[SECURITY] Fedora 16 Update: asterisk-1.8.15.1-1.fc16

updates at fedoraproject.org updates at fedoraproject.org
Mon Sep 17 17:46:45 UTC 2012 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-13437
2012-09-07 10:40:36
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 16
Version     : 1.8.15.1
Release     : 1.fc16
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
resolve the following two issues:

* A permission escalation vulnerability in Asterisk Manager Interface.  This
  would potentially allow remote authenticated users the ability to execute
  commands on the system shell with the privileges of the user running the
  Asterisk application.  Please note that the README-SERIOUSLY.bestpractices.txt
  file delivered with Asterisk has been updated due to this and other related
  vulnerabilities fixed in previous versions of Asterisk.

* When an IAX2 call is made using the credentials of a peer defined in a
  dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
  peer are not applied to the call attempt. This allows for a remote attacker
  who is aware of a peer's credentials to bypass the ACL rules set for that
  peer.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2012-012 and AST-2012-013, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
 * http://downloads.asterisk.org/pub/security/AST-2012-013.pdf

--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep  4 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.15.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
- resolve the following two issues:
-
- * A permission escalation vulnerability in Asterisk Manager Interface.  This
-   would potentially allow remote authenticated users the ability to execute
-   commands on the system shell with the privileges of the user running the
-   Asterisk application.  Please note that the README-SERIOUSLY.bestpractices.txt
-   file delivered with Asterisk has been updated due to this and other related
-   vulnerabilities fixed in previous versions of Asterisk.
-
- * When an IAX2 call is made using the credentials of a peer defined in a
-   dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
-   peer are not applied to the call attempt. This allows for a remote attacker
-   who is aware of a peer's credentials to bypass the ACL rules set for that
-   peer.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-012 and AST-2012-013, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
* Tue Sep  4 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.15.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.15.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.15.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix deadlock potential with ast_set_hangupsource() calls.
-   (Closes issue ASTERISK-19801. Reported by Alec Davis)
-
- * --- Fix request routing issue when outboundproxy is used.
-   (Closes issue ASTERISK-20008. Reported by Marcus Hunger)
-
- * --- Make the address family filter specific to the transport.
-   (Closes issue ASTERISK-16618. Reported by Leif Madsen)
-
- * --- Fix NULL pointer segfault in ast_sockaddr_parse()
-   (Closes issue ASTERISK-20006. Reported by Michael L. Young)
-
- * --- Do not perform install on existing directories
-   (Closes issue ASTERISK-19492. Reported by Karl Fife)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.15.0
* Tue Sep  4 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.14.1-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.14.1.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.14.1 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Remove a superfluous and dangerous freeing of an SSL_CTX.
-   (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.14.1
* Tue Sep  4 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.14.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.14.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.14.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- format_mp3: Fix a possible crash in mp3_read().
-   (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)
-
- * --- Fix local channel chains optimizing themselves out of a call.
-   (Closes issue ASTERISK-16711. Reported by Alec Davis)
-
- * --- Update a peer's LastMsgsSent when the peer is notified of
-       waiting messages
-   (Closes issue ASTERISK-17866. Reported by Steve Davies)
-
- * --- Prevent sip_pvt refleak when an ast_channel outlasts its
-       corresponding sip_pvt.
-   (Closes issue ASTERISK-19425. Reported by David Cunningham)
-
- * --- Send more accurate identification information in dialog-info SIP
-       NOTIFYs.
-   (Closes issue ASTERISK-16735. Reported by Maciej Krajewski)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.14.0
* Tue Sep  4 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.13.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones
- resolve the following two issues:
-
- * If Asterisk sends a re-invite and an endpoint responds to the re-invite with
-   a provisional response but never sends a final response, then the SIP dialog
-   structure is never freed and the RTP ports for the call are never released. If
-   an attacker has the ability to place a call, they could create a denial of
-   service by using all available RTP ports.
