing a TCP or TLS connection to the configured HTTP
or HTTPS port respectively in http.conf and then not
sending or completing a HTTP request will tie up a HTTP
session. By doing this repeatedly until the maximum number
of open HTTP sessions is reached, legitimate requests are
blocked.

Resolution The patched versions now have a session_inactivity timeout
option in http.conf that defaults to 30000 ms. Users should
upgrade to a corrected version, apply the released patches,
or disable HTTP support.

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 11.x All versions
Asterisk Open Source 12.x All versions
Certified Asterisk 1.8.15 All versions
Certified Asterisk 11.6 All versions

Corrected In
Product Release
Asterisk Open Source 1.8.28.1, 11.10.1, 12.3.1
Certified Asterisk 1.8.15-cert6, 11.6-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff Certified
Asterisk
1.8.15
http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-23673

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-007.pdf and
http://downloads.digium.com/pub/security/AST-2014-007.html

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-006

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-006

Product Asterisk
Summary Asterisk Manager User Unauthorized Shell Access
Nature of Advisory Permission Escalation
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On April 9, 2014
Reported By Corey Farrell
Posted On June 12, 2014
Last Updated On June 12, 2014
Advisory Contact Jonathan Rose < jrose AT digium DOT com >
CVE Name CVE-2014-4046

Description Manager users can execute arbitrary shell commands with the
MixMonitor manager action. Asterisk does not require system
class authorization for a manager user to use the
MixMonitor action, so any manager user who is permitted to
use manager commands can potentially execute shell commands
as the user executing the Asterisk process.

Resolution Upgrade to a version with the patch integrated, apply the
patch, or do not allow users who should not have permission
to run shell commands to use AMI.

Affected Versions
Product Release Series
Asterisk Open Source 11.x All
Asterisk Open Source 12.x All
Certified Asterisk 11.6 All

Corrected In
Product Release
Asterisk Open Source 11.10.1, 12.3.1
Certified Asterisk 11.6-cert3

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff Certified
Asterisk
11.6

Links https://issues.asterisk.org/jira/browse/ASTERISK-23609

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-006.pdf and
http://downloads.digium.com/pub/security/AST-2014-006.html

13Giu/14Off

Asterisk Project Security Advisory – AST-2014-005

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:

Asterisk Project Security Advisory - AST-2014-005

Product Asterisk
Summary Remote Crash in PJSIP Channel Driver's
Publish/Subscribe Framework
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On March 17, 2014
Reported By John Bigelow
Posted On June 12, 2014
Last Updated On June 12, 2014
Advisory Contact Kevin Harwell
CVE Name CVE-2014-4045

Description A remotely exploitable crash vulnerability exists in the
PJSIP channel driver's pub/sub framework. If an attempt is
made to unsubscribe when not currently subscribed and the
endpoint's "sub_min_expiry" is set to zero, Asterisk tries
to create an expiration timer with zero seconds, which is
not allowed, so an assertion raised.

Resolution Upgrade to a version with the patch integrated, apply the
patch, or make sure the "sub_min_expiry" endpoint
configuration option is greater than zero.

Affected Versions
Product Release Series
Asterisk Open Source 12.x All

Corrected In
Product Release
Asterisk Open Source 12.x 12.3.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff Asterisk
12

Links https://issues.asterisk.org/jira/browse/ASTERISK-23489

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-005.pdf and
http://downloads.digium.com/pub/security/AST-2014-005.html

13Giu/14Off

Asterisk: Security Release 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Il giorno 12 giugno 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio delle securety release per Asterisk: 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1

Dal post originale:
The release of these versions resolves the following issue:

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
Connections

Establishing a TCP or TLS connection to the configured HTTP or HTTPS port
respectively in http.conf and then not sending or completing a HTTP request
will tie up a HTTP session. By doing this repeatedly until the maximum number
of open HTTP sessions is reached, legitimate requests are blocked.

Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the
following issue:

* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized
Shell Access

Manager users can execute arbitrary shell commands with the MixMonitor manager
action. Asterisk does not require system class authorization for a manager
user to use the MixMonitor action, so any manager user who is permitted to use
manager commands can potentially execute shell commands as the user executing
the Asterisk process.

Additionally, the release of 12.3.1 resolves the following issues:

* AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe
Framework

A remotely exploitable crash vulnerability exists in the PJSIP channel
driver's pub/sub framework. If an attempt is made to unsubscribe when not
currently subscribed and the endpoint's “sub_min_expiry” is set to zero,
Asterisk tries to create an expiration timer with zero seconds, which is not
allowed, so an assertion raised.

* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

When a SIP transaction timeout caused a subscription to be terminated, the
action taken by Asterisk was guaranteed to deadlock the thread on which SIP
requests are serviced. Note that this behavior could only happen on
established subscriptions, meaning that this could only be exploited if an
attacker bypassed authentication and successfully subscribed to a real
resource on the Asterisk server.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,
which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1

3Giu/14Off

Asterweb: Corso Configurazione Patton Smartnode

Questa la newsletter con cui abbiamo comunicato ai nostri iscritti, Partners e Rivenditori l'organizzazione di questo corso, ad un costo estremamente contenuto (solo 65,00 Euro più iva), che siamo certi aiuterà tutti gli operatori del settore che parteciperanno.

 

Corso: Configurazione Patton Smartnode

Corso OnLine: Configurazione Patton Smartnode

Costo: 65,00 + iva

PRENOTA SUBITO

Omaggio:
file configurazione per i modelli:

4120/1BIS2V, 4120/2BIS4V, 4112/JO, 4114/JO, 4940/1E30V, 4961/1E30V

Potrai finalmente configurarteli da solo!


Unica data (esclusiva) - prenota immediatamente!

Lunedì 16 giugno  dalle 14:00 alle 18:00

 

Corso: € 65,00 + iva Corso + 1 ora di assistenza: € 95,00 + iva







Programma

14:00 - 15:55

Inizio lavori

Panoramica prodotti

Interfaccia CLI

Esempi di configurazione

16:05 - 18:00

Context Switch

IP Context

SIP Gateways and SIP Servers

Debugging


Asterweb

Lo STaff

https://www.asterweb.org

http://www.asterisk-phonebook.com

Visitate il sito CLASS da dove potrete scricare le VM con già installato il software in versione FULL Demo.

Video Class:


2Giu/14Off

Terza sessione del FreeWebinar “Programmazione Asterisk per FreePBX/Elastix”

Questa la newsletter con la quale comunichiamo ai nostri iscritti, Partners e Rivenditori la data della terza sessione del FreeWebinar "Programmazione Asterisk per FreePBX/Elastix".

 

Webinar gratuito: Programmazione Asterisk per FreePBX/Elastix

Prosegue questo venerdì 6 giugno il programma di Webinar gratuiti organizzati da Asterweb che ha l'obiettivo di farvi acquisire le conoscenze per la programmazione di Asterisk (specificamente rivolta all'integrazione con FreePBX/Elastix).

Anche questo terzo Webinar, della durata di 1 ora, avrà inizio alle ore 14:30.

Per l'inscrizione inviare e-mail a: freewebinar@asterweb.org indicando il/i nominativo/i del/i partecipante/i.

Gli utenti già iscritti potranno partecipare direttamente accedendo con le credenziali precedentemente comunicate (senza nuova iscrizione).

Con l'auspicio di avervi numerosi, vi salutiamo cordialmente.

Asterweb

Lo STaff

https://www.asterweb.org

http://www.asterisk-phonebook.com

Visitate il sito CLASS da dove potrete scricare le VM con già installato il software in versione FULL Demo.

Video Class:

30Mag/14Off

Rilasciato Asterisk 12.3.0

Il giorno 29 maggio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 12.3.0.

