<p dir="ltr">Psc</p>
<div class="gmail_quote">---------- Forwarded message ----------<br>From: &quot;Asterisk Development Team&quot; &lt;<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>&gt;<br>Date: 28/01/2015 21:14<br>Subject: [asterisk-dev] Asterisk 1.8.28-cert4, 1.8.32.2, 11.6-cert10, 11.15.1, 12.8.1, 13.1.1 Now Available (Security Release)<br>To:  &lt;<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>&gt;<br>Cc: <br><br type="attribution">The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available<br>
security releases are released as versions 1.8.28-cert4, 1.8.32.2, 11.6-cert10,<br>
11.15.1, 12.8.1, and 13.1.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following security vulnerabilities:<br>
<br>
* AST-2015-001: File descriptor leak when incompatible codecs are offered<br>
<br>
                Asterisk may be configured to only allow specific audio or<br>
                video codecs to be used when communicating with a<br>
                particular endpoint. When an endpoint sends an SDP offer<br>
                that only lists codecs not allowed by Asterisk, the offer<br>
                is rejected. However, in this case, RTP ports that are<br>
                allocated in the process are not reclaimed.<br>
<br>
                This issue only affects the PJSIP channel driver in<br>
                Asterisk. Users of the chan_sip channel driver are not<br>
                affected.<br>
<br>
* AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability<br>
<br>
                CVE-2014-8150 reported an HTTP request injection<br>
                vulnerability in libcURL. Asterisk uses libcURL in its<br>
                func_curl.so module (the CURL() dialplan function), as well<br>
                as its res_config_curl.so (cURL realtime backend) module.<br>
<br>
                Since Asterisk may be configured to allow for user-supplied<br>
                URLs to be passed to libcURL, it is possible that an<br>
                attacker could use Asterisk as an attack vector to inject<br>
                unauthorized HTTP requests if the version of libcURL<br>
                installed on the Asterisk server is affected by<br>
                CVE-2014-8150.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2015-001 and AST-2015-002, which were released at the same<br>
time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1</a><br>
<br>
The security advisories are available at:<br>
<br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2015-001.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-001.pdf</a><br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2015-002.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
   <a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br></div>
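<p>The AST-2015-001 description above is a classic resource leak on an error path: a media port is reserved before codec negotiation, and the rejection path forgets to return it. The following is an added illustration, not Asterisk code and not from the announcement; the pool, the handler names and the codec sets are constructed. It drives a leaky handler and a corrected one with offers that list only disallowed codecs and counts the ports still reserved afterwards, showing how repeated rejected offers exhaust the pool and block new calls.</p>

```python
"""Resource leak on a rejected SDP offer, modelled in Python.

Constructed illustration of the failure mode described in AST-2015-001:
an RTP port is reserved before codec negotiation, and the early-exit path
for an offer with no acceptable codec never releases it. RtpPortPool,
handle_offer_leaky and handle_offer_fixed are hypothetical names for this
example; they are not Asterisk's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class RtpPortPool:
    """Hypothetical pool of even-numbered RTP ports (a tiny media port range)."""
    start: int = 10000
    end: int = 10010          # five ports: 10000, 10002, ..., 10008
    in_use: set = field(default_factory=set)

    def allocate(self) -> int:
        for port in range(self.start, self.end, 2):
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise RuntimeError("RTP port range exhausted")

    def release(self, port: int) -> None:
        self.in_use.discard(port)


class OfferRejected(Exception):
    """Raised when the offer shares no codec with the configured allow list."""


def negotiate(offered: set, allowed: set) -> set:
    common = offered & allowed
    if not common:
        raise OfferRejected("no mutually acceptable codec")
    return common


def handle_offer_leaky(pool: RtpPortPool, offered: set, allowed: set):
    # Buggy shape: the port is reserved first, and the exception raised by
    # negotiate() unwinds past this frame without releasing it.
    port = pool.allocate()
    codecs = negotiate(offered, allowed)   # raises on rejection -> port leaked
    return port, codecs


def handle_offer_fixed(pool: RtpPortPool, offered: set, allowed: set):
    # Corrected shape: every exit from the function accounts for the port.
    port = pool.allocate()
    try:
        codecs = negotiate(offered, allowed)
    except OfferRejected:
        pool.release(port)                 # reclaim on the rejection path
        raise
    return port, codecs


def leaked_ports_after(handler, rejected_offers: int) -> int:
    """Send `rejected_offers` offers that list only a disallowed codec through
    `handler` and return how many ports stay reserved. A correct handler yields 0."""
    pool = RtpPortPool()
    allowed = {"ulaw", "alaw"}             # constructed endpoint allow list
    for _ in range(rejected_offers):
        try:
            handler(pool, {"g729"}, allowed)   # constructed offer: codec not allowed
        except OfferRejected:
            pass
        except RuntimeError:
            break   # pool exhausted: the leak now denies media to legitimate calls
    return len(pool.in_use)
```

<p>Running <code>leaked_ports_after</code> with the leaky handler shows the reserved-port count growing with each rejected offer until the range is exhausted, while the fixed handler leaves it at zero; on a real system the equivalent symptom is a steadily growing number of open sockets for the process, which is what an operator would watch for.</p>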
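<p>For AST-2015-002 the announcement notes that user-supplied URLs may reach libcURL, so the application boundary is where a defender can refuse input that a vulnerable library would mishandle. The check below is an added example, not Asterisk's mitigation and not from the announcement: it rejects any URL carrying raw ASCII control characters (the carriage returns and line feeds at issue in CVE-2014-8150) and restricts the scheme, before the string is handed to an HTTP client. The function names, the allowed-scheme policy and the sample URLs are constructed for this example.</p>

```python
"""Pre-validation of user-supplied URLs before they reach an HTTP client.

Constructed defensive check for the scenario in AST-2015-002: untrusted
input becomes a URL for libcURL, and a library affected by CVE-2014-8150
could let embedded line breaks inject additional request lines. Rejecting
control characters at the application boundary mitigates that regardless
of the library version. validate_url / is_safe_url are this example's
names, not Asterisk's.
"""
from typing import Optional
from urllib.parse import urlsplit

# Policy chosen for this example: only web schemes are acceptable.
ALLOWED_SCHEMES = {"http", "https"}


def validate_url(url: str) -> Optional[str]:
    """Return None when the URL is acceptable, otherwise a short reason."""
    # Check for control characters BEFORE parsing: recent urllib versions
    # silently strip CR, LF and TAB from the input, which would hide exactly
    # the characters this check exists to catch.
    for ch in url:
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            return "control character in URL: %r" % ch
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return "missing host"
    # Percent-encoded sequences such as %0d%0a stay encoded on the wire and
    # are therefore left alone; only raw control bytes are rejected.
    return None


def is_safe_url(url: str) -> bool:
    return validate_url(url) is None


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate lookup URL, one with an
    # embedded CRLF, one with a disallowed scheme, one with encoded CRLF.
    for sample in (
        "https://example.com/lookup?ext=100",
        "https://example.com/a\r\nX-Injected: 1\r\n",
        "file:///etc/passwd",
        "http://example.com/%0d%0aX",
    ):
        print(repr(sample), "->", validate_url(sample) or "ok")
```

<p>The design choice is to reject rather than sanitise: stripping the offending characters would change the meaning of the request and still pass attacker-shaped input downstream, whereas a refusal is unambiguous and easy to log. The same check belongs in front of any other HTTP client fed from dialplan or database content, not only libcURL.</p>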