-
- * If a single voicemail account is manipulated by two parties simultaneously,
-   a condition can occur where memory is freed twice causing a crash.
-
- These issues and their resolution are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-010 and AST-2012-011, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-011.pdf
* Tue Sep  4 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.13.0-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.13.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.13.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Turn off warning message when bind address is set to any.
-   (Closes issue ASTERISK-19456. Reported by Michael L. Young)
-
- * --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
-       machines
-   (Closes issue ASTERISK-19727. Reported by Ben Klang)
-
- * --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
-       before disconnecting the call.
-   (Closes issue ASTERISK-19708. Reported by mehdi Shirazi)
-
- * --- Fix recalled party B feature flags for a failed DTMF atxfer.
-   (Closes issue ASTERISK-19383. Reported by lgfsantos)
-
- * --- Fix DTMF atxfer running h exten after the wrong bridge ends.
-   (Closes issue ASTERISK-19717. Reported by Mario)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.13.0
* Wed May 30 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.12.2-1
- The Asterisk Development Team has announced the release of Asterisk 1.8.12.2.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.12.2 resolves an issue reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is the issue resolved in this release:
-
- * --- Resolve crash in subscribing for MWI notifications
-  (Closes issue ASTERISK-19827. Reported by B. R)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.2
* Wed May 30 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.12.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
- released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following
- two issues:
-
- * A remotely exploitable crash vulnerability exists in the IAX2 channel
-  driver if an established call is placed on hold without a suggested music
-  class. Asterisk will attempt to use an invalid pointer to the music
-  on hold class name, potentially causing a crash.
-
- * A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
-  Channel driver. When an SCCP client closes its connection to the server,
-  a pointer in a structure is set to NULL.  If the client was not in the
-  on-hook state at the time the connection was closed, this pointer is later
-  dereferenced. This allows remote authenticated connections the ability to
-  cause a crash in the server, denying services to legitimate users.
-
- These issues and their resolution are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-007 and AST-2012-008, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-007.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-008.pdf
* Thu May  3 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.12.0-1:
- The Asterisk Development Team has announced the release of Asterisk 1.8.12.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 1.8.12.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- * --- Prevent chanspy from binding to zombie channels
-  (Closes issue ASTERISK-19493. Reported by lvl)
-
- * --- Fix Dial m and r options and forked calls generating warnings
-      for voice frames.
-  (Closes issue ASTERISK-16901. Reported by Chris Gentle)
-
- * --- Remove ISDN hold restriction for non-bridged calls.
-  (Closes issue ASTERISK-19388. Reported by Birger Harzenetter)
-
- * --- Fix copying of CDR(accountcode) to local channels.
-  (Closes issue ASTERISK-19384. Reported by jamicque)
-
- * --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
-  (Closes issue ASTERISK-19303. Reported by Jon Tsiros)
-
- * --- Eliminate double close of file descriptor in manager.c
-  (Closes issue ASTERISK-18453. Reported by Jaco Kroon)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.0
* Tue Apr 24 2012 Jeffrey Ollie <jeff at ocjtech.us> - 1.8.11.1-1:
- The Asterisk Development Team has announced security releases for Asterisk 1.6.2,
- 1.8, and 10. The available security releases are released as versions 1.6.2.24,
- 1.8.11.1, and 10.3.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the following two
- issues:
-
-  * A permission escalation vulnerability in Asterisk Manager Interface.  This
-   would potentially allow remote authenticated users the ability to execute
-   commands on the system shell with the privileges of the user running the
-   Asterisk application.
-
-  * A heap overflow vulnerability in the Skinny Channel driver.  The keypad
-   button message event failed to check the length of a fixed length buffer
-   before appending a received digit to the end of that buffer.  A remote
-   authenticated user could send sufficient keypad button message events that the
-   buffer would be overrun.
