
Heap Buffer Overflow in Skinny Channel Driver

In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.

The length of the buffer is now checked before a value is appended to its end.

Affected Versions:

  • Asterisk Open Source 1.6.2.x, all versions
  • Asterisk Open Source 1.8.x, all versions
  • Asterisk Open Source 10.x, all versions

Corrected In Product Release:

  • Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1
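The pattern described above, as an added example rather than Asterisk's own chan_skinny code: a heap-allocated DTMF queue that receives one digit per KEYPAD_BUTTON_MESSAGE, shown first with the unchecked append that lets a peer write past the allocation and then with the bounds check the fix introduces. The queue size, the structure and function names, and the keypad-code-to-digit mapping (0-9 digits, 14 for '*', 15 for '#') are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a heap-allocated DTMF queue fed by Skinny
 * KEYPAD_BUTTON_MESSAGE events. Not Asterisk's chan_skinny code; the
 * queue size and all names here are assumptions for this example. */

#define DTMF_QUEUE_LEN 16   /* assumed capacity of the heap buffer */

struct dtmf_queue {
    char *digits;   /* heap buffer holding up to cap queued digits */
    size_t len;     /* number of digits currently queued */
    size_t cap;     /* capacity of digits[] */
};

struct dtmf_queue *dtmf_queue_new(size_t cap)
{
    struct dtmf_queue *q = calloc(1, sizeof(*q));
    if (!q) return NULL;
    q->digits = calloc(cap, 1);
    if (!q->digits) { free(q); return NULL; }
    q->cap = cap;
    return q;
}

void dtmf_queue_free(struct dtmf_queue *q)
{
    if (!q) return;
    free(q->digits);
    free(q);
}

/* Map the keypad button code carried in a KEYPAD_BUTTON_MESSAGE to a DTMF
 * digit: 0-9 are the digits, 14 is '*', 15 is '#' (the encoding assumed
 * for this example). Returns 0 for any other code. */
char keypad_button_to_dtmf(long button)
{
    if (button >= 0 && button <= 9) return (char)('0' + button);
    if (button == 14) return '*';
    if (button == 15) return '#';
    return 0;
}

/* The unsafe pattern: every received digit is appended with no check
 * against the allocation size, so a peer that sends more than cap
 * KEYPAD_BUTTON_MESSAGE events writes past the end of the heap buffer.
 * Kept here for comparison only; never call it once len reaches cap. */
void dtmf_queue_push_unchecked(struct dtmf_queue *q, char digit)
{
    q->digits[q->len++] = digit;   /* heap overflow once len == cap */
}

/* The corrected pattern: refuse digits that would not fit.
 * Returns 0 when queued, -1 when dropped. */
int dtmf_queue_push(struct dtmf_queue *q, char digit)
{
    if (q->len >= q->cap) return -1;
    q->digits[q->len++] = digit;
    return 0;
}

/* Simulate a flood of n KEYPAD_BUTTON_MESSAGE events from one peer against
 * the bounds-checked queue; returns how many were accepted (never > cap). */
size_t simulate_keypad_flood(struct dtmf_queue *q, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        char d = keypad_button_to_dtmf((long)(i % 16));   /* constructed button codes */
        if (d == 0) continue;   /* codes 10-13 are not DTMF; a handler would ignore them */
        if (dtmf_queue_push(q, d) == 0) accepted++;
    }
    return accepted;
}

int main(void)
{
    struct dtmf_queue *q = dtmf_queue_new(DTMF_QUEUE_LEN);
    if (!q) return 1;
    size_t accepted = simulate_keypad_flood(q, 100);
    printf("queued %zu of 100 digits (capacity %zu); the rest were dropped\n",
           accepted, q->cap);
    dtmf_queue_free(q);
    return 0;
}
```

The check belongs at the append, not at the receive loop: any path that enqueues a digit (keypad message, out-of-band DTMF, a replayed message) must go through the same bounds-checked function, otherwise one forgotten caller reintroduces the overrun. Dropping excess digits is the conservative choice; a real implementation would also log the event, since a peer sending dozens of keypad presses faster than the dialplan consumes them is itself a signal worth alerting on.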

Asterisk Manager User Unauthorized Shell Access

A user of the Asterisk Manager Interface can bypass a security check and execute shell commands when they lack permission to do so. Under normal conditions, a user should only be able to run shell commands if that user has System class authorization. Users could bypass this restriction by using the MixMonitor application with the originate action or by using either the GetVar or Status manager actions in combination with the SHELL and EVAL functions. The patch adds checks in each affected action to verify if a user has System class authorization. If the user does not have those authorizations, Asterisk rejects the action if it detects the use of any functions or applications that run system commands.

Asterisk now performs checks against manager commands that cause these behaviors for each of the affected actions.

The following versions are affected:

  • Asterisk Open Source 1.6.2.x All versions
  • Asterisk Open Source 1.8.x All versions
  • Asterisk Open Source 10.x All versions
  • Asterisk Business Edition C.3.x All versions

Corrected In Product Release:

  • Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1
  • Asterisk Business Edition C.3.7.4
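An authorization gate of the kind the advisory describes, written here as an added example (not Asterisk's manager.c): a manager request is rejected for a user without System class write permission if its Application header names an application that can spawn a command, or if any of its Application, Data or Variable fields mention the SHELL or EVAL functions. The permission bits, the request structure, and the lists of dangerous applications and functions are assumptions for this example; the sample requests are constructed to mirror the three bypasses named above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative authorization gate for manager actions. Added example code,
 * not Asterisk's manager.c; the permission bits, request structure and the
 * lists of dangerous names below are assumptions made for the example. */

#define PERM_CALL   (1u << 0)   /* "call" write class */
#define PERM_SYSTEM (1u << 1)   /* "system" write class: may run shell commands */

/* Dialplan functions and applications that end up executing system commands. */
static const char *const SHELL_FUNCTIONS[] = { "SHELL", "EVAL", NULL };
static const char *const SHELL_APPS[] = { "System", "TrySystem", "MixMonitor", NULL };

struct manager_request {
    const char *action;      /* e.g. "Originate", "GetVar", "Status" */
    const char *application; /* Originate's Application header, or NULL */
    const char *data;        /* Originate's Data header, or NULL */
    const char *variable;    /* Variable header(s) of Originate/GetVar/Status, or NULL */
};

/* Portable case-insensitive substring search (strcasestr is a GNU extension). */
static int contains_nocase(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    if (!haystack) return 0;
    for (const char *p = haystack; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] &&
               tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

static int equals_nocase(const char *a, const char *b)
{
    if (!a || !b) return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if the request may proceed, 0 if it must be rejected. The match
 * is deliberately over-broad (any field that merely mentions SHELL or EVAL is
 * refused for non-system users): a false positive costs one denied action,
 * a false negative hands out a remote shell. */
int manager_action_allowed(const struct manager_request *r, unsigned perms)
{
    if (perms & PERM_SYSTEM) return 1;   /* system class: nothing to restrict */

    /* Originate: the Application header can name an app that spawns a command. */
    if (equals_nocase(r->action, "Originate") && r->application) {
        for (const char *const *app = SHELL_APPS; *app; app++)
            if (equals_nocase(r->application, *app)) return 0;
    }

    /* Any action: function calls hide in Application, Data and Variable fields,
     * e.g. "Variable: x=${SHELL(id)}" on Originate or "Variable: SHELL(id)" on GetVar. */
    const char *fields[] = { r->application, r->data, r->variable };
    for (size_t f = 0; f < sizeof(fields) / sizeof(fields[0]); f++)
        for (const char *const *fn = SHELL_FUNCTIONS; *fn; fn++)
            if (contains_nocase(fields[f], *fn)) return 0;

    return 1;
}

int main(void)
{
    /* Constructed requests mirroring the bypasses in the advisory. */
    struct manager_request originate = { "Originate", "MixMonitor", "/tmp/rec.wav,b,id", NULL };
    struct manager_request getvar    = { "GetVar", NULL, NULL, "SHELL(id)" };
    struct manager_request status    = { "Status", NULL, NULL, "x=${EVAL(${y})}" };
    struct manager_request benign    = { "Originate", "Playback", "hello-world", "CALLERID(name)=test" };
    const struct manager_request *reqs[] = { &originate, &getvar, &status, &benign };

    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-9s with call permission only: %s\n", reqs[i]->action,
               manager_action_allowed(reqs[i], PERM_CALL) ? "allowed" : "rejected");
    return 0;
}
```

Two points a practitioner should take from the shape of the check: the comparison must be case-insensitive, because dialplan function and application names are, so `${shell(id)}` is as live as `${SHELL(id)}`; and the scan must cover every field in which the server will later perform variable substitution, not only the obvious Application header, since the Variable header of GetVar and Status is exactly where the original bypass lived.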

Asterisk Directmedia

What is directmedia?

To put it simply, it is the process by which Asterisk tries to redirect the RTP media stream so that it flows directly between the caller and the callee instead of through Asterisk. Be aware that some devices do not support this (especially if one of them is behind a NAT). The option is directmedia in sip.conf, and the default setting is yes.

When to use it?

If you have all clients behind a NAT, or for some other reason want Asterisk to stay in the audio path, you may want to turn this off.

If you want to allow media path redirection (reinvite) only when the peer the media is being sent to is known not to be behind a NAT (the RTP core can determine this from the apparent IP address the media arrives from), set this to nonat.

Adhearsion 2.0 Release For Asterisk 1.8+

Today marks another milestone in the Adhearsion project: the release of Adhearsion 2.0.  There has been a flurry of activity in the last few days as we have worked hard to update documentation and release a brand new look-and-feel for the Adhearsion website.  We hope you like it.

So, with a small flourish and no small amount of relief, I’m pleased to announce the immediate availability of Adhearsion 2.0, the open source framework for the creation of voice applications.
Here are some highlights of the changes relative to the latest Adhearsion 1.x:
  • Adhearsion now supports multiple telephony engines! In particular we support Asterisk (as always) as well as newly added support for PRISM via the open-standard Rayo protocol
  • CallControllers make telephone functionality more Ruby-esque, more testable and are scientifically shown to make you happier
  • A self-documenting configuration engine (“rake config:show”)
  • A completely revamped plugin system makes adding and sharing Adhearsion functionality better than ever
  • Did I mention the new website design and documentation?
  • Way more stuff than I can reasonably list here.  You should check out the CHANGELOG and the Upgrade documentation.
I would like to take a moment and recognize the team that made this happen.  The Adhearsion project has exploded in the last year, and many of the people who worked so hard to bring you Adhearsion 2 are actually new to the community within the last year!  A special thanks to Ben Langfeld who has driven much of this development effort and contributed fixes to many bugs and added new functionality in some of our dependency packages in the process of making this happen.  I also want to thank our sponsors, especially Tropo, for not only funding direct development, but helping to evangelize and organize.  Tropo has been a fantastic collaborator throughout Adhearsion’s lifetime.
Now, you might be thinking “all of the above sounds great, but how stable can it really be? Is it webscale?”  The answer is “very stable” and “yes”, respectively.  But I don’t want you to just take my word for it.  A few weeks back, I bet Ben Langfeld a double sawbuck (that is, an Andrew Jackson, a USD $20) that Adhearsion 2 wasn’t ready to take a fully loaded server’s worth of traffic.  And he muttered something about me not keeping the faith, and then took me up on that bet.  So now we’re going to do it live.  In the next couple of weeks we are going to do a live broadcast of a load test, pushing Adhearsion to scale on both Asterisk and PRISM.  We are going to see just how “webscale” it is, and we’re going to be streaming the event live on Ustream so you all can join in the fun.  The loser (hopefully me) will be well and truly prepared to take your jeers and fork over the cash.  Look for an announcement soon for where and when.  It’s about as geeky fun as telephony gets.  I hope you’ll come join us.
In the meantime, go check out Adhearsion 2!

On behalf of the Adhearsion 2 development team, thanks for being you.

Ben Klang
404.475.4841
Mojo Lingo – Voice applications that work like magic
Twitter: @MojoLingo

Asterisk 10.3.0 Now Available

The Asterisk Development Team has announced the release of Asterisk 10.3.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.3.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following are the issues resolved in this release:

* — Fix potential buffer overrun and memory leak when executing “sip show peers”
(Closes issue ASTERISK-19231. Reported by Thomas Arimont, Jamuel Starkey)

* — Fix ACK routing for non-2xx responses.
(Closes issue ASTERISK-19389.)

* — Remove possible segfaults from res_odbc by adding locks around usage of odbc handle
(Closes issue ASTERISK-19011. Reported by Walter Doekes)

* — Fix blind transfer parking issues if the dialed extension is not recognized as a parking extension.
(Closes issue ASTERISK-19322. Reported by aragon)

* — Copy CDR variables when set during a bridge
(Closes issue ASTERISK-16990.)

* — push ‘outgoing’ flag from sig_XXX up to chan_dahdi
(Closes issue ASTERISK-19316. Reported by Jeremy Pepper)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.3.0

Thank you for your continued support of Asterisk!