<p dir="ltr">Psc</p>
<div class="gmail_quote">---------- Mensagem encaminhada ----------<br>De: "Asterisk Development Team" <<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>><br>Data: 28/01/2015 21:14<br>Assunto: [asterisk-dev] Asterisk 1.8.28-cert4, 1.8.32.2, 11.6-cert10, 11.15.1, 12.8.1, 13.1.1 Now Available (Security Release)<br>Para: <<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>><br>Cc: <br><br type="attribution">The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available<br>
security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,<br>
11.15.1, 12.8.1, and 13.1.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following security vulnerabilities:<br>
<br>
* AST-2015-001: File descriptor leak when incompatible codecs are offered<br>
<br>
Asterisk may be configured to only allow specific audio or<br>
video codecs to be used when communicating with a<br>
particular endpoint. When an endpoint sends an SDP offer<br>
that only lists codecs not allowed by Asterisk, the offer<br>
is rejected. However, in this case, RTP ports that are<br>
allocated in the process are not reclaimed.<br>
<br>
This issue only affects the PJSIP channel driver in<br>
Asterisk. Users of the chan_sip channel driver are not<br>
affected.<br>
<br>
* AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability<br>
<br>
CVE-2014-8150 reported an HTTP request injection<br>
vulnerability in libcURL. Asterisk uses libcURL in its<br>
func_curl.so module (the CURL() dialplan function), as well<br>
as its res_config_curl.so (cURL realtime backend) modules.<br>
<br>
Since Asterisk may be configured to allow for user-supplied<br>
URLs to be passed to libcURL, it is possible that an<br>
attacker could use Asterisk as an attack vector to inject<br>
unauthorized HTTP requests if the version of libcURL<br>
installed on the Asterisk server is affected by<br>
CVE-2014-8150.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisory AST-2015-001 and AST-2015-002, which were released at the same<br>
time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2015-001.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-001.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2015-002.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br></div>