-
- In addition, the release of Asterisk 1.8.11.1 and 10.3.1 resolve the following
- issue:
-
-  * A remote crash vulnerability in the SIP channel driver when processing UPDATE
-   requests.  If a SIP UPDATE request was received indicating a connected line
-   update after a channel was terminated but before the final destruction of the
-   associated SIP dialog, Asterisk would attempt a connected line update on a
-   non-existing channel, causing a crash.
-
- These issues and their resolution are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.24
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.11.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.3.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2012-004.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-005.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2012-006.pdf
* Fri Mar 30 2012 Russell Bryant <russell at russellbryant.net> - 1.8.11.0-1
- Update to 1.8.11.0
* Sat Mar 17 2012 Russell Bryant <russell at russellbryant.net> - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP digest
  authentication handling.
- Diable build of SRTP on ppc64, as it doesn't build right now.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Fri Dec  9 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.7.2-1
- The Asterisk Development Team has announced security releases for Asterisk 1.4,
- 1.6.2 and 1.8. The available security releases are released as versions 1.4.43,
- 1.6.2.21 and 1.8.7.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk versions 1.4.43, 1.6.2.21, and 1.8.7.2 resolves an issue
- with possible remote enumeration of SIP endpoints with differing NAT settings.
-
- The release of Asterisk versions 1.6.2.21 and 1.8.7.2 resolves a remote crash
- possibility with SIP when the "automon" feature is enabled.
-
- The issues and resolutions are described in the AST-2011-013 and AST-2011-014
- security advisories.
-
- For more information about the details of these vulnerabilities, please read the
- security advisories AST-2011-013 and AST-2011-014, which were released at the
- same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.43
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.21
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.2
-
- Security advisory AST-2011-013 is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2011-013.pdf
-
- Security advisory AST-2011-014 is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2011-014.pdf
* Thu Nov 17 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
-  (Closes issue ASTERISK-18663)
-  Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
-  (Closes issue ASTERISK-18747)
-  Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already enabled
-  by default.
-  (Closes issue ASTERISK-18738)
-  Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov  8 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012) ---
-  http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
-  (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory Nietsky)
-  (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by Gregory
- Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
-  (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
-  (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by Terry
- Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
-  (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry Wilson)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov  8 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
-  * Updated SIP 484 handling; added Incomplete control frame
-   When a SIP phone uses the dial application and receives a 484 Address
-   Incomplete response, if overlapped dialing is enabled for SIP, then the 484
-   Address Incomplete is forwarded back to the SIP phone and the HANGUPCAUSE
-   channel variable is set to 28. Previously, the Incomplete application
-   dialplan logic was automatically triggered; now, explicit dialplan usage of
-   the application is required.
-   (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
-    Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
-  * Prevent IAX2 from getting IPv6 addresses via DNS IAX2 does not support IPv6
-   and getting such addresses from DNS can cause error messages on the remote
-   end involving bad IPv4 address casts in the presence of IPv6/IPv4 tunnels.
-   (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
-  * Fix bad RTP media bridges in directmedia calls on peers separated by multiple
-   Asterisk nodes.
-   (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
-    ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
-  * Fix crashes in ast_rtcp_write()
-   (Closes issue ASTERISK-18570)
-   Related issues that look like they are the same problem:
-   (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
-    ASTERISK-9977, ASTERISK-9716)
-   Review: https://reviewboard.asterisk.org/r/1444/
-   Patched by: Russell Bryant
-
-  * Fix for incorrect voicemail duration in external notifications.
-   This patch fixes an issue where the voicemail duration was being reported
-   with a duration significantly less than the actual sound file duration.
-   (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad House,
-    Karsten Wemheuer, KevinH Tested by: Matt Jordan
-    Review: https://reviewboard.asterisk.org/r/1443)
-
-  * Prevent segfault if call arrives before Asterisk is fully booted.
-   (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
-    Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #853541 - CVE-2012-2186 Asterisk: Asterisk Manager User Unauthorized Shell Access
        https://bugzilla.redhat.com/show_bug.cgi?id=853541
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list