[SECURITY] Fedora 21 Update: asterisk-11.14.1-1.fc21
updates at fedoraproject.org
updates at fedoraproject.org
Fri Dec 12 04:30:25 UTC 2014
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-15621
2014-11-22 19:57:26
--------------------------------------------------------------------------------
Name : asterisk
Product : Fedora 21
Version : 11.14.1
Release : 1.fc21
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
--------------------------------------------------------------------------------
Update Information:
* Fri Nov 21 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.14.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
- 11.14.1, 12.7.1, and 13.0.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerabilities:
-
- * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
- address families
-
- Many modules in Asterisk that service incoming IP traffic have ACL options
- ("permit" and "deny") that can be used to whitelist or blacklist address
- ranges. A bug has been discovered where the address family of incoming
- packets is only compared to the IP address family of the first entry in the
- list of access control rules. If the source IP address for an incoming
- packet is not of the same address as the first ACL entry, that packet
- bypasses all ACL rules.
-
- * AST-2014-018: Permission Escalation through DB dialplan function
-
- The DB dialplan function when executed from an external protocol, such as AMI,
- could result in a privilege escalation. Users with a lower class authorization
- in AMI can access the internal Asterisk database without the required SYSTEM
- class authorization.
-
- In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
- security vulnerability:
-
- * AST-2014-014: High call load with ConfBridge can result in resource exhaustion
-
- The ConfBridge application uses an internal bridging API to implement
- conference bridges. This internal API uses a state model for channels within
- the conference bridge and transitions between states as different things
- occur. Unload load it is possible for some state transitions to be delayed
- causing the channel to transition from being hung up to waiting for media. As
- the channel has been hung up remotely no further media will arrive and the
- channel will stay within ConfBridge indefinitely.
-
- In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
- the following security vulnerability:
-
- * AST-2014-017: Permission Escalation via ConfBridge dialplan function and
- AMI ConfbridgeStartRecord Action
-
- The CONFBRIDGE dialplan function when executed from an external protocol (such
- as AMI) can result in a privilege escalation as certain options within that
- function can affect the underlying system. Additionally, the AMI
- ConfbridgeStartRecord action has options that would allow modification of the
- underlying system, and does not require SYSTEM class authorization in AMI.
-
- Finally, the release of 12.7.1 and 13.0.1 resolves the following security
- vulnerabilities:
-
- * AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack
-
- The Asterisk module res_pjsip provides the ability to configure ACLs that may
- be used to reject SIP requests from various hosts. However, the module
- currently fails to create and apply the ACLs defined in its configuration
- file on initial module load.
-
- * AST-2014-015: Remote crash vulnerability in PJSIP channel driver
-
- The chan_pjsip channel driver uses a queue approach for relating to SIP
- sessions. There exists a race condition where actions may be queued to answer
- a session or send ringing after a SIP session has been terminated using a
- CANCEL request. The code will incorrectly assume that the SIP session is still
- active and attempt to send the SIP response. The PJSIP library does not
- expect the SIP session to be in the disconnected state when sending the
- response and asserts.
-
- * AST-2014-016: Remote crash vulnerability in PJSIP channel driver
-
- When handling an INVITE with Replaces message the res_pjsip_refer module
- incorrectly assumes that it will be operating on a channel that has just been
- created. If the INVITE with Replaces message is sent in-dialog after a session
- has been established this assumption will be incorrect. The res_pjsip_refer
- module will then hang up a channel that is actually owned by another thread.
