Asterisk security – AST-2011-003: Resource exhaustion in Asterisk Manager Interface
Here is the link to download the PDF document:
DAHDI-Linux and DAHDI-Tools 2.4.1 released
On 3 March, the Asterisk Development Team announced the release of version 2.4.1 of DAHDI-Linux and DAHDI-Tools.
From the original post:
2.4.1 is a maintenance release of the DAHDI drivers and tools packages. Some of the more notable changes are:
- Support for compilation against kernel versions from 2.6.9 up to and including 2.6.38-rc6.
- wct4xxp: PCI-express cards go through an extended reset at start by default.
- wcte12xp, wctdm24xxp: Disable read-line multiple PCI command, which increases compatibility in some systems.
- xpp: Fixes init error for PRI devices with < 4 ports.
- tonezone: Add Macao, China to tone zone data.
- dahdi_genconf: Don't generate configurations that use channel 16 on E1 CAS.
For a full list of changes in these releases, please see the ChangeLogs at http://svn.asterisk.org/svn/dahdi/linux/tags/2.4.1/ChangeLog and http://svn.asterisk.org/svn/dahdi/tools/tags/2.4.1/ChangeLog
Issues found in these release candidates can be reported in the DAHDI-linux or DAHDI-tools project at https://issues.asterisk.org
Asterisk 1.8.4-rc2 released
On 28 February, the Asterisk Development Team announced the release of Asterisk 1.8.4-rc2.
From the original post:
The release of Asterisk 1.8.4-rc2 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release candidate:
- Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo, shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
- Resolve deadlocks related to device states in chan_sip
(Closes issue #18310. Reported, patched by one47. Patched by jpeeler)
- Resolve an issue with the Asterisk manager interface leaking memory when disabled.
(Reported internally by kmorgan. Patched by russellb)
- Support greetingsfolder as documented in voicemail.conf.sample.
(Closes issue #17870. Reported by edhorton. Patched by seanbright)
- Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb. Patched by russellb)
- Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by jpeeler)
- Set hangup cause in local_hangup so the proper return code of 486 instead of 503 when using Local channels when the far sides returns a busy. Also affects CCSS in Asterisk 1.8+.
(Patched by twilson)
- Fix issues with verbose messages not being output to the console.
(Closes issue #18580. Reported by pabelanger. Patched by qwell)
Asterisk 1.8.4-rc1 was not released due to a blocking issue found prior to
release. An additional fix was merged into Asterisk 1.8.4-rc2:
- Fix Deadlock with attended transfer of SIP call
(Closes issue #18837. Reported, patched by alecdavis. Tested by
alecdavid, Irontec, ZX81, cmaj)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4-rc2
Asterisk 1.6.2.18-rc1 released
On 28 February, the Asterisk Development Team announced the release of Asterisk 1.6.2.18-rc1.
From the original post:
The following is a sample of the issues resolved in this release candidate:
- Only offer codecs both sides support for directmedia.
(Closes issue #17403. Reported, patched by one47)
- Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo, shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
- Resolve deadlocks related to device states in chan_sip
(Closes issue #18310. Reported, patched by one47. Patched by jpeeler)
- Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb. Patched by russellb)
- Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by jpeeler)
- Guard against retransmitting BYEs indefinitely during attended transfers with chan_sip.
(Review: https://reviewboard.asterisk.org/r/1077/)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18-rc1
Asterisk 1.4.41-rc1 released
On 28 February, the Asterisk Development Team announced the release of Asterisk 1.4.41-rc1.
From the original post:
The following is a sample of the issues resolved in this release candidate:
- Only offer codecs both sides support for directmedia.
(Closes issue #17403. Reported, patched by one47)
- Resolution of several DTMF based attended transfer issues.
(Closes issue #17999, #17096, #18395, #17273. Reported by iskatel, gelo, shihchuan, grecco. Patched by rmudgett)
NOTE: Be sure to read the ChangeLog for more information about these changes.
- Fix channel redirect out of MeetMe() and other issues with channel softhangup
(Closes issue #18585. Reported by oej. Tested by oej, wedhorn, russellb. Patched by russellb)
- Fix voicemail sequencing for file based storage.
(Closes issue #18498, #18486. Reported by JJCinAZ, bluefox. Patched by jpeeler)
- Guard against retransmitting BYEs indefinitely during attended transfers with chan_sip.
(Review: https://reviewboard.asterisk.org/r/1077/)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.41-rc1
Asterisk 1.8.3 released
On 28 February, the Asterisk Development Team announced the release of Asterisk 1.8.3.
From the original post:
The following is a sample of the issues resolved in this release:
- Resolve duplicated data in the AstDB when using DIALGROUP()
(Closes issue #18091. Reported by bunny. Patched by tilghman)
- Ensure the ipaddr field in realtime is large enough to handle IPv6 addresses.
(Closes issue #18464. Reported, patched by IgorG)
- Reworking parsing of mwi => lines to resolve a segfault. Also add a set of unit tests for the function that does the parsing.
(Closes issue #18350. Reported by gbour. Patched by Marquis)
- When using cdr_pgsql the billsec field was not populated correctly on unanswered calls.
(Closes issue #18406. Reported by joscas. Patched by tilghman)
- Resolve memory leak in iCalendar and Exchange calendaring modules.
(Closes issue #18521. Reported, patched by pitel. Tested by cervajs)
- This version of Asterisk includes the new Compiler Flags option BETTER_BACKTRACES which uses libbfd to search for better symbol information within both the Asterisk binary, as well as loaded modules, to assist when using inline backtraces to track down problems.
(Patched by tilghman)
- Resolve issue where no Music On Hold may be triggered when using res_timing_dahdi.
(Closes issues #18262. Reported by francesco_r. Patched by cjacobson. Tested by francesco_r, rfrantik, one47)
- Resolve a memory leak when the Asterisk Manager Interface is disabled.
(Reported internally by kmorgan. Patched by russellb)
- Reimplemented fax session reservation to reverse the ABI breakage introduced in r297486.
(Reported internally. Patched by mnicholson)
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
- Resolve deadlock involving REFER.
(Closes issue #18403. Reported, tested by jthurman. Patched by jpeeler.)
Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3
Asterisk 1.6.2.17 released
On 28 February, the Asterisk Development Team announced the release of Asterisk 1.6.2.17.
From the original post:
The following is a sample of the issues resolved in this release:
- Resolve duplicated data in the AstDB when using DIALGROUP()
(Closes issue #18091. Reported by bunny. Patched by tilghman)
- Correct issue where res_config_odbc could populate fields with invalid data.
(Closes issue #18251, #18279. Reported by bcnit, zerohalo. Tested by trev, jthurman, elguero, zerohalo. Patched by tilghman)
- When using cdr_pgsql the billsec field was not populated correctly on unanswered calls.
(Closes issue #18406. Reported by joscas. Patched by tilghman)
- Resolve issue where re-transmissions of SUBSCRIBE could break presence.
(Closes issue #18075. Reported by mdu113. Patched by twilson)
- Fix regression causing forwarding voicemails to not work with file storage.
(Closes issue #18358. Reported by cabal95. Patched by jpeeler)
- This version of Asterisk includes the new Compiler Flags option BETTER_BACKTRACES which uses libbfd to search for better symbol information within both the Asterisk binary, as well as loaded modules, to assist when using inline backtraces to track down problems.
(Patched by tilghman)
- Resolve several issues with DTMF based attended transfers.
(Closes issues #17999, #17096, #18395, #17273. Reported by iskatel, gelo, shihchaun, grecco. Patched by rmudgett).
NOTE: Be sure to read the ChangeLog for more information about these changes.
- Resolve issue where no Music On Hold may be triggered when using res_timing_dahdi.
(Closes issues #18262. Reported by francesco_r. Patched by cjacobson. Tested by francesco_r, rfrantik, one47)
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17
Asterisk 1.4.40 released
On 28 February, the Asterisk Development Team announced the release of Asterisk 1.4.40.
From the original post:
The following is a sample of the issues resolved in this release:
- Correct issue where res_config_odbc could populate fields with invalid data.
(Closes issue #18251, #18279. Reported by bcnit, zerohalo. Tested by trev, jthurman, elguero, zerohalo. Patched by tilghman)
- Resolve issue where re-transmissions of SUBSCRIBE could break presence.
(Closes issue #18075. Reported by mdu113. Patched by twilson)
- Resolve issue in res_odbc where it may crash when a query fails.
(Closes issue #18243. Reported, patched by ks3)
- Fix CPU spike when pressing DTMF after agent login.
(Closes issue #18130. Reported by rgj. Patched by jpeeler)
- Fix cross-compiling issue.
(Closes issue #18301. Reported, patched by abelbeck)
- This version of Asterisk includes the new Compiler Flags option BETTER_BACKTRACES which uses libbfd to search for better symbol information within both the Asterisk binary, as well as loaded modules, to assist when using inline backtraces to track down problems.
(Patched by tilghman)
- Resolve several issues with DTMF based attended transfers.
(Closes issues #17999, #17096, #18395, #17273. Reported by iskatel, gelo, shihchaun, grecco. Patched by rmudgett).
NOTE: Be sure to read the ChangeLog for more information about these changes.
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.40
A burst of Asterisk releases
On 28 February, the Asterisk Development Team announced the release of no fewer than 6 versions: 3 stable and 3 release candidates, all on the same day.
In detail:
Stable => 1.4.40
Stable => 1.6.2.17
Stable => 1.8.3
RC => 1.4.41-rc1
RC => 1.6.2.18-rc1
RC => 1.8.4-rc2
In the coming posts we will look at each release in detail.
Asterisk versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2 and 1.8.2.4 released.
On 21 February, the Asterisk Development Team announced the release of Asterisk versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2 and 1.8.2.4.
From the original post:
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems doing T.38 pass
through or termination are vulnerable. The issue and resolution are described in
the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-...
Security advisory AST-2011-002 is available at:
Asterisk security – AST-2011-002: Multiple array overflow and crash vulnerabilities in UDPTL code
Here is the link to download the PDF document:
Asterisk 1.8.3-rc3 released
On 16 February, the Asterisk Development Team announced the release of Asterisk 1.8.3-rc3.
From the original post:
The release of Asterisk 1.8.3-rc3 resolves the following issues in addition to
those included in 1.8.3-rc1 and 1.8.3-rc2:
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
- Resolve deadlock involving REFER.
(Closes issue #18403. Reported, tested by jthurman. Patched by jpeeler.)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3-rc3
Asterisk 1.6.2.17-rc3 released
On 16 February, the Asterisk Development Team announced the release of Asterisk 1.6.2.17-rc3.
From the original post:
The release of Asterisk 1.6.2.17-rc3 resolves the following issues in addition
to those included in 1.6.2.17-rc1 and 1.6.2.17-rc2:
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17-rc3
Asterisk 1.4.40-rc3 released
On 16 February, the Asterisk Development Team announced the release of Asterisk 1.4.40-rc3.
From the original post:
The release of Asterisk 1.4.40-rc3 resolves the following issues in addition to
those included in 1.4.40-rc1 and 1.4.40-rc2:
- Fix regression that changed behavior of queues when ringing a queue member.
(Closes issue #18747, #18733. Reported by vrban. Patched by qwell.)
For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.40-rc3
Asterisk 1.8 and fail2ban
To protect Asterisk 1.8 correctly with iptables/fail2ban you need a "new" asterisk.conf filter file. This is the installation procedure (the old filter is kept as asterisk14.conf):
# cd /etc/fail2ban/filter.d
# wget http://pbxinaflash.net/source/fail2ban/asterisk18.conf
# mv asterisk.conf asterisk14.conf
# mv asterisk18.conf asterisk.conf
# service fail2ban restart
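Why a filter written for the old log format stops protecting an Asterisk 1.8 box, as an added example that is not part of the original post and is not the pbxinaflash filter: it assumes that Asterisk 1.8 appends ":port" to the failing host in its "Registration from ... failed" notice (an assumption about the log format; the log lines, the two regexes and the maxretry value are constructed here), so a bare-IP pattern silently matches nothing and fail2ban never bans.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the page). Assumption: Asterisk 1.4
# logs the failing host as a bare IP, while Asterisk 1.8 appends ":port".
LOG_LINES = [
    "[Feb 28 10:01:02] NOTICE[2345] chan_sip.c: Registration from '\"100\" "
    "<sip:100@203.0.113.10>' failed for '198.51.100.23' - Wrong password",
    "[Feb 28 10:01:05] NOTICE[2345] chan_sip.c: Registration from '\"101\" "
    "<sip:101@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found",
    "[Feb 28 10:01:07] NOTICE[2345] chan_sip.c: Registration from '\"102\" "
    "<sip:102@203.0.113.10>' failed for '198.51.100.77:5061' - Wrong password",
    "[Feb 28 10:02:00] VERBOSE[2345] -- Registered SIP '200' at 192.0.2.5:5060",
]

# Filter in the spirit of a pre-1.8 asterisk.conf: the host must be a bare IPv4.
OLD_RE = re.compile(
    r"Registration from '.*' failed for '(?P<host>\d+\.\d+\.\d+\.\d+)' - ")
# Filter for 1.8: same anchor text, but an optional ':port' suffix is accepted.
NEW_RE = re.compile(
    r"Registration from '.*' failed for '(?P<host>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - ")


def failed_hosts(lines, pattern):
    """Hosts extracted by `pattern`, one entry per matching log line."""
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, pattern, maxretry=2):
    """fail2ban-style decision: ban every host with at least `maxretry` failures."""
    counts = Counter(failed_hosts(lines, pattern))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, pat in (("old filter", OLD_RE), ("1.8 filter", NEW_RE)):
        print(name, "matched:", failed_hosts(LOG_LINES, pat),
              "ban:", sorted(hosts_to_ban(LOG_LINES, pat)))
```

With the old pattern only the first (bare-IP) line counts, so the repeat offender at 198.51.100.23 is never banned; the 1.8-aware pattern sees both of its failures.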