[SECURITY] Fedora 16 Update: asterisk-1.8.10.1-1.fc16

updates at fedoraproject.org updates at fedoraproject.org
Sat Mar 31 03:16:38 UTC 2012 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4318
2012-03-21 01:56:06
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 16
Version     : 1.8.10.1
Release     : 1.fc16
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

Update to 1.8.10.1, which fixes 2 security vulnerabilities.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 17 2012 Russell Bryant <russell at russellbryant.net> - 1.8.10.1-1
- Update to 1.8.10.1 from upstream.
- Fix remote stack overflow in app_milliwatt.
- Fix remote stack overflow, including possible code injection, in HTTP digest
  authentication handling.
- Resolves: rhbz#804045, rhbz#804038, rhbz#804042
* Thu Nov 17 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.4.rc4
- The Asterisk Development Team has announced the fourth release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc4 resolves a particular issue with BLF
- subscriptions. A change in Asterisk 1.8.8.0-rc3 had the potential to cause a
- segfault, and this release candidate was created to resolve that.
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc4
* Thu Nov 10 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.3.rc3
- The Asterisk Development Team has announced the third release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc3 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * Prevent BLF subscriptions from causing deadlocks.
-  (Closes issue ASTERISK-18663)
-  Review: https://reviewboard.asterisk.org/r/1563/
-
- * Fix deadlock if peer is destroyed while sending MWI notice.
-  (Closes issue ASTERISK-18747)
-  Reported by: Gregory Hinton Nietsky
-
- * Fix issue with setting defaultenabled on categories that are already enabled
-  by default.
-  (Closes issue ASTERISK-18738)
-  Reported by: Paul Belanger
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc3
* Tue Nov  8 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.2.rc2
- The Asterisk Development Team has announced the second release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc2 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
- * --- Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012) ---
-  http://downloads.asterisk.org/pub/security/AST-2011-012.pdf
-
- * --- Fix locking order in app_queue.c which caused deadlocks ---
-  (Closes issue ASTERISK-18101. Reported by Paul Rolfe, patched by Gregory Nietsky)
-  (Closes issue ASTERISK-18487. Reported by Jason Legault, patched by Gregory
- Nietsky)
-
- * --- Fix regression in configure script for libpri capability checks ---
-  (Closes issue ASTERISK-18687. Reported by norbert, patched by Richard Mudgett)
-
- * --- Properly ignore AST_CONTROL_UPDATE_RTP_PEER in more places ---
-  (Closes issue ASTERISK-18610. Reported by Kristijan_Vrban, patched by Terry
- Wilson, and again by Kristijan_Vrban)
-
- * --- Fix issue with removing peers by IP ---
-  (Closes issue ASTERISK-18696. Reported by rsw686, patched by Terry Wilson)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc2
* Tue Nov  8 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.8.0-0.1.rc1
- The Asterisk Development Team announces the first release candidate of
- Asterisk 1.8.8.0. This release candidate is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/
-
- The release of Asterisk 1.8.8.0-rc1 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release candidate:
-
-  * Updated SIP 484 handling; added Incomplete control frame
-   When a SIP phone uses the dial application and receives a 484 Address
-   Incomplete response, if overlapped dialing is enabled for SIP, then the 484
-   Address Incomplete is forwarded back to the SIP phone and the HANGUPCAUSE
-   channel variable is set to 28. Previously, the Incomplete application
-   dialplan logic was automatically triggered; now, explicit dialplan usage of
-   the application is required.
-   (Closes ASTERISK-17288. Reported by: Mikael Carlsson Tested by: Matthew
-    Jordan Review: https://reviewboard.asterisk.org/r/1416/)
-
-  * Prevent IAX2 from getting IPv6 addresses via DNS IAX2 does not support IPv6
-   and getting such addresses from DNS can cause error messages on the remote
-   end involving bad IPv4 address casts in the presence of IPv6/IPv4 tunnels.
-   (Closes issue ASTERISK-18090. Patched by Kinsey Moore)
-
-  * Fix bad RTP media bridges in directmedia calls on peers separated by multiple
-   Asterisk nodes.
-   (Closes issue ASTERISK-18340. Reported by: Thomas Arimont. Closes issue
-    ASTERISK-17725. Reported by: kwk. Tested by: twilson, jrose)
-
-  * Fix crashes in ast_rtcp_write()
-   (Closes issue ASTERISK-18570)
-   Related issues that look like they are the same problem:
-   (Issue ASTERISK-17560, ASTERISK-15406, ASTERISK-15257, ASTERISK-13334,
-    ASTERISK-9977, ASTERISK-9716)
-   Review: https://reviewboard.asterisk.org/r/1444/
-   Patched by: Russell Bryant
-
-  * Fix for incorrect voicemail duration in external notifications.
-   This patch fixes an issue where the voicemail duration was being reported
-   with a duration significantly less than the actual sound file duration.
-   (Closes ASTERISK-16981. Reported by: Mary Ciuciu, Byron Clark, Brad House,
-    Karsten Wemheuer, KevinH Tested by: Matt Jordan
-    Review: https://reviewboard.asterisk.org/r/1443)
-
-  * Prevent segfault if call arrives before Asterisk is fully booted.
-   (Patched by alecdavis. https://reviewboard.asterisk.org/r/1407/)
-
- For a full list of changes in this release candidate, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0-rc1
* Mon Oct 17 2011 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
-    Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #804038 - CVE-2012-1183 asterisk: Stack-based buffer overwrite by processing large audio packet in Miliwatt application (AST-2012-002)
        https://bugzilla.redhat.com/show_bug.cgi?id=804038
  [ 2 ] Bug #804042 - CVE-2012-1184 asterisk: Stack-based buffer overflow by processing certain HTTP Digest Authentication headers (AST-2012-003)
        https://bugzilla.redhat.com/show_bug.cgi?id=804042
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list