[asterisk-users] Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 Released

Asterisk Development Team asteriskteam at digium.com
Tue Feb 2 16:28:59 CST 2010


The Asterisk Development Team has announced security releases for Asterisk as
the following versions:

* 1.6.0.22
* 1.6.1.14
* 1.6.2.2

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix
described in security advisory AST-2010-001.

The issue is that an attacker attempting to negotiate T.38 over SIP can remotely
crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain
either a negative or exceptionally large value. The same crash also occurs when
the FaxMaxDatagram field is omitted from the SDP.

For more information about the details of this vulnerability, please read the
security advisory AST-2009-009, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.22
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.2

Security advisory AST-2010-001 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-001.pdf

Thank you for your continued support of Asterisk!
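
Added example (not part of the original announcement, and not the fix that
shipped in these releases): one way for a SIP endpoint to validate the T.38
max-datagram value in an SDP body, so that the three cases named above
(negative, exceptionally large, omitted) each end in a bounded value or a
rejection. The attribute spelling "a=T38FaxMaxDatagram:", the bounds, the
default and all function names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy values for this example; not taken from Asterisk. */
#define T38_DGRAM_MIN     1L
#define T38_DGRAM_MAX     1400L /* stays under a typical Ethernet MTU */
#define T38_DGRAM_DEFAULT 400L  /* used when the attribute is omitted */

enum t38_dgram_status { T38_DGRAM_OK, T38_DGRAM_DEFAULTED, T38_DGRAM_REJECTED };

/* Find "a=T38FaxMaxDatagram:<n>" in an SDP body. *out always ends up within
 * [T38_DGRAM_MIN, T38_DGRAM_MAX], whatever the peer sent. */
enum t38_dgram_status t38_max_datagram(const char *sdp, long *out)
{
    static const char key[] = "a=T38FaxMaxDatagram:";
    const size_t keylen = sizeof(key) - 1;
    const char *line = sdp;

    *out = T38_DGRAM_DEFAULT;
    while (line && *line) {
        if (strncmp(line, key, keylen) == 0) {
            const char *num = line + keylen;
            char *end;
            long v;

            errno = 0;
            v = strtol(num, &end, 10);
            /* Reject: no digits, trailing junk, overflow, out of range. */
            if (end == num || (*end != '\r' && *end != '\n' && *end != '\0') ||
                errno == ERANGE || v < T38_DGRAM_MIN || v > T38_DGRAM_MAX)
                return T38_DGRAM_REJECTED;
            *out = v;
            return T38_DGRAM_OK;
        }
        line = strchr(line, '\n'); /* advance to the next SDP line */
        if (line) line++;
    }
    return T38_DGRAM_DEFAULTED; /* attribute omitted: fall back to default */
}

int main(void)
{
    /* Constructed sample SDP fragment carrying a negative value. */
    const char *sdp = "m=image 4000 udptl t38\r\na=T38FaxMaxDatagram:-1\r\n";
    long n;
    int st = t38_max_datagram(sdp, &n);
    printf("status=%d size=%ld\n", st, n);
    return 0;
}
```

A caller would treat T38_DGRAM_REJECTED as grounds to decline the T.38
offer rather than continue with the default.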


