From security at asterisk.org Thu Jan 19 17:40:00 2012 From: security at asterisk.org (Asterisk Security Team) Date: Jan 19 2012 17:40:00 Subject: [asterisk-security] AST-2012-001: SRTP Video Remote Crash Vulnerability Message-ID: <201201192334.q0JNYJVJ015335@mjordan-desktop.digium.internal> Asterisk Project Security Advisory - AST-2012-001 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | SRTP Video Remote Crash Vulnerability | |----------------------+-------------------------------------------------| | Nature of Advisory | Denial of Service | |----------------------+-------------------------------------------------| | Susceptibility | Remote unauthenticated sessions | |----------------------+-------------------------------------------------| | Severity | Moderate | |----------------------+-------------------------------------------------| | Exploits Known | No | |----------------------+-------------------------------------------------| | Reported On | 2012-01-15 | |----------------------+-------------------------------------------------| | Reported By | Catalin Sanda | |----------------------+-------------------------------------------------| | Posted On | 2012-01-19 | |----------------------+-------------------------------------------------| | Last Updated On | January 19, 2012 | |----------------------+-------------------------------------------------| | Advisory Contact | Joshua Colp < jcolp AT digium DOT com > | |----------------------+-------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | An attacker attempting to negotiate a secure video | | | stream can crash Asterisk if video support has not been | | | enabled and the res_srtp Asterisk module is loaded. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Upgrade to one of the versions of Asterisk listed in the | | | "Corrected In" section, or apply a patch specified in the | | | "Patches" section. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release Series | | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.8.x | All versions | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 10.x | All versions | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |------------------------------------------+-----------------------------| | Asterisk Open Source | 1.8.8.2 | |------------------------------------------+-----------------------------| | Asterisk Open Source | 10.0.1 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Patches | |------------------------------------------------------------------------| | SVN URL |Branch| |-----------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 | |-----------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2012-001.pdf and | | http://downloads.digium.com/pub/security/AST-2012-001.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+--------------------+---------------------------------| | 12-01-19 | Joshua Colp | Initial release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2012-001 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. From asteriskteam at digium.com Thu Jan 19 18:00:00 2012 From: asteriskteam at digium.com (Asterisk Development Team) Date: Jan 19 2012 18:00:00 Subject: [asterisk-security] Asterisk 1.8.8.2 and 10.0.1 Now Available (Security Release) Message-ID: <201201192354.q0JNs499015594@mjordan-desktop.digium.internal> The Asterisk Development Team has announced security releases for Asterisk 1.8 and 10. The available security releases are released as versions 1.8.8.2 and 10.0.1. Please note that the security vulnerability in Asterisk 1.8 and 10 does not exist for Asterisk versions 1.4 or 1.6.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk versions 1.8.8.2 and 10.0.1 resolves an issue wherein an attacker attempting to negotiate a secure video stream can crash Asterisk if video support has not been enabled and the res_srtp Asterisk module is loaded. The issue and its resolution is described in the security advisory. For more information about the details of these vulnerabilities, please read the security advisory AST-2012-001, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.8.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.0.1 Security advisory AST-2012-001 is available at: * http://downloads.asterisk.org/pub/security/AST-2012-001.pdf Thank you for your continued support of Asterisk!