Dal post originale:
The release of Asterisk 12.3.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Improvements made in this release:
-----------------------------------
* ASTERISK-23553 - Add ast_spinlock capability to lock.h (Reported
by George Joseph)
* ASTERISK-23649 - [patch]Support for DTLS retransmission
(Reported by NITESH BANSAL)
* ASTERISK-23564 - [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23754 - [patch] Use var/lib directory for log file
configured in asterisk.conf (Reported by Igor Goncharovsky)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23547 - [patch] app_queue removing callers from queue
when reloading (Reported by Italo Rossi)
* ASTERISK-22846 - testsuite: masquerade super test fails on all
branches (still) (Reported by Matt Jordan)
* ASTERISK-23390 - NewExten Event with application AGI shows up
before and after AGI runs (Reported by Benjamin Keith Ford)
* ASTERISK-23584 - PJSIP 'Unable to create channel' when
attempting to call from endpoint with UDP transport to one using
WebSockets (Reported by Rusty Newton)
* ASTERISK-23545 - Confbridge talker detection settings
configuration load bug (Reported by John Knott)
* ASTERISK-23546 - CB_ADD_LEN does not do what you'd think
(Reported by Walter Doekes)
* ASTERISK-22904 - bridges: lock the bridge when creating bridge
snapshots (Reported by Matt Jordan)
* ASTERISK-23620 - Code path in app_stack fails to unlock list
(Reported by Bradley Watkins)
* ASTERISK-23616 - Big memory leak in logger.c (Reported by
ibercom)
* ASTERISK-23588 - ARI: Crash when unsubscribing from bridge
(Reported by Matt Jordan)
* ASTERISK-23502 - Channel variable SIPREFERTOHDR not being set
during blind transfer (Reported by John Bigelow)
* ASTERISK-23576 - Build failure on SmartOS / Illumos / SunOS
(Reported by Sebastian Wiedenroth)
* ASTERISK-23514 - The pjsip.conf aor qualify contact parameters
are not updated on reload. (Reported by Richard Mudgett)
* ASTERISK-23550 - Newer sound sets don't show up in menuselect
(Reported by Rusty Newton)
* ASTERISK-22677 - Playbacks on bridge via ARI are not queued
(Reported by John Bigelow)
* ASTERISK-18331 - app_sms failure (Reported by David Woodhouse)
* ASTERISK-23487 - features.conf cant load from realtime because
features_config.c starts before loader.c (Reported by Denis)
* ASTERISK-23282 - Documentation - Tab completion and CLI usage
documentation do not indicate that 'all' is accepted for
'confbridge kick all' (Reported by Dorian Logan)
* ASTERISK-19465 - P-Asserted-Identity Privacy (Reported by
Krzysztof Chmielewski)
* ASTERISK-23573 - Crash when transferring unbridged call - in
bridge_app_subscribed at stasis/app.c (Reported by Mark
Michelson)
* ASTERISK-23639 - PJSIP Realtime: Alembic migration needed in
order to widen some string columns (Reported by Mark Michelson)
* ASTERISK-23560 - [ARI] MOH doesn't indicate progress (Reported
by Jan Svoboda)
* ASTERISK-23605 - res_http_websocket: Race condition in shutting
down websocket causes crash (Reported by Matt Jordan)
* ASTERISK-23498 - Asterisk PJSIP transport configuration fails on
parsing of 'cipher' option, any valid option is reported as
unsupported (Reported by Anthony Messina)
* ASTERISK-23672 - PJSIP Digium presence notifications are not
sent if only the subtype or message changes (Reported by Mark
Michelson)
* ASTERISK-23501 - Copy 'Referred-By' header to outgoing INVITE
(Reported by John Bigelow)
* ASTERISK-23707 - Realtime Contacts: Apparent mismatch between
PGSQL database state and Asterisk state (Reported by Mark
Michelson)
* ASTERISK-23675 - [patch] Segmentation Fault on first SIP
registration using res_config_odbc (Reported by Leandro Dardini)
* ASTERISK-23381 - [patch]ChanSpy- Barge only works on the initial
'spy', if the spied-on channel makes a new call, unable to
barge. (Reported by Robert Moss)
* ASTERISK-23497 - chan_sip SIP protocol attended transfer, with
directmedia=yes results in a simple bridge, typically with no
audio (Reported by Etienne Lessard)
* ASTERISK-23665 - Wrong mime type for codec H263-1998 (h263+)
(Reported by Guillaume Maudoux)
* ASTERISK-23664 - Incorrect H264 specification in SDP. (Reported
by Guillaume Maudoux)
* ASTERISK-23709 - Regression in Dahdi/Analog/waitfordialtone
(Reported by Steve Davies)
* ASTERISK-23758 - 500 internal server error when answering a
channel with ARI (Reported by Paul Belanger)
* ASTERISK-22912 - res_corosync doesn't build in Asterisk 12 beta2
(Reported by Malcolm Davenport)
* ASTERISK-22372 - res_corosync: Compilation errors and
functionality broken in Asterisk 12 (Reported by Matt Jordan)
* ASTERISK-23721 - Calls to PJSIP endpoints with video enabled
result in leaked RTP ports (Reported by cervajs)

New Features made in this release:
-----------------------------------
* ASTERISK-23433 - ARI: Add 'tones' as a URI scheme for /play
operations on resources that support media (bridges, channels)
(Reported by Matt Jordan)
* ASTERISK-22697 - ARI: Add the ability to raise an arbitrary User
Event from the Asterisk or Applications resource (Reported by
Matt Jordan)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-12.3.0

30Mag/14Off

Rilasciato Asterisk 11.10.0

Il giorno 29 maggio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 11.10.0.

