[SECURITY] Fedora 16 Update: asterisk-1.8.10.1-1.fc16
updates at fedoraproject.org
updates at fedoraproject.org
Sat Mar 31 03:16:38 UTC 2012
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4318
2012-03-21 01:56:06
--------------------------------------------------------------------------------
Name : asterisk
Product : Fedora 16
Version : 1.8.10.1
Release : 1.fc16
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
--------------------------------------------------------------------------------
Update Information:
Update to 1.8.10.1, which fixes 2 security vulnerabilities.
--------------------------------------------------------------------------------
ChangeLog:
* Sat Mar 17 2012 Russell Bryant <russell at russellbryant.net> - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP digest
authentication handling.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Thu Nov 17 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
- (Closes issue ASTERISK-18663)
- Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
- (Closes issue ASTERISK-18747)
- Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already enabled
- by default.
- (Closes issue ASTERISK-18738)
- Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov 8 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012) ---
- http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
- (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory Nietsky)
- (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by Gregory
- Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
- (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
- (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by Terry
- Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
- (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry Wilson)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov 8 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Updated SIP 484 handling; added Incomplete control frame
- When a SIP phone uses the dial application and receives a 484 Address
- Incomplete response, if overlapped dialing is enabled for SIP, then the 484
- Address Incomplete is forwarded back to the SIP phone and the HANGUPCAUSE
- channel variable is set to 28. Previously, the Incomplete application
- dialplan logic was automatically triggered; now, explicit dialplan usage of
- the application is required.
- (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
- Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
- * Prevent IAX2 from getting IPv6 addresses via DNS IAX2 does not support IPv6
- and getting such addresses from DNS can cause error messages on the remote
- end involving bad IPv4 address casts in the presence of IPv6/IPv4 tunnels.
- (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
- * Fix bad RTP media bridges in directmedia calls on peers separated by multiple
- Asterisk nodes.
- (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
- ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
- * Fix crashes in ast_rtcp_write()
- (Closes issue ASTERISK-18570)
- Related issues that look like they are the same problem:
- (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
- ASTERISK-9977, ASTERISK-9716)
- Review: https://reviewboard.asterisk.org/r/1444/
- Patched by: Russell Bryant
-
- * Fix for incorrect voicemail duration in external notifications.
- This patch fixes an issue where the voicemail duration was being reported
- with a duration significantly less than the actual sound file duration.
- (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad House,
- Karsten Wemheuer, KevinH Tested by: Matt Jordan
- Review: https://reviewboard.asterisk.org/r/1443)
-
- * Prevent segfault if call arrives before Asterisk is fully booted.
- (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
- Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #804038 - CVE-2012-1183 asterisk: Stack-based buffer overwrite by processing large audio packet in Miliwatt application (AST-2012-002)
https://bugzilla.redhat.com/show_bug.cgi?id=804038
[ 2 ] Bug #804042 - CVE-2012-1184 asterisk: Stack-based buffer overflow by processing certain HTTP Digest Authentication headers (AST-2012-003)
https://bugzilla.redhat.com/show_bug.cgi?id=804042
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list