- When this other thread attempts to use the just hung up channel it will end up
- using a freed channel which will likely result in a crash.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
- AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
- time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-013.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-015.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-016.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf
* Fri Nov 21 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.14.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.14.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.14.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
- * ASTERISK-24348 - Built-in editline tab complete segfault with
- MALLOC_DEBUG (Reported by Walter Doekes)
- * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
- INVITE retransmissions of rejected calls (Reported by Torrey
- Searle)
- * ASTERISK-23768 - [patch] Asterisk man page contains a (new)
- unquoted minus sign (Reported by Jeremy Lainé)
- * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
- (Reported by Jeremy Lainé)
- * ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
- Cohen)
- * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
- realtime peers (Reported by ibercom)
- * ASTERISK-24384 - chan_motif: format capabilities leak on module
- load error (Reported by Corey Farrell)
- * ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
- (Reported by Corey Farrell)
- * ASTERISK-24378 - Release AMI connections on shutdown (Reported
- by Corey Farrell)
- * ASTERISK-24354 - AMI sendMessage closes AMI connection on error
- (Reported by Peter Katzmann)
- * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
- ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
- * ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
- incorrectly attempted (Reported by Joshua Colp)
- * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
- high on linux systems with lots of RAM (Reported by Michael
- Myles)
- * ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
- received for component (Reported by Kevin Harwell)
- * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
- results in a SIP channel leak (Reported by NITESH BANSAL)
- * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
- Re-INVITE results in a SIP channel leak (Reported by Torrey
- Searle)
- * ASTERISK-24406 - Some caller ID strings are parsed differently
- since 11.13.0 (Reported by Etienne Lessard)
- * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
- (Reported by Tzafrir Cohen)
- * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
- Tzafrir Cohen)
- * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
- (Reported by Paolo Compagnini)
- * ASTERISK-18923 - res_fax_spandsp usage counter is wrong
- (Reported by Grigoriy Puzankin)
- * ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
- Corey Farrell)
- * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
- (Reported by Dmitry Melekhov)
- * ASTERISK-23846 - Unistim multilines. Loss of voice after second
- call drops (on a second line). (Reported by Rustam Khankishyiev)
- * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
- when sending qualify requests (Reported by Damian Ivereigh)
- * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
- SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
- abelbeck)
- * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
- against libsrtp-1.5.0 (Reported by Patrick Laimbock)
- * ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
- leak (Reported by Corey Farrell)
- * ASTERISK-24430 - missing letter "p" in word response in
- OriginateResponse event documentation (Reported by Dafi Ni)
- * ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
- Corey Farrell)
- * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
- (Reported by Olle Johansson)
- * ASTERISK-24304 - asterisk crashing randomly because of unistim
- channel (Reported by dhanapathy sathya)
- * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
- Nick Adams)
- * ASTERISK-24466 - app_queue: fix a couple leaks to struct
- call_queue (Reported by Corey Farrell)
- * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
- (Reported by Corey Farrell)
- * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
- leaks (Reported by Corey Farrell)
- * ASTERISK-24307 - Unintentional memory retention in stringfields
- (Reported by Etienne Lessard)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0
--------------------------------------------------------------------------------
ChangeLog:
* Fri Nov 21 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.14.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
- 11.14.1, 12.7.1, and 13.0.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerabilities:
-
- * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
- address families
-
- Many modules in Asterisk that service incoming IP traffic have ACL options
- ("permit" and "deny") that can be used to whitelist or blacklist address
- ranges. A bug has been discovered where the address family of incoming
- packets is only compared to the IP address family of the first entry in the
- list of access control rules. If the source IP address for an incoming
- packet is not of the same address as the first ACL entry, that packet
- bypasses all ACL rules.
-
- * AST-2014-018: Permission Escalation through DB dialplan function
-
- The DB dialplan function when executed from an external protocol, such as AMI,
- could result in a privilege escalation. Users with a lower class authorization
- in AMI can access the internal Asterisk database without the required SYSTEM
- class authorization.
-
- In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
- security vulnerability:
-
- * AST-2014-014: High call load with ConfBridge can result in resource exhaustion
-
- The ConfBridge application uses an internal bridging API to implement
- conference bridges. This internal API uses a state model for channels within
- the conference bridge and transitions between states as different things
- occur. Unload load it is possible for some state transitions to be delayed
- causing the channel to transition from being hung up to waiting for media. As
- the channel has been hung up remotely no further media will arrive and the
- channel will stay within ConfBridge indefinitely.
-
- In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
- the following security vulnerability:
-
- * AST-2014-017: Permission Escalation via ConfBridge dialplan function and
- AMI ConfbridgeStartRecord Action
-
- The CONFBRIDGE dialplan function when executed from an external protocol (such
- as AMI) can result in a privilege escalation as certain options within that
- function can affect the underlying system. Additionally, the AMI
- ConfbridgeStartRecord action has options that would allow modification of the
- underlying system, and does not require SYSTEM class authorization in AMI.
-
- Finally, the release of 12.7.1 and 13.0.1 resolves the following security
- vulnerabilities:
-
- * AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack
-
- The Asterisk module res_pjsip provides the ability to configure ACLs that may
- be used to reject SIP requests from various hosts. However, the module
- currently fails to create and apply the ACLs defined in its configuration
- file on initial module load.
