
CRM Solution for Asterisk

What is the best CRM solution for Asterisk that is easy to deploy and Open Source? Well, there are some good options out there, but the reality is that it’s not possible to determine which one is “better”. Nevertheless, you can always evaluate and consider which one fits your needs. That’s why, among the different CRM solutions around, I would like to call your attention to Zurmo CRM, which has just released its 1.0 GA version.

The first thing about Zurmo is that the way they care about the community’s feedback, contributions and suggestions leads me to believe that this project has a brilliant future. The community around Zurmo has been a major factor in getting the application to where it is today.

One of Zurmo’s strengths is its focus on usability. Have you ever wrestled with a bloated, heavy and enigmatic CRM solution whose interface and “functionality set” match the complexity of the Inception movie? Well, Zurmo tries hard (and succeeds) to avoid that, as their ultimate goal is to create a CRM that everyone will actually use.

From a developer and Slackware Linux user’s perspective, used to test-driven development and simplicity, there’s something about Zurmo that gives me a good feeling: it doesn’t try to do everything under the sun, but what it does, it does right.

Because it is developed with the Yii framework and a set of other great tools, you can expect an application optimized for performance that is able to fulfill your needs.

If the whole “CRM” concept isn’t clear to you, or why you (or your client) would need a CRM solution, then check out this short and interesting introduction: So What Is CRM All About?

If you want to avoid being one of the estimated 70 percent of companies that have tried implementing standalone CRM systems and failed, then you should read this book:

It provides information for the business person who is trying to understand CRM and how it can affect his/her business.

Total Amount Of Asterisk Installations

Counting any Open Source package is difficult for many reasons. There is probably no reliable answer to this question, since there are at least 4 major “flavors” of Asterisk out there (1.4, 1.6, 1.8, 1.10), in both open source and commercial editions. It is reliably more than 10,000 and quite possibly over 100,000 or even over 1 million. The Asterisk folks might be willing to tell you how many downloads have been done from http://www.asterisk.org , but that wouldn’t tell you the real number.

A good starting point for an estimate might be 200,000+ if you are including all of the versions and types. But then we might still think about the Asterisk boxes that are plugged into the Internet.

Getting a reasonably accurate count might not be that difficult, but everybody is so paranoid about anybody knowing anything about them and what they do.

Some community members, like Danny Nicholas, point out the idea of a ‘curl’ request in the script that starts Asterisk that sends your MAC address and Asterisk version number to Asterisk.org. Personally I think that’s a great idea, as there’s no IP address tracking involved or any other identifying information, just the MAC and cheese. Another important remark is that, being Open Source, you can see exactly what is being sent and could always ‘opt-out.’

Some really useful information could be gathered and displayed like:

  • ‘Popularity’ of different versions.
  • Average time between restarts by version number.
  • Ratio of starts to stops by version number. (The difference between starts and stops could be an indicator of crashes.)

Other information that might be helpful to share would be the TDM capacity or maximum simultaneous call count. And all that without really getting ‘compromised’ regarding the shared information. After all, what ‘competitive advantage’ would someone have over you just knowing that Asterisk was started on a box owned by someone, somewhere?

AST-2012-011: Remote Crash Vulnerability In Voice Mail Application

If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash.

Management of the memory in question has been reworked so that double frees and out of bounds array access do not occur. Upgrade to the latest release.

Affected Versions (Product, Release Series)

  • Asterisk Open Source 1.8.x: 1.8.11 and newer
  • Asterisk Open Source 10.x: 10.3 and newer
  • Certified Asterisk 1.8.11-certx: All versions
  • Asterisk Digiumphones 10.x.x-digiumphones: All versions

Corrected In (Product, Release)

  • Asterisk Open Source, 10.5.2
  • Certified Asterisk 1.8.11-cert4
  • Asterisk Digiumphones 10.5.2-digiumphones

AST-2012-010: Possible Resource Leak On Uncompleted Re-invite Transactions

Asterisk Project Security Advisory – AST-2012-010

Product: Asterisk
Summary: Possible resource leak on uncompleted re-invite
Nature of Advisory: Denial of Service
Susceptibility: Remote authenticated sessions
Severity: Minor
Exploits Known: No
Reported On: June 13, 2012
Reported By: Steve Davies
Posted On: July 5, 2012
Last Updated On: July 5, 2012
Advisory Contact: Terry Wilson

Description: If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP

Resolution: A re-invite that receives a provisional response without a final response is detected and properly cleaned up at

Affected Versions (Product, Release Series)

  • Asterisk Open Source 1.8.x: All versions
  • Asterisk Open Source 10.x: All versions
  • Asterisk Business Edition C.3.x: All versions
  • Certified Asterisk 1.8.11-certx: All versions
  • Asterisk Digiumphones 10.x.x-digiumphones: All versions

Corrected In (Product, Release)

  • Asterisk Open Source, 10.5.2
  • Asterisk Business Edition C.3.7.5
  • Certified Asterisk 1.8.11-cert4
  • Asterisk Digiumphones 10.5.2-digiumphones

URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff Asterisk
http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff Asterisk

Links https://issues.asterisk.org/jira/browse/ASTERISK-19992

Asterisk Project Security Advisories are posted at

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2012-010.pdf and

Revision History
Date Editor Revisions Made
06/27/2012 Terry Wilson Initial Release

Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
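
The condition AST-2012-010 describes (a re-invite answered with a provisional response and then nothing) can be looked for from the monitoring side. The following is an added example, not code from the advisory or from Asterisk; the event structure, the function name and the sample trace are all constructed for illustration, and the trace is assumed to contain only re-INVITE transactions.

```c
#include <stdio.h>
#include <string.h>

/* One SIP message seen for a dialog. Field names are illustrative. */
struct sip_event {
    const char *call_id; /* dialog identifier */
    unsigned    cseq;    /* CSeq of the re-INVITE transaction */
    int         status;  /* 0 = re-INVITE request, otherwise response code */
    long        t;       /* timestamp in seconds */
};

/* Constructed sample trace, not captured traffic. */
const struct sip_event SAMPLE[] = {
    { "call-a", 2,   0,   0 }, { "call-a", 2, 100,   0 }, { "call-a", 2, 200, 1 },
    { "call-b", 2,   0,   5 }, { "call-b", 2, 100,   5 },  /* 1xx, then silence */
    { "call-c", 3,   0,  10 },                              /* no response at all */
    { "call-d", 2,   0, 100 }, { "call-d", 2, 180, 100 },  /* still recent */
};
const size_t SAMPLE_N = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

/* Collect Call-IDs whose re-INVITE got a provisional (1xx) response but no
 * final (>= 200) response and is older than max_age seconds at time now. */
size_t find_stalled_reinvites(const struct sip_event *ev, size_t n, long now,
                              long max_age, const char **out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].status != 0)
            continue;                       /* start only from a request */
        int provisional = 0, final_seen = 0;
        for (size_t j = i + 1; j < n; j++) {
            if (ev[j].cseq != ev[i].cseq || strcmp(ev[j].call_id, ev[i].call_id))
                continue;                   /* different transaction */
            provisional |= ev[j].status >= 100 && ev[j].status < 200;
            final_seen  |= ev[j].status >= 200;
        }
        if (provisional && !final_seen && now - ev[i].t > max_age && found < max_out)
            out[found++] = ev[i].call_id;
    }
    return found;
}

int main(void)
{
    const char *stalled[4];
    size_t n = find_stalled_reinvites(SAMPLE, SAMPLE_N, 120, 60, stalled, 4);
    for (size_t i = 0; i < n; i++)
        printf("stalled re-INVITE on %s\n", stalled[i]);
    return 0;
}
```

A steadily growing count of such transactions from one authenticated peer, alongside shrinking free RTP port capacity, is the signal that matches the resource leak described in the advisory.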

Open Source Realtime Dinner in Barcelona – June 13th


I will be running an Asterisk SIP Masterclass – the last one – in Barcelona in June. During this week, I will organize a dinner for everyone working with or interested in Asterisk, Kamailio and other Open Source platforms for realtime communication. It’s June 13th somewhere in Barcelona – location will be announced later. You pay for your own dinner (unless we can find sponsors) and enjoy the geeky company for free!

To join the event, use this Facebook event https://www.facebook.com/events/307548349321608/

See you in Barcelona!


Heap Buffer Overflow in Skinny Channel Driver

In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.

The length of the buffer is now checked before appending a value to the end of the buffer.
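
The class of fix described above, as an added example that is not Asterisk's chan_skinny code: a heap-allocated digit buffer whose append routine checks the remaining space before writing. The structure, function names, capacity and input string are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical digit queue; field names and capacity are illustrative. */
struct dtmf_queue {
    char  *buf;  /* heap buffer holding a NUL-terminated digit string */
    size_t cap;  /* allocated bytes, terminator included */
    size_t len;  /* digits currently stored */
};

/* The flaw class described above is an append with no length check:
 *     q->buf[q->len++] = digit;
 * The hardened form rejects non-DTMF bytes and refuses to write once only
 * the terminator slot is left. Returns 0 on success, -1 on rejection. */
int dtmf_append_checked(struct dtmf_queue *q, char digit)
{
    if (digit == '\0' || !strchr("0123456789*#ABCD", digit))
        return -1;
    if (!q->buf || q->len + 1 >= q->cap)
        return -1;
    q->buf[q->len++] = digit;
    q->buf[q->len] = '\0';
    return 0;
}

/* Feed n keypad events; return how many were rejected. */
size_t feed_events(struct dtmf_queue *q, const char *events, size_t n)
{
    size_t dropped = 0;
    for (size_t i = 0; i < n; i++)
        dropped += dtmf_append_checked(q, events[i]) != 0;
    return dropped;
}

int main(void)
{
    struct dtmf_queue q = { calloc(16, 1), 16, 0 };
    const char events[] = "1234567890*#1234567890"; /* constructed input */
    if (!q.buf)
        return 1;
    size_t dropped = feed_events(&q, events, strlen(events));
    printf("stored=%zu dropped=%zu digits=%s\n", q.len, dropped, q.buf);
    free(q.buf);
    return 0;
}
```

Counting rejected events, rather than dropping them silently, gives operators something to alert on when a device sends far more digits than any dial plan needs.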

Affected Versions (Product, Release Series):

  • Asterisk Open Source 1.6.2.x: All Versions
  • Asterisk Open Source 1.8.x: All Versions
  • Asterisk Open Source 10.x: All Versions

Corrected In Product Release:

  • Asterisk Open Source,, 10.3.1