<div class="gmail_quote">---------- Forwarded message ----------<br>From: &quot;Asterisk Development Team&quot; &lt;<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>&gt;<br>Date: 03/02/2016 11:55 PM<br>Subject: [asterisk-dev] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1 Now Available (Security Release)<br>To:  &lt;<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>&gt;<br>Cc: <br><br type="attribution">The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases<br>
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following security vulnerabilities:<br>
<br>
* AST-2016-001: BEAST vulnerability in HTTP server<br>
<br>
  The Asterisk HTTP server currently has a default configuration which allows<br>
  the BEAST vulnerability to be exploited if the TLS functionality is enabled.<br>
  This can allow a man-in-the-middle attack to decrypt data passing through it.<br>
<br>
* AST-2016-002: File descriptor exhaustion in chan_sip<br>
<br>
  Setting the sip.conf timert1 value to a value higher than 1245 can cause an<br>
  integer overflow and result in large retransmit timeout times. These large<br>
  timeout values hold system file descriptors hostage and can cause the system<br>
  to run out of file descriptors.<br>
<br>
* AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data.<br>
<br>
  If no UDPTL packets are lost there is no problem. However, a lost packet<br>
  causes Asterisk to use the available error correcting redundancy packets. If<br>
  those redundancy packets have zero length then Asterisk uses an uninitialized<br>
  buffer pointer and length value which can cause invalid memory accesses later<br>
  when the packet is copied.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1</a><br>
<br>
The security advisories are available at:<br>
<br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2016-001.pdf" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-001.pdf</a><br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2016-002.pdf" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-002.pdf</a><br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2016-003.pdf" rel="noreferrer" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-003.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
</div>
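A configuration check for the AST-2016-002 condition described in the announcement above, as an added example that is not part of the original message or of the Asterisk project's code. It scans sip.conf text for `timert1` settings above 1245 in any section; the function names and the sample file are constructed for illustration, and the parser assumes standard Asterisk config comment syntax and does not follow `#include` directives.

```python
import re

TIMERT1_LIMIT = 1245  # threshold stated in AST-2016-002
SECTION = re.compile(r"\[([^\]]+)\]")
SETTING = re.compile(r"timert1\s*=>?\s*(\d+)\s*$", re.IGNORECASE)

# Constructed sample sip.conf, not taken from a real system.
SAMPLE_SIP_CONF = """\
[general]
timert1=500          ; default T1
[trunk-a](!)
timert1 = 2000
;-- block comment
timert1=99999
--;
[phone-101]
timert1 => 1246
"""

def strip_comments(line, in_block):
    """Drop ';' line comments and ';-- ... --;' block comments from one line."""
    out = ""
    while line:
        if in_block:
            _, closed, line = line.partition("--;")
            in_block = not closed  # still inside the block if no terminator found
            continue
        start = line.find(";")
        if start < 0:
            return out + line, False
        out += line[:start]
        # ';--' opens a block comment unless a third dash follows (';---' rulers).
        if not line.startswith(";--", start) or line.startswith(";---", start):
            break
        line, in_block = line[start + 3:], True
    return out, in_block

def audit_timert1(text, limit=TIMERT1_LIMIT):
    """Return (line_no, section, value) for every timert1 setting above limit."""
    findings, section, in_block = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line, in_block = strip_comments(raw, in_block)
        header = SECTION.match(line.strip())
        setting = SETTING.match(line.strip())
        if header:
            section = header.group(1)
        elif setting and int(setting.group(1)) > limit:
            findings.append((no, section, int(setting.group(1))))
    return findings
```

Calling `audit_timert1(open("/etc/asterisk/sip.conf").read())` (path assumed) lists the settings to lower on systems that cannot be upgraded immediately.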