--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4318
2012-03-21 01:56:06
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 16
Version     : 1.8.10.1
Release     : 1.fc16
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides all of
the features you would expect from a PBX and more. Asterisk does voice over IP
in three protocols, and can interoperate with almost all standards-based
telephony equipment using relatively inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

Update to 1.8.10.1, which fixes 2 security vulnerabilities.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 17 2012 Russell Bryant <russell@russellbryant.net> - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP digest
  authentication handling.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Thu Nov 17 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
- (Closes issue ASTERISK-18663)
- Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
- (Closes issue ASTERISK-18747)
- Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already enabled
- by default.
- (Closes issue ASTERISK-18738)
- Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov 8 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012) ---
- http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
- (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory Nietsky)
- (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by Gregory
- Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
- (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
- (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by Terry
- Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
- (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry Wilson)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov 8 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Updated SIP 484 handling; added Incomplete control frame
- When a SIP phone uses the dial application and receives a 484 Address
- Incomplete response, if overlapped dialing is enabled for SIP, then the 484
- Address Incomplete is forwarded back to the SIP phone and the HANGUPCAUSE
- channel variable is set to 28. Previously, the Incomplete application
- dialplan logic was automatically triggered; now, explicit dialplan usage of
- the application is required.
- (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
- Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
- * Prevent IAX2 from getting IPv6 addresses via DNS IAX2 does not support IPv6
- and getting such addresses from DNS can cause error messages on the remote
- end involving bad IPv4 address casts in the presence of IPv6/IPv4 tunnels.
- (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
- * Fix bad RTP media bridges in directmedia calls on peers separated by multiple
- Asterisk nodes.
- (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
- ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
- * Fix crashes in ast_rtcp_write()
- (Closes issue ASTERISK-18570)
- Related issues that look like they are the same problem:
- (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
- ASTERISK-9977, ASTERISK-9716)
- Review: https://reviewboard.asterisk.org/r/1444/
- Patched by: Russell Bryant
-
- * Fix for incorrect voicemail duration in external notifications.
- This patch fixes an issue where the voicemail duration was being reported
- with a duration significantly less than the actual sound file duration.
- (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad House,
- Karsten Wemheuer, KevinH Tested by: Matt Jordan
- Review: https://reviewboard.asterisk.org/r/1443)
-
- * Prevent segfault if call arrives before Asterisk is fully booted.
- (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <jeff@ocjtech.us> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
- Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8....
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #804038 - CVE-2012-1183 asterisk: Stack-based buffer overwrite by processing large audio packet in Miliwatt application (AST-2012-002)
        https://bugzilla.redhat.com/show_bug.cgi?id=804038
  [ 2 ] Bug #804042 - CVE-2012-1184 asterisk: Stack-based buffer overflow by processing certain HTTP Digest Authentication headers (AST-2012-003)
        https://bugzilla.redhat.com/show_bug.cgi?id=804042
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk'
at the command line. For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
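A check that a Fedora 16 host actually carries the fixed build, added here as an example (not part of the notification or of Fedora's tooling): it compares the installed asterisk version-release against 1.8.10.1-1.fc16 using a simplified re-implementation of rpm's rpmvercmp ordering. Assumptions: the package has no Epoch, no `~`/`^` segments are involved, and `rpm` is on PATH for the live query.

```python
import re
import subprocess

# Fixed version-release from this notification (Fedora 16).
FIXED_VR = "1.8.10.1-1.fc16"

def _segments(s):
    # rpmvercmp splits a version into runs of digits and runs of letters,
    # discarding every other character (dots, underscores, ...).
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version ordering: 1 if a is newer, -1 if older, 0 if equal.
    Assumption: no '~' or '^' segments (rpm's pre-release markers) in the input."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")      # numeric compare, no leading zeros
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1          # a numeric segment beats letters
        elif x != y:
            return 1 if x > y else -1                # both alpha: plain string order
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1            # leftover segments win

def vr_cmp(vr_a, vr_b):
    """Order 'version-release' strings as rpm does: version first, then release.
    Assumption: no Epoch on the package, so the string is just VERSION-RELEASE."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when the installed build is at or past the release fixing CVE-2012-1183/1184."""
    return vr_cmp(installed_vr, fixed_vr) >= 0

def installed_asterisk_vr():
    """Query the rpm database; None if asterisk is not installed or rpm is missing."""
    try:
        done = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "asterisk"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return done.stdout.strip()

if __name__ == "__main__":
    vr = installed_asterisk_vr()
    print("asterisk not installed" if vr is None else
          f"asterisk {vr}: {'fixed' if is_fixed(vr) else 'VULNERABLE, update needed'}")
```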
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------