Asterisk 10.6.1 Now Available

The Asterisk Development Team has announced the release of Asterisk 10.6.1. This release resolves an issue reported by the community and would not have been possible without your participation. Thank you! The following is the issue resolved in this release:

  • Remove a superfluous and dangerous freeing of an SSL_CTX. (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)

For a full list of changes in this release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.6.1

Thank you for your continued support of Asterisk!

VoIP News 3.2 years ago 0 Answers

Asterisk 10.6.0 Now Available

The Asterisk Development Team has announced the release of Asterisk 10.6.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 10.6.0 resolves several issues reported by the community like:

  • format_mp3: Fix a possible crash in mp3_read(). (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)
  • Fix local channel chains optimizing themselves out of a call. (Closes issue ASTERISK-16711. Reported by Alec Davis)
  • Re-add LastMsgsSent value for SIP peers (Closes issue ASTERISK-17866. Reported by Steve Davies)
  • Prevent sip_pvt refleak when an ast_channel outlasts its corresponding sip_pvt. (Closes issue ASTERISK-19425. Reported by David Cunningham)
  • Send more accurate identification information in dialog-info SIP NOTIFYs. (Closes issue ASTERISK-16735.…

VoIP News 3.2 years ago 0 Answers

AST-2012-011: Remote Crash Vulnerability In Voice Mail Application

If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash. Management of the memory in question has been reworked so that double frees and out of bounds array access do not occur. Upgrade to the latest release.

Affected Versions (Product, Release Series):

  • Asterisk Open Source, 1.8.x: 1.8.11 and newer
  • Asterisk Open Source, 10.x: 10.3 and newer
  • Certified Asterisk, 1.8.11-certx: All versions
  • Asterisk Digiumphones, 10.x.x-digiumphones: All versions

Corrected In (Product, Release):

  • Asterisk Open Source: 1.8.13.1, 10.5.2
  • Certified Asterisk: 1.8.11-cert4
  • Asterisk Digiumphones: 10.5.2-digiumphones

VoIP News 3.2 years ago 0 Answers

Skinny Channel Driver Remote Crash Vulnerability

A previously developed patch dealt with a denial of service attack exploitable in the Skinny channel driver that occurred when certain messages are sent after a previously registered station sends an Off Hook message. Unresolved in that patch is an issue in the Asterisk 10 releases, wherein, if a Station Key Pad Button Message is processed after an Off Hook message, the channel driver will inappropriately dereference a NULL pointer. Similar to the problem solved with the previous patch, a remote attacker with a valid SCCP ID can use this vulnerability by closing a connection to the Asterisk server when a station is in the "Off Hook" call state and…

VoIP News 3.3 years ago 0 Answers

Asterisk 10.5.0 Now Available

The Asterisk Development Team has announced the release of Asterisk 10.5.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 10.5.0 resolves several issues reported by the community and would not have been possible without your participation. Thank you! The following is a sample of the issues resolved in this release:

  • Turn off warning message when bind address is set to any. (Closes issue ASTERISK-19456. Reported by Michael L. Young)
  • Prevent overflow in calculation in ast_tvdiff_ms on 32-bit machines (Closes issue ASTERISK-19727. Reported by Ben Klang)
  • Make DAHDISendCallreroutingFacility wait 5 seconds for a reply before disconnecting the call. (Closes issue ASTERISK-19708. Reported…

VoIP News 3.3 years ago 0 Answers

Heap Buffer Overflow in Skinny Channel Driver

In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun. The length of the buffer is now checked before appending a value to the end of the buffer.

Affected Versions (Product, Release Series):

  • Asterisk Open Source, 1.6.2.x: All Versions
  • Asterisk Open Source, 1.8.x: All Versions
  • Asterisk Open Source, 10.x: All Versions
Corrected In Product Release:

Asterisk Manager User Unauthorized Shell Access

A user of the Asterisk Manager Interface can bypass a security check and execute shell commands when they lack permission to do so. Under normal conditions, a user should only be able to run shell commands if that user has System class authorization. Users could bypass this restriction by using the MixMonitor application with the originate action or by using either the GetVar or Status manager actions in combination with the SHELL and EVAL functions. The patch adds checks in each affected action to verify if a user has System class authorization. If the user does not have those authorizations, Asterisk rejects the action if it detects the use of any…

VoIP News 3.4 years ago 0 Answers

Adhearsion 2.0 Release For Asterisk 1.8+

Today marks another milestone in the Adhearsion project: the release of Adhearsion 2.0. There has been a fury of activity in the last few days as we have worked hard to update documentation and release a brand new look-and-feel for the Adhearsion website. We hope you like it.
So, with a small flourish and no small amount of relief, I'm pleased to announce the immediate availability of Adhearsion 2.0, the open source framework for the creation of voice applications.
Here are some highlights of the changes relative to the latest Adhearsion 1.x:

Asterisk 10.3.0 Now Available

The Asterisk Development Team has announced the release of Asterisk 10.3.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 10.3.0 resolves several issues reported by the community and would not have been possible without your participation. Thank you! The following are the issues resolved in this release:

  • Fix potential buffer overrun and memory leak when executing "sip show peers" (Closes issue ASTERISK-19231. Reported by Thomas Arimont, Jamuel Starkey)
  • Fix ACK routing for non-2xx responses. (Closes issue ASTERISK-19389.)
  • Remove possible segfaults from res_odbc by adding locks around usage of odbc handle (Closes issue…

VoIP News 3.5 years ago 0 Answers

ITSPA 2012 Award for Open Source VoIP Projects

Hello, the following is an email from Daniel, of the Kamailio project: "ITSPA UK has unveiled the winners of its 4th annual Awards, an event designed to celebrate innovation and best practice in the VoIP industry:

  • http://www.itspaawards.org.uk/

Open Source VoIP Projects won a special category this year, Members' Pick, for providing real value to the VoIP industry. I had the chance to attend the event in London and I have been selected to pick up the award. I posted a news item on the website of the project I am mainly involved in (Kamailio) with more details:

As you would…

VoIP News 3.5 years ago 0 Answers