[asterisk-dev] Asterisk 13.1-cert5 and 13.8.1 Now Available (Security Release)
Asterisk Development Team
asteriskteam at digium.com
Thu Apr 14 17:20:03 CDT 2016
The Asterisk Development Team has announced security releases for Certified
Asterisk 13.1 and Asterisk 13. The available security releases are released
as
versions 13.1-cert5, and 13.8.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security
vulnerabilities:
* AST-2016-004: Long contact URIs in REGISTER requests can crash Asterisk
Asterisk may crash when processing an incoming REGISTER request if that
REGISTER contains a Contact header with a lengthy URI. This crash will
only
happen for requests that pass authentication. Unauthenticated REGISTER
requests will not result in a crash occurring.
* AST-2016-005: TCP denial of service in PJProject
PJProject has a limit on the number of TCP connections that it can accept.
Furthermore, PJProject does not close TCP connections it accepts. By
default,
this value is approximately 60. An attacker can deplete the number of
allowed
TCP connections by opening TCP connections and sending no data to
Asterisk.
If PJProject has been compiled in debug mode, then once the number of
allowed
TCP connections has been depleted, the next attempted TCP connection to
Asterisk will crash due to an assertion in PJProject. If PJProject has not
been compiled in debug mode, then any further TCP connection attempts
will be
rejected. This makes Asterisk unable to process TCP SIP traffic.
For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.8.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2016-004.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-005.pdf
Thank you for your continued support of Asterisk!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20160414/1e3a5a98/attachment.html>
More information about the asterisk-dev
mailing list