<div dir="ltr"><div class="gmail_quote">The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available<br>
security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,<br>
11.14.1, 12.7.1, and 13.0.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following security vulnerabilities:<br>
<br>
* AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP<br>
address families<br>
<br>
Many modules in Asterisk that service incoming IP traffic have ACL options<br>
("permit" and "deny") that can be used to whitelist or blacklist address<br>
ranges. A bug has been discovered where the address family of incoming<br>
packets is only compared to the IP address family of the first entry in the<br>
list of access control rules. If the source IP address for an incoming<br>
packet is not of the same address as the first ACL entry, that packet<br>
bypasses all ACL rules.<br>
<br>
* AST-2014-018: Permission Escalation through DB dialplan function<br>
<br>
The DB dialplan function when executed from an external protocol, such as AMI,<br>
could result in a privilege escalation. Users with a lower class authorization<br>
in AMI can access the internal Asterisk database without the required SYSTEM<br>
class authorization.<br>
<br>
In addition, the release of 11.6-cert8 and 11.14.1 resolves the following<br>
security vulnerability:<br>
<br>
* AST-2014-014: High call load with ConfBridge can result in resource exhaustion<br>
<br>
The ConfBridge application uses an internal bridging API to implement<br>
conference bridges. This internal API uses a state model for channels within<br>
the conference bridge and transitions between states as different things<br>
occur. Unload load it is possible for some state transitions to be delayed<br>
causing the channel to transition from being hung up to waiting for media. As<br>
the channel has been hung up remotely no further media will arrive and the<br>
channel will stay within ConfBridge indefinitely.<br>
<br>
In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves<br>
the following security vulnerability:<br>
<br>
* AST-2014-017: Permission Escalation via ConfBridge dialplan function and<br>
AMI ConfbridgeStartRecord Action<br>
<br>
The CONFBRIDGE dialplan function when executed from an external protocol (such<br>
as AMI) can result in a privilege escalation as certain options within that<br>
function can affect the underlying system. Additionally, the AMI<br>
ConfbridgeStartRecord action has options that would allow modification of the<br>
underlying system, and does not require SYSTEM class authorization in AMI.<br>
<br>
Finally, the release of 12.7.1 and 13.0.1 resolves the following security<br>
vulnerabilities:<br>
<br>
* AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack<br>
<br>
The Asterisk module res_pjsip provides the ability to configure ACLs that may<br>
be used to reject SIP requests from various hosts. However, the module<br>
currently fails to create and apply the ACLs defined in its configuration<br>
file on initial module load.<br>
<br>
* AST-2014-015: Remote crash vulnerability in PJSIP channel driver<br>
<br>
The chan_pjsip channel driver uses a queue approach for relating to SIP<br>
sessions. There exists a race condition where actions may be queued to answer<br>
a session or send ringing after a SIP session has been terminated using a<br>
CANCEL request. The code will incorrectly assume that the SIP session is still<br>
active and attempt to send the SIP response. The PJSIP library does not<br>
expect the SIP session to be in the disconnected state when sending the<br>
response and asserts.<br>
<br>
* AST-2014-016: Remote crash vulnerability in PJSIP channel driver<br>
<br>
When handling an INVITE with Replaces message the res_pjsip_refer module<br>
incorrectly assumes that it will be operating on a channel that has just been<br>
created. If the INVITE with Replaces message is sent in-dialog after a session<br>
has been established this assumption will be incorrect. The res_pjsip_refer<br>
module will then hang up a channel that is actually owned by another thread.<br>
When this other thread attempts to use the just hung up channel it will end up<br>
using a freed channel which will likely result in a crash.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,<br>
AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same<br>
time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-012.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-012.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-013.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-013.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-014.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-014.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-015.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-015.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-016.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-016.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-017.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-017.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-018.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-018.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck</span><div><span style="font-family:trebuchet ms,sans-serif">skype: sylvio.jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br><img src="http://www.hosannatecnologia.com.br/pixel.fw.png"><br></div></div></div>
</div>