<div dir="ltr"><div class="gmail_quote"><br>The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available<br>
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,<br>
11.13.1, 12.6.1, and 13.0.0-beta3.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following security vulnerability:<br>
<br>
* AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability<br>
<br>
Asterisk is susceptible to the POODLE vulnerability in two ways:<br>
1) The res_jabber and res_xmpp modules both use SSLv3 exclusively for their<br>
encrypted connections.<br>
2) The core TLS handling in Asterisk, which is used by the chan_sip channel<br>
driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by<br>
default allows a TLS connection to fall back to SSLv3. This allows for a<br>
MITM to potentially force a connection to fall back to SSLv3, exposing it<br>
to the POODLE vulnerability.<br>
<br>
These issues have been resolved in the versions released in conjunction with<br>
this security advisory.<br>
<br>
For more information about the details of this vulnerability, please read<br>
security advisory AST-2014-011, which was released at the same time as this<br>
announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3</a><br>
<br>
The security advisory is available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-011.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-011.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
</div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck</span><div><span style="font-family:trebuchet ms,sans-serif">skype: sylvio.jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br></div></div>
</div>
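To confirm after upgrading that none of the services named in the announcement still negotiates SSLv3, the protocol version the server selected can be read from the ServerHello record in a packet capture. The following is an added example, not code from the Asterisk project or from the announcement; the function names and the sample records are constructed for illustration, and it assumes each input is the first server-to-client TLS record of a connection.

```python
import struct

HANDSHAKE, SERVER_HELLO = 22, 2
NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def server_hello_version(record: bytes):
    """Return the (major, minor) version chosen in a ServerHello record, else None."""
    if len(record) < 5:
        return None
    ctype, _rmaj, _rmin, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    # Reject non-handshake records and truncated captures.
    if ctype != HANDSHAKE or len(body) < rlen or len(body) < 6:
        return None
    if body[0] != SERVER_HELLO:
        return None
    # body[1:4] is the handshake length; server_version follows it.
    return (body[4], body[5])


def flows_on_sslv3(flows):
    """Return labels of flows whose server selected SSLv3 (the POODLE-exposed version)."""
    return [label for label, rec in flows.items()
            if server_hello_version(rec) == (3, 0)]


def sample_server_hello(version):
    """Constructed test input: a minimal ServerHello selecting `version`."""
    # version + 32-byte random + empty session id + cipher suite + null compression
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, *version]) + struct.pack("!H", len(handshake)) + handshake


# Constructed captures, labelled with the Asterisk services named in the announcement.
SAMPLE_FLOWS = {
    "chan_sip": sample_server_hello((3, 0)),  # connection that fell back to SSLv3
    "AMI": sample_server_hello((3, 1)),
    "HTTP": sample_server_hello((3, 3)),
}

if __name__ == "__main__":
    for label, rec in SAMPLE_FLOWS.items():
        v = server_hello_version(rec)
        print(label, NAMES.get(v, v), "EXPOSED" if v == (3, 0) else "ok")
```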