Dal post originale:
The release of Asterisk 11.10.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23547 - [patch] app_queue removing callers from queue
when reloading (Reported by Italo Rossi)
* ASTERISK-23559 - app_voicemail fails to load after fix to
dialplan functions (Reported by Corey Farrell)
* ASTERISK-22846 - testsuite: masquerade super test fails on all
branches (still) (Reported by Matt Jordan)
* ASTERISK-23545 - Confbridge talker detection settings
configuration load bug (Reported by John Knott)
* ASTERISK-23546 - CB_ADD_LEN does not do what you'd think
(Reported by Walter Doekes)
* ASTERISK-23620 - Code path in app_stack fails to unlock list
(Reported by Bradley Watkins)
* ASTERISK-23616 - Big memory leak in logger.c (Reported by
ibercom)
* ASTERISK-23576 - Build failure on SmartOS / Illumos / SunOS
(Reported by Sebastian Wiedenroth)
* ASTERISK-23550 - Newer sound sets don't show up in menuselect
(Reported by Rusty Newton)
* ASTERISK-18331 - app_sms failure (Reported by David Woodhouse)
* ASTERISK-19465 - P-Asserted-Identity Privacy (Reported by
Krzysztof Chmielewski)
* ASTERISK-23605 - res_http_websocket: Race condition in shutting
down websocket causes crash (Reported by Matt Jordan)
* ASTERISK-23707 - Realtime Contacts: Apparent mismatch between
PGSQL database state and Asterisk state (Reported by Mark
Michelson)
* ASTERISK-23381 - [patch]ChanSpy- Barge only works on the initial
'spy', if the spied-on channel makes a new call, unable to
barge. (Reported by Robert Moss)
* ASTERISK-23665 - Wrong mime type for codec H263-1998 (h263+)
(Reported by Guillaume Maudoux)
* ASTERISK-23664 - Incorrect H264 specification in SDP. (Reported
by Guillaume Maudoux)
* ASTERISK-22977 - chan_sip+CEL: missing ANSWER and PICKUP event
for INVITE/w/replaces pickup (Reported by Walter Doekes)
* ASTERISK-23709 - Regression in Dahdi/Analog/waitfordialtone
(Reported by Steve Davies)

Improvements made in this release:
-----------------------------------
* ASTERISK-23649 - [patch]Support for DTLS retransmission
(Reported by NITESH BANSAL)
* ASTERISK-23564 - [patch]TLS/SRTP status of channel not currently
available in a CLI command (Reported by Patrick Laimbock)
* ASTERISK-23754 - [patch] Use var/lib directory for log file
configured in asterisk.conf (Reported by Igor Goncharovsky)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.10.0

30Mag/14Off

Rilasciato Asterisk 1.8.28.0

Il giorno 29 maggio 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 1.8.28.0.

Dal post originale:
The release of Asterisk 1.8.28.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-23547 - [patch] app_queue removing callers from queue
when reloading (Reported by Italo Rossi)
* ASTERISK-22846 - testsuite: masquerade super test fails on all
branches (still) (Reported by Matt Jordan)
* ASTERISK-23546 - CB_ADD_LEN does not do what you'd think
(Reported by Walter Doekes)
* ASTERISK-23620 - Code path in app_stack fails to unlock list
(Reported by Bradley Watkins)
* ASTERISK-18331 - app_sms failure (Reported by David Woodhouse)
* ASTERISK-19465 - P-Asserted-Identity Privacy (Reported by
Krzysztof Chmielewski)
* ASTERISK-23707 - Realtime Contacts: Apparent mismatch between
PGSQL database state and Asterisk state (Reported by Mark
Michelson)
* ASTERISK-23665 - Wrong mime type for codec H263-1998 (h263+)
(Reported by Guillaume Maudoux)
* ASTERISK-22977 - chan_sip+CEL: missing ANSWER and PICKUP event
for INVITE/w/replaces pickup (Reported by Walter Doekes)
* ASTERISK-23709 - Regression in Dahdi/Analog/waitfordialtone
(Reported by Steve Davies)
* ASTERISK-23650 - Intermittent segfault in string functions
(Reported by Roel van Meer)

Improvements made in this release:
-----------------------------------
* ASTERISK-23754 - [patch] Use var/lib directory for log file
configured in asterisk.conf (Reported by Igor Goncharovsky)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.28.0

Thank you for your continued support of Asterisk!