[asterisk-dev] Asterisk 1.2.36, 1.4.26.3, 1.6.0.17, and 1.6.1.9 Now Available

Asterisk Development Team asteriskteam at digium.com
Wed Nov 4 14:21:58 CST 2009


The Asterisk Development Team has announced security releases for Asterisk as
the following versions:

  * 1.2.36
  * 1.4.26.3
  * 1.6.0.17
  * 1.6.1.9

These releases are available for immediate download at
   http://downloads.asterisk.org/pub/telephony/asterisk/


The release of 1.2.36 resolves an issue where sending a REGISTER with a
differing username in the From URI and Authorization header would reveal whether
it was valid or not. For more information about the details of this
vulnerability, please read the security advisory AST-2009-008, which was
released at the same time as this announcement.

The releases of Asterisk 1.4.26.3, 1.6.0.17, and 1.6.1.9 include the fix
described in security advisory AST-2009-008, and also contain a fix where it
may be possible for someone to execute a cross-site AJAX request exploit. For
more information about the details of this vulnerability, please read the
security advisory AST-2009-009, which was released at the same time as this
announcement.

In addition, Asterisk users may notice that we skipped the version number
1.6.0.16. This was intentional, in an effort to avoid confusion about what a
particular release contains. Asterisk 1.6.0.16 had candidates for release made,
so backtracking on those changes in a release with the same version number might
be confusing. The next release candidate, which would have been 1.6.0.16-rc3,
will be released with additional changes as 1.6.0.18-rc1.

Also of note: the previous release announcement for 1.6.1.8 stated that the
next set of 1.6.1 release candidates would be 1.6.1.9-rc1. As release candidates
for 1.6.1.9 were not yet released, 1.6.1.9 is only a security release, and the
next release candidate in the 1.6.1 series is expected to be 1.6.1.10-rc1.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.2.36
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.26.3
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.17
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.9


Security advisory AST-2009-008 is available at:

http://downloads.asterisk.org/pub/security/AST-2009-008.pdf


Security advisory AST-2009-009 is available at:

http://downloads.asterisk.org/pub/security/AST-2009-009.pdf


Thank you for your continued support of Asterisk!


