[SECURITY] Fedora 13 Update: asterisk-1.6.2.16.1-1.fc13

updates at fedoraproject.org
Thu Feb 3 20:24:13 UTC 2011


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-0794
2011-01-26 20:37:21
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 13
Version     : 1.6.2.16.1
Release     : 1.fc13
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

Update to 1.6.2.16.1 to fix CVE-2011-0495.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 25 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced security releases for the following
- versions of Asterisk:
-
- * 1.4.38.1
- * 1.4.39.1
- * 1.6.1.21
- * 1.6.2.15.1
- * 1.6.2.16.1
- * 1.8.1.2
- * 1.8.2.1
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2,
- 1.8.1.2, and 1.8.2.1 resolve an issue when forming an outgoing SIP request while
- in pedantic mode, which can cause a stack buffer to be made to overflow if
- supplied with carefully crafted caller ID information. The issue and resolution
- are described in the AST-2011-001 security advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-001, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.38.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.39.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.21
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.1.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.1
-
- Security advisory AST-2011-001 is available at:
-
- http://downloads.asterisk.org/pub/security/AST-2011-001.pdf
* Tue Jan 25 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk 1.6.2.16.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.16 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * Fix cache of device state changes for multiple servers.
-  (Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
-  by russellb)
-
- * Resolve issue where channel redirect function (CLI or AMI) hangs up the call
-  instead of redirecting the call.
-  (Closes issue #18171. Reported by: SantaFox)
-  (Closes issue #18185. Reported by: kwemheuer)
-  (Closes issue #18211. Reported by: zahir_koradia)
-  (Closes issue #18230. Reported by: vmarrone)
-  (Closes issue #18299. Reported by: mbrevda)
-  (Closes issue #18322. Reported by: nerbos)
-
- * Linux and *BSD disagree on the elements within the ucred structure. Detect
-  which one is in use on the system.
-  (Closes issue #18384. Reported, patched, tested by bjm, tilghman)
-
- * app_followme: Don't create a Local channel if the target extension does not
-  exist.
-  (Closes issue #18126. Reported, patched by junky)
-
- * Revert code that changed SSRC for DTMF.
-  (Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou, rsw686.
-  Tested by cmbaker82)
-
- * Resolve issue where, when a REGISTER request with a Call-ID matching an
-  existing transaction was received, it was possible that the REGISTER request
-  would overwrite the initreq of the private structure.
-  (Closes issue #18051. Reported by eeman. Patched, tested by twilson)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16
* Tue Jan 25 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk 1.6.2.15.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.15 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * When using chan_skinny, don't crash when parking a non-bridged call.
-   (Closes issue #17680. Reported, tested by jmhunter. Patched, tested by DEA)
-
- * Add ability for Asterisk to try both the encoded and unencoded subscription
-   URI for a match in hints.
-   (Closes issue #17785. Reported, tested by ramonpeek. Patched by tilghman)
-
- * Set the caller id on CDRs when it is set on the parent channel.
-   (Closes issue #17569. Reported, patched by tbelder)
-
- * Ensure user portion of SIP URI matches dialplan when using encoded characters
-   (Closes issue #17892. Reported by wdoekes. Patched by jpeeler)
-
- * Resolve issue where Party A in an analog 3-way call would continue to hear
-   ringback after party C answers.
-   (Patched by rmudgett)
-
- * Fix problem with qualify option packets for realtime peers never stopping.
-   The option packets not only never stopped, but if a realtime peer was not in
-   the peer list multiple options dialogs could accumulate over time.
-   (Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
-   jpeeler)
-
- * Multiple fixes related to Local channels.
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.15
* Tue Jan 25 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.16.1-1
-
- The Asterisk Development Team has announced the release of Asterisk
- 1.6.2.14.  This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.6.2.14 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
-  * Fix issue where session timers would be advertised as supported even
-   when session-timers=refuse was set in sip.conf. Also fix
-   interoperability problems with session timer behavior in Asterisk.
-   (Closes issue #17005. Reported by alexcarey. Patched by dvossel)
-
-  * Parse all "Accept" headers for SIP SUBSCRIBE requests.
-   (Closes issue #17758. Reported by ibc. Patched by dvossel)
-
-  * Fix issue where queue stats would be reset on reload.
-   (Closes issue #17535. Reported by raarts. Patched by tilghman)
-
-  * Fix issue where MoH files were no longer rescanned during a
-   reload.
-   (Closes issue #16744. Reported by pj. Patched by Qwell)
-
-  * Fix issue with dialplan pattern matching where the specificity for
-   pattern ranges and pattern characters was inconsistent.
-   (Closes issue #16903. Reported, patched by Nick_Lewis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.14
* Fri Oct  8 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.14-0.1.rc1
- The release of Asterisk 1.6.2.14-rc1 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
-  * Fix issue where session timers would be advertised as supported even when
-    session-timers=refuse was set in sip.conf. Also fix  interoperability
-    problems with session timer behavior in Asterisk.
-    (Closes issue #17005. Reported by alexcarey. Patched by dvossel)
-
-  * Fix issue with decoding ^-escaped characters in realtime (res_pgsql).
-    (Closes issue #17790. Reported by denzs. Patched by Qwell)
-
-  * Parse all "Accept" headers for SIP SUBSCRIBE requests.
-    (Closes issue #17758. Reported by ibc. Patched by dvossel)
-
-  * Fix issue where queue stats would be reset on reload.
-    (Closes issue #17535. Reported by raarts. Patched by tilghman)
-
-  * Fix issue where MoH files were no longer rescanned during a reload.
-    (Closes issue #16744. Reported by pj. Patched by Qwell)
-
-  * Fix issue with dialplan pattern matching where the specificity for pattern
-    ranges and pattern characters was inconsistent.
-    (Closes issue #16903. Reported, patched by Nick_Lewis)
-
- For a full list of changes in the current release candidate, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.14-rc1

- This release resolves an issue where the .version and ChangeLog files were not
- updated for 1.6.2.12. Asterisk 1.6.2.13 has no additional changes from 1.6.2.12
- other than the .version, ChangeLog and summary files.
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.13

- The release of Asterisk 1.6.2.12 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
-     * Fix issue where DNID does not get cleared on a new call when using
-       immediate=yes with ISDN signaling.
-       (Closes issue #17568. Reported by wuwu. Patched by rmudgett)
-     * Several updates to res_config_ldap.
-       (Closes issue #13573. Reported by navkumar. Patched by navkumar, bencer.
-       Tested by suretec)
-     * Prevent loss of Caller ID information set on local channel after masquerade.
-       (Closes issue #17138. Reported by kobaz, patched by jpeeler)
-     * Fix SIP peers memory leak.
-       (Closes issue #17774. Reported, patched by kkm)
-     * Add Danish support to say.conf.sample
-       (Closes issue #17836. Reported, patched by RoadKill)
-     * Ensure SSRC is changed when media source is changed to resolve audio delay.
-       (Closes issue #17404. Reported, tested by sdolloff. Patched by jpeeler)
-     * Only do magic pickup when notifycid is enabled.
-       A new way of doing BLF pickup was introduced into 1.6.2. This feature adds a
-       call-id value into the XML of a SIP_NOTIFY message sent to alert a subscriber
-       that a device is ringing. This option should only be enabled when the new
-       'notifycid' option is set, but this was not the case. Instead the call-id
-       value was included for every RINGING Notify message, which caused a
-       regression for people who used other methods for call pickup.
-       (Closes issue #17633. Reported, patched by urosh. Patched by dvossel.
-       Tested by: dvossel, urosh, okrief, alecdavis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.12
* Tue Aug 24 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.12-0.1.rc1
- The release of Asterisk 1.6.2.12-RC1 resolves several issues reported by the
- community and would not have been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
-  * Fix issue where DNID does not get cleared on a new call when using
-    immediate=yes with ISDN signaling.
-    (Closes issue #17568. Reported by wuwu. Patched by rmudgett)
-
-  * Several updates to res_config_ldap.
-    (Closes issue #13573. Reported by navkumar. Patched by navkumar, bencer.
-     Tested by suretec)
-
-  * Prevent loss of Caller ID information set on local channel after masquerade.
-    (Closes issue #17138. Reported by kobaz, patched by jpeeler)
-
-  * Fix SIP peers memory leak.
-    (Closes issue #17774. Reported, patched by kkm)
-
-  * Add Danish support to say.conf.sample
-    (Closes issue #17836. Reported, patched by RoadKill)
-
-  * Ensure SSRC is changed when media source is changed to resolve audio delay.
-    (Closes issue #17404. Reported, tested by sdolloff. Patched by jpeeler)
-
-  * Only do magic pickup when notifycid is enabled.
-    A new way of doing BLF pickup was introduced into 1.6.2. This feature adds a
-    call-id value into the XML of a SIP_NOTIFY message sent to alert a subscriber
-    that a device is ringing. This option should only be enabled when the new
-    'notifycid' option is set, but this was not the case. Instead the call-id
-    value was included for every RINGING Notify message, which caused a
-    regression for people who used other methods for call pickup.
-    (Closes issue #17633. Reported, patched by urosh. Patched by dvossel.
-     Tested by: dvossel, urosh, okrief, alecdavis)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.12-rc1
* Wed Aug 11 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.11-1
-
- The following are a few of the issues resolved by community developers:
-
-  * Send DialPlanComplete as a response, not as a separate event. Otherwise, it
-    goes to all manager sessions and may exclude the current session, if the
-    Events mask excludes it.
-    (Closes issue #17504. Reported, patched by rrb3942)
-
-  * Allow the "useragent" value to be restored into memory from the realtime
-    backend. This value is purely informational. It does not alter configuration
-    at all.
-    (Closes issue #16029. Reported, patched by Guggemand)
-
-  * Fix rt(c)p set debug ip taking wrong argument. Also clean up some coding
-    errors.
-    (Closes issue #17469. Reported, patched by wdoekes)
-
-  * Ensure channel placed in meetme in ringing state is properly hung up. An
-    outgoing channel placed in meetme while still ringing which was then hung up
-    would not exit meetme and the channel was not properly destroyed.
-    (Closes issue #15871. Reported, patched by Ivan)
-
-  * Correct how 100, 200, 300, etc. is said. Also add the crazy British numbers.
-    (Closes issue #16102. Reported, patched by Delvar)
-
-  * cdr_pgsql does not detect when a table is found. This change adds an ERROR
-    message to let you know when a failure exists to get the columns from the
-    pgsql database, which typically means that the table does not exist.
-    (Closes issue #17478. Reported, patched by kobaz)
-
-  * Avoid crashing when installing a duplicate translation path with a lower
-    cost.
-    (Closes issue #17092. Reported, patched by moy)
-
-  * Add missing handling for ringing state for use with queue empty options.
-    (Closes issue #17471. Reported, patched by jazzy)
-
-  * Fix reporting estimated queue hold time. Just say the number of seconds
-    (after minutes) rather than doing some incorrect calculation with respect to
-    minutes.
-    (Closes issue #17498. Reported, patched by corruptor)
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.11
* Sat Jul 31 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.10-1
-
- The following are a few of the issues resolved by community developers:
-
-  * Allow users to specify a port for DUNDI peers.
-    (Closes issue #17056. Reported, patched by klaus3000)
-
-  * Decrease the module ref count in sip_hangup when SIP_DEFER_BYE_ON_TRANSFER is
-    set.
-    (Closes issue #16815. Reported, patched by rain)
-
-  * If there is realtime configuration, it does not get re-read on reload unless
-    the config file also changes.
-    (Closes issue #16982. Reported, patched by dmitri)
-
-  * Send AgentComplete manager event for attended transfers.
-    (Closes issue #16819. Reported, patched by elbriga)
-
-  * Correct manager variable 'EventList' case.
-    (Closes issue #17520. Reported, patched by kobaz)
-
- In addition, changes to res_timing_pthread that should make it more stable have
- also been implemented.
-
- For a full list of changes in the current release, please see the
- ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.10
* Wed Jul 14 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.8-0.3.rc1
- Add patch to remove requirement on latex2html
* Tue Jun  1 2010 Marcela Maslanova <mmaslano at redhat.com> - 1.6.2.8-0.2.rc1
- Mass rebuild with perl-5.12.0
* Tue May  4 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.7-1
-  * Fix building CDR and CEL SQLite3 modules.
-    (Closes issue #17017. Reported by alephlg. Patched by seanbright)
-
-  * Resolve crash in SLAtrunk when the specified trunk doesn't exist.
-    (Reported in #asterisk-dev by philipp64. Patched by seanbright)
-
-  * Include an extra newline after "Aliased CLI command" to get back the prompt.
-    (Issue #16978. Reported by jw-asterisk. Tested, patched by seanbright)
-
-  * Prevent segfault if bad magic number is encountered.
-    (Issue #17037. Reported, patched by alecdavis)
-
-  * Update code to reflect that handle_speechset has 4 arguments.
-    (Closes issue #17093. Reported, patched by gpatri. Tested by pabelanger,
-     mmichelson)
-
-  * Resolve a deadlock in chan_local.
-    (Closes issue #16840. Reported, patched by bzing2, russell. Tested by bzing2)
* Mon May  3 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.7-0.2.rc3
- Update to 1.6.2.7-rc3
* Thu Apr 15 2010 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.6.2.7-0.1.rc2
- Update to 1.6.2.7-rc2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #670777 - CVE-2011-0495 Asterisk: Stack-based buffer overflow by forming an outgoing SIP request with specially-crafted caller ID information (AST-2011-001)
        https://bugzilla.redhat.com/show_bug.cgi?id=670777
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
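An added check, not part of this Fedora notification or of the Asterisk project: a small Python helper that decides whether a given Asterisk version string (the upstream part of the RPM version, e.g. 1.6.2.16.1) is one of the AST-2011-001 security releases listed in the changelog above, or a later release on the same branch. The branch rule, and the "cannot say" result for branches the advisory does not name, are assumptions made here.

```python
"""Decide whether an Asterisk version string carries the AST-2011-001 fix.

Added illustration, not Fedora or Asterisk project code. The fixed-release
list is the one quoted in the update notification; the rule that a later
release on the same branch is also fixed is an assumption made here.
"""
import re

# Security releases named in the AST-2011-001 announcement, keyed by branch.
FIXED_RELEASES = {
    "1.4": ["1.4.38.1", "1.4.39.1"],
    "1.6.1": ["1.6.1.21"],
    "1.6.2": ["1.6.2.15.1", "1.6.2.16.1"],
    "1.8": ["1.8.1.2", "1.8.2.1"],
}


def parse_version(ver):
    """Turn '1.6.2.16.1-1.fc13' into (1, 6, 2, 16, 1); the RPM release is ignored."""
    upstream = ver.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError("unrecognised Asterisk version: %r" % ver)
    return tuple(int(p) for p in upstream.split("."))


def branch_of(parts):
    """Map a parsed version to the branch keys used above (1.6 has two branches)."""
    if parts[:2] == (1, 6):
        return "1.6.%d" % parts[2] if len(parts) > 2 else None
    return "%d.%d" % parts[:2] if len(parts) >= 2 else None


def is_fixed(ver):
    """True if ver is a listed security release or newer than its branch's last one.

    An exact match is required for the point releases because, for example,
    1.6.2.16 is vulnerable even though it sorts above 1.6.2.15.1: only
    1.6.2.15.1 itself, 1.6.2.16.1 and anything later on the branch are safe.
    Returns None for a branch the advisory does not cover.
    """
    parts = parse_version(ver)
    branch = branch_of(parts)
    if branch not in FIXED_RELEASES:
        return None
    fixed = [parse_version(v) for v in FIXED_RELEASES[branch]]
    if parts in fixed:
        return True
    return parts > max(fixed)


if __name__ == "__main__":
    # Constructed sample inputs: the Fedora package version and a few neighbours.
    for sample in ["1.6.2.16.1-1.fc13", "1.6.2.16", "1.6.2.15.1", "1.8.2", "1.2.40"]:
        print(sample, "->", is_fixed(sample))
```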

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

