
Asterisk: Manager User Dialplan Permission Escalation

Matt Jordan reported a Manager User Dialplan Permission Escalation vulnerability in Asterisk PBX. This permission escalation bug, which made it possible to compromise remote authenticated sessions, was considered a minor severity vulnerability.

Protocols that offer external control, such as the Asterisk Manager Interface, are often able to set and get channel variables, which allows the execution of dialplan functions.

We all know the power of dialplan functions inside Asterisk. It is that power that allows us to build a plethora of Asterisk-based applications. When functions that are allowed to do more (e.g. execute commands, change files, etc.) are executed from an external protocol, the execution could lead to undesirable results, such as privilege escalation.

Asterisk can now inhibit the execution of these functions from external interfaces such as AMI, if live_dangerously in the [options] section of asterisk.conf is set to no. For backwards compatibility, live_dangerously defaults to yes, and must be explicitly set to no to enable this privilege escalation protection.
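
Because the protection is off unless live_dangerously is explicitly set to no, a configuration audit has to treat a missing or commented-out setting as a finding. The following check is an added example, not code from the Asterisk project; the function names, the sample configurations and the simplified parsing rules noted in the docstring are assumptions made for illustration.

```python
# Added example: audit asterisk.conf text for the live_dangerously setting.
TRUTHY = {"yes", "true", "y", "t", "1", "on"}  # values Asterisk's ast_true() accepts

def live_dangerously(conf_text):
    """Return (enabled, explicit) for [options] live_dangerously.

    Assumptions: simple ';' comments only (no escaped semicolons or block
    comments), no #include handling, and the last assignment in [options] wins.
    """
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip().lower()
            continue
        if section == "options" and "=" in line:
            key, val = line.split("=", 1)
            if key.strip().lower() == "live_dangerously":
                value = val.lstrip(">").strip().lower()  # accepts '=' and '=>'
    if value is None:
        return True, False  # absent: the announcement says the default is yes
    return value in TRUTHY, True

def audit(conf_text):
    """Turn the parsed setting into a one-line audit verdict."""
    enabled, explicit = live_dangerously(conf_text)
    if not enabled:
        return "OK: protection enabled (live_dangerously = no)"
    if explicit:
        return "FINDING: live_dangerously explicitly enabled"
    return "FINDING: live_dangerously not set, default yes applies"

# Constructed sample configurations (not taken from a real system).
SAMPLE_DEFAULT = """
[directories]
astetcdir => /etc/asterisk
[options]
verbose = 3
;live_dangerously = no   ; commented out, so the default still applies
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT + "live_dangerously = no\n"
SAMPLE_WRONG_SECTION = "[general]\nlive_dangerously = no\n[options]\nverbose = 3\n"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                       ("wrong section", SAMPLE_WRONG_SECTION)]:
        print(f"{name}: {audit(text)}")
```

The third sample shows the failure mode worth checking for: the key placed outside [options] has no effect, so the default still applies.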

Asterisk VoIP Software 12.0.0-beta2 Now Available!

The Asterisk Development Team is pleased to announce the second beta release of Asterisk 12.0.0. You can immediately download this release at http://downloads.asterisk.org/pub/telephony/asterisk/releases

We strongly encourage all interested Asterisk users to participate throughout the testing process. For any issues you might find, please use the issue tracker to report them: https://issues.asterisk.org/jira. We would like you to come to the #asterisk-bugs channel to help communicate the issues you found. It is also very useful to see successful test reports. You can use the asterisk-dev mailing list for that (http://lists.digium.com).

The next major release in the series of our favorite VoIP software will be Asterisk 12, which will be a Standard release, just as Asterisk 10 was.

There are many new features included in this version of Asterisk, in addition to a long list of improvements. Just to mention some of them:

  • A new SIP channel driver and accompanying SIP stack named chan_pjsip has been added.
  • The Asterisk REST Interface (ARI) has been added.
  • Major standardization of the Asterisk Manager Interface and its events has occurred within this version.
  • All bridging within Asterisk is now performed using the Asterisk Bridging API, which previously was only used by the ConfBridge application.

And the list continues. For information about the new features, please visit the Asterisk wiki: https://wiki.asterisk.org/wiki/display/AST/Asterisk+12+Documentation

Thank you for your continued support of Asterisk!

Asterisk 11.5.0 Now Available

The Asterisk Development Team has announced the release of Asterisk 11.5.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.5.0 resolves several issues reported by the community and would not have been possible without your participation. Thank you!

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0

Thank you for your continued support of Asterisk!

DAHDI-Linux And DAHDI-Tools 2.7.0 Now Available

The Asterisk Development Team has announced the releases of:
DAHDI-Linux-v2.7.0
DAHDI-Tools-v2.7.0
dahdi-linux-complete-2.7.0+2.7.0

This release is available for immediate download at:
http://downloads.asterisk.org/pub/telephony/dahdi-linux
http://downloads.asterisk.org/pub/telephony/dahdi-tools
http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete

In this release:
* Driving closer towards sysfs configuration of dahdi devices
* Experimental support to “pin” [1] specific span and channel numbers to specific device/local spans
* New wcte13xp base driver

[1] http://git.asterisk.org/gitweb/?p=dahdi/tools.git;a=commit;h=3d1fd71af2221b3f3e21274ba800619feec439e1

For a full list of changes in these releases, please see the shortlog at:
http://git.asterisk.org/gitweb/?p=dahdi/linux.git;a=shortlog;h=refs/tags/v2.7.0-rc1
http://git.asterisk.org/gitweb/?p=dahdi/tools.git;a=shortlog;h=refs/tags/v2.7.0-rc1

Issues found in this release can be reported in the DAHDI-Linux [1] and DAHDI-Tools [2] projects at https://issues.asterisk.org/jira

[1] https://issues.asterisk.org/jira/browse/DAHLIN
[2] https://issues.asterisk.org/jira/browse/DAHTOOL

Thank you for your continued support of Asterisk!

Changes To The Community Service Maintenance Notifications

You may have noticed (or maybe not) that there have been several maintenance notifications for the asterisk.org community services this month. We are working hard to keep the services running smoothly, and those notices are sent whenever we think our maintenance may interfere with the operation of any of the services.

So far, it’s been our policy that we send out a maintenance notification whenever we do anything other than the most minor maintenance on the services. You can usually read “may have intermittent availability” as “it should be available unless things go horribly wrong”.

We now realize that most of these notifications are just spam for most of the community. It is also cumbersome for us to send out the notifications every time we touch the services, especially considering that the services are typically unavailable for at most a few minutes, if at all.

In an effort to reduce spam and make service availability more predictable, we’re changing the policy about when we send notifications about community service availability.

Starting on Monday, May 27th, we will have a regular maintenance window every Monday for one hour starting at 9:00 PM Central Time (that’s 02:00 UTC during daylight saving time in the summer, and 03:00 UTC during standard time). We will try to restrict the service impacting maintenance to that weekly window.

For the times where there might be a service interruption outside of that window (either when it needs to be coordinated with our colo provider, or if the maintenance will take longer than one hour), we will send notice of the impending service interruption to just the asterisk-announce mailing list[1].

This will help us in planning service upgrades and maintenance, and reduce the amount of unnecessary email for the community.

[1]: http://lists.digium.com/mailman/listinfo/asterisk-announce

 Digium’s Asterisk Development Team

Asterisk 11.4.0 Now Available

The Asterisk Development Team has announced the release of Asterisk 11.4.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.4.0 resolves several issues reported by the community and would not have been possible without your participation. Thank you!

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.4.0

Thank you for your continued support of Asterisk!