-
- * AST-2014-015: Remote crash vulnerability in PJSIP channel driver
-
- The chan_pjsip channel driver uses a queue approach for relating to SIP
- sessions. There exists a race condition where actions may be queued to answer
- a session or send ringing after a SIP session has been terminated using a
- CANCEL request. The code will incorrectly assume that the SIP session is still
- active and attempt to send the SIP response. The PJSIP library does not
- expect the SIP session to be in the disconnected state when sending the
- response and asserts.
-
- * AST-2014-016: Remote crash vulnerability in PJSIP channel driver
-
- When handling an INVITE with Replaces message the res_pjsip_refer module
- incorrectly assumes that it will be operating on a channel that has just been
- created. If the INVITE with Replaces message is sent in-dialog after a session
- has been established this assumption will be incorrect. The res_pjsip_refer
- module will then hang up a channel that is actually owned by another thread.
- When this other thread attempts to use the just hung up channel it will end up
- using a freed channel which will likely result in a crash.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
- AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
- time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-013.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-015.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-016.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf
* Fri Nov 21 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 11.14.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.14.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.14.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
- * ASTERISK-24348 - Built-in editline tab complete segfault with
- MALLOC_DEBUG (Reported by Walter Doekes)
- * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
- INVITE retransmissions of rejected calls (Reported by Torrey
- Searle)
- * ASTERISK-23768 - [patch] Asterisk man page contains a (new)
- unquoted minus sign (Reported by Jeremy Lainé)
- * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
- (Reported by Jeremy Lainé)
- * ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
- Cohen)
- * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
- realtime peers (Reported by ibercom)
- * ASTERISK-24384 - chan_motif: format capabilities leak on module
- load error (Reported by Corey Farrell)
- * ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
- (Reported by Corey Farrell)
- * ASTERISK-24378 - Release AMI connections on shutdown (Reported
- by Corey Farrell)
- * ASTERISK-24354 - AMI sendMessage closes AMI connection on error
- (Reported by Peter Katzmann)
- * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
- ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
- * ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
- incorrectly attempted (Reported by Joshua Colp)
- * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
- high on linux systems with lots of RAM (Reported by Michael
- Myles)
- * ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
- received for component (Reported by Kevin Harwell)
- * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
- results in a SIP channel leak (Reported by NITESH BANSAL)
- * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
- Re-INVITE results in a SIP channel leak (Reported by Torrey
- Searle)
- * ASTERISK-24406 - Some caller ID strings are parsed differently
- since 11.13.0 (Reported by Etienne Lessard)
- * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
- (Reported by Tzafrir Cohen)
- * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
- Tzafrir Cohen)
- * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
- (Reported by Paolo Compagnini)
- * ASTERISK-18923 - res_fax_spandsp usage counter is wrong
- (Reported by Grigoriy Puzankin)
- * ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
- Corey Farrell)
- * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
- (Reported by Dmitry Melekhov)
- * ASTERISK-23846 - Unistim multilines. Loss of voice after second
- call drops (on a second line). (Reported by Rustam Khankishyiev)
- * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
- when sending qualify requests (Reported by Damian Ivereigh)
- * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
- SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
- abelbeck)
- * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
- against libsrtp-1.5.0 (Reported by Patrick Laimbock)
- * ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
- leak (Reported by Corey Farrell)
- * ASTERISK-24430 - missing letter "p" in word response in
- OriginateResponse event documentation (Reported by Dafi Ni)
- * ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
- Corey Farrell)
- * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
- (Reported by Olle Johansson)
- * ASTERISK-24304 - asterisk crashing randomly because of unistim
- channel (Reported by dhanapathy sathya)
- * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
- Nick Adams)
- * ASTERISK-24466 - app_queue: fix a couple leaks to struct
- call_queue (Reported by Corey Farrell)
- * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
- (Reported by Corey Farrell)
- * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
- leaks (Reported by Corey Farrell)
- * ASTERISK-24307 - Unintentional memory retention in stringfields
- (Reported by Etienne Lessard)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1166692 - asterisk: AMI permission escalation through DB dialplan function [AST-2014-018] [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1166692
[ 2 ] Bug #1166690 - asterisk: Permission escalation through ConfBridge actions/dialplan functions [AST-2014-017] [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1166690
[ 3 ] Bug #1166684 - asterisk: High call load may result in hung channels in ConfBridge [AST-2014-014] [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1166684
[ 4 ] Bug #1166676 - asterisk: Mixed IP address families in access control lists may permit unwanted traffic [AST-2014-012] [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1166676
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list