<div class="gmail_quote">---------- Mensagem encaminhada ----------<br>De: "Asterisk Development Team" <<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>><br>Data: 14/04/2016 7:20 PM<br>Assunto: [asterisk-dev] Asterisk 13.1-cert5 and 13.8.1 Now Available (Security Release)<br>Para: "Asterisk Developers Mailing List" <<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>><br>Cc: <br><br type="attribution"><div dir="ltr"><div><div>The Asterisk Development Team has announced security releases for Certified</div><div>Asterisk 13.1 and Asterisk 13. The available security releases are released as<br>versions 13.1-cert5, and 13.8.1.</div><div><br></div><div>These releases are available for immediate download at</div><div><a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a></div><div><br></div><div>The release of these versions resolves the following security vulnerabilities:</div><div><br></div><div>* AST-2016-004: Long contact URIs in REGISTER requests can crash Asterisk<br></div><br> Asterisk may crash when processing an incoming REGISTER request if that<br> REGISTER contains a Contact header with a lengthy URI. This crash will only<br> happen for requests that pass authentication. Unauthenticated REGISTER<br> requests will not result in a crash occurring.<br><br><div>* AST-2016-005: TCP denial of service in PJProject<br><br> PJProject has a limit on the number of TCP connections that it can accept.<br> Furthermore, PJProject does not close TCP connections it accepts. By default,<br> this value is approximately 60. An attacker can deplete the number of allowed<br> TCP connections by opening TCP connections and sending no data to Asterisk.<br><br> If PJProject has been compiled in debug mode, then once the number of allowed<br> TCP connections has been depleted, the next attempted TCP connection to<br> Asterisk will crash due to an assertion in PJProject. If PJProject has not<br> been compiled in debug mode, then any further TCP connection attempts will be<br> rejected. This makes Asterisk unable to process TCP SIP traffic.<br></div><br><div>For a full list of changes in the current releases, please see the ChangeLogs:</div><div><br></div><div><a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert5" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert5</a></div><div><a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.8.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.8.1</a></div><div><br></div><div>The security advisories are available at:</div><div><br></div><div> * <a href="http://downloads.asterisk.org/pub/security/AST-2016-004.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-004.pdf</a></div><div> * <a href="http://downloads.asterisk.org/pub/security/AST-2016-005.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2016-005.pdf</a></div><div><br></div><div>Thank you for your continued support of Asterisk!</div></div></div>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br></div>