[SECURITY] Fedora 19 Update: asterisk-11.5.1-2.fc19

updates at fedoraproject.org updates at fedoraproject.org
Sat Sep 14 02:37:45 UTC 2013 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-15560
2013-08-30 21:41:24
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 19
Version     : 11.5.1
Release     : 2.fc19
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

* Thu Aug 29 2013 Jeffrey Ollie <jeff at ocjtech.us> - 11.5.1-2:
- Enable hardened build BZ#954338
- Significant clean ups

* Thu Aug 29 2013 Jeffrey Ollie <jeff at ocjtech.us> - 11.5.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security releases
- are released as versions 1.8.15-cert2, 11.2-cert2, 1.8.23.1, 10.12.3, 10.12.3-digiumphones,
- and 11.5.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A remotely exploitable crash vulnerability exists in the SIP channel driver if
-   an ACK with SDP is received after the channel has been terminated. The
-   handling code incorrectly assumes that the channel will always be present.
-
- * A remotely exploitable crash vulnerability exists in the SIP channel driver if
-   an invalid SDP is sent in a SIP request that defines media descriptions before
-   connection information. The handling code incorrectly attempts to reference
-   the socket address information even though that information has not yet been
-   set.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-004 and AST-2013-005, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.23.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.5.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-004.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-005.pdf
-
- The Asterisk Development Team has announced the release of Asterisk 11.5.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.5.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix Segfault In app_queue When "persistentmembers" Is Enabled
-       And Using Realtime
-   (Closes issue ASTERISK-21738. Reported by JoshE)
-
- * --- IAX2: fix race condition with nativebridge transfers.
-   (Closes issue ASTERISK-21409. Reported by alecdavis)
-
- * --- Fix The Payload Being Set On CN Packets And Do Not Set Marker
-       Bit
-   (Closes issue ASTERISK-21246. Reported by Peter Katzmann)
-
- * --- Fix One-Way Audio With auto_* NAT Settings When SIP Calls
-       Initiated By PBX
-   (Closes issue ASTERISK-21374. Reported by Michael L. Young)
-
- * --- chan_sip: NOTIFYs for BLF start queuing up and fail to be sent
-       out after retries fail
-   (Closes issue ASTERISK-21677. Reported by Dan Martens)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 29 2013 Jeffrey Ollie <jeff at ocjtech.us> - 11.5.1-2:
- Enable hardened build BZ#954338
- Significant clean ups
* Thu Aug 29 2013 Jeffrey Ollie <jeff at ocjtech.us> - 11.5.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security releases
- are released as versions 1.8.15-cert2, 11.2-cert2, 1.8.23.1, 10.12.3, 10.12.3-digiumphones,
- and 11.5.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A remotely exploitable crash vulnerability exists in the SIP channel driver if
-   an ACK with SDP is received after the channel has been terminated. The
-   handling code incorrectly assumes that the channel will always be present.
-
- * A remotely exploitable crash vulnerability exists in the SIP channel driver if
-   an invalid SDP is sent in a SIP request that defines media descriptions before
-   connection information. The handling code incorrectly attempts to reference
-   the socket address information even though that information has not yet been
-   set.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-004 and AST-2013-005, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.23.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.3-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.5.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-004.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-005.pdf
-
- The Asterisk Development Team has announced the release of Asterisk 11.5.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.5.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Fix Segfault In app_queue When "persistentmembers" Is Enabled
-       And Using Realtime
-   (Closes issue ASTERISK-21738. Reported by JoshE)
-
- * --- IAX2: fix race condition with nativebridge transfers.
-   (Closes issue ASTERISK-21409. Reported by alecdavis)
-
- * --- Fix The Payload Being Set On CN Packets And Do Not Set Marker
-       Bit
-   (Closes issue ASTERISK-21246. Reported by Peter Katzmann)
-
- * --- Fix One-Way Audio With auto_* NAT Settings When SIP Calls
-       Initiated By PBX
-   (Closes issue ASTERISK-21374. Reported by Michael L. Young)
-
- * --- chan_sip: NOTIFYs for BLF start queuing up and fail to be sent
-       out after retries fail
-   (Closes issue ASTERISK-21677. Reported by Dan Martens)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.5.0
* Sat Aug  3 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 11.4.0-2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar at redhat.com> - 11.4.0-2.1
- Perl 5.18 rebuild
* Fri May 24 2013 Rex Dieter <rdieter at fedoraproject.org> 11.4.0-2
- rebuild (libical)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1002044 - CVE-2013-5641 CVE-2013-5642 asterisk: two denial of service flaws in the SIP channel driver (AST-2013-004, AST-2013-005)
        https://bugzilla.redhat.com/show_bug.cgi?id=1002044
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list