[asterisk-dev] Asterisk 1.8.15-cert5, 1.8.26.1, 11.6-cert2, 11.8.1, 12.1.1 Now Available (Security Release)

Asterisk Development Team asteriskteam at digium.com
Mon Mar 10 17:10:00 CDT 2014


The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security
releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1,
and 12.1.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolve the following issues:

* AST-2014-001: Stack overflow in HTTP processing of Cookie headers.

  Sending a HTTP request that is handled by Asterisk with a large number of
  Cookie headers could overflow the stack.

  Another vulnerability along similar lines is any HTTP request with a
  ridiculous number of headers in the request could exhaust system memory.

* AST-2014-002: chan_sip: Exit early on bad session timers request

  This change allows chan_sip to avoid creation of the channel and
  consumption of associated file descriptors altogether if the inbound
  request is going to be rejected anyway.

Additionally, the release of 12.1.1 resolves the following issue:

* AST-2014-003: res_pjsip: When handling 401/407 responses don't assume a
  request will have an endpoint.

  This change removes the assumption that an outgoing request will always
  have an endpoint and makes the authenticate_qualify option work once again.

Finally, a security advisory, AST-2014-004, was released for a vulnerability
fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to
12.1.1 to resolve both vulnerabilities.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004,
which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.8.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.1.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-004.pdf

Thank you for your continued support of Asterisk!





More information about the asterisk-dev mailing list