[asterisk-security] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1 Now Available (Security Release)
Asterisk Development Team
asteriskteam at digium.com
Wed Feb 3 19:55:00 CST 2016
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following security vulnerabilities:
* AST-2016-001: BEAST vulnerability in HTTP server
The Asterisk HTTP server currently has a default configuration which allows
the BEAST vulnerability to be exploited if the TLS functionality is enabled.
This can allow a man-in-the-middle attack to decrypt data passing through it.
* AST-2016-002: File descriptor exhaustion in chan_sip
Setting the sip.conf timert1 value to a value higher than 1245 can cause an
integer overflow and result in large retransmit timeout times. These large
timeout values hold system file descriptors hostage and can cause the system
to run out of file descriptors.
* AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data.
If no UDPTL packets are lost there is no problem. However, a lost packet
causes Asterisk to use the available error correcting redundancy packets. If
those redundancy packets have zero length then Asterisk uses an uninitialized
buffer pointer and length value which can cause invalid memory accesses later
when the packet is copied.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1
The security advisories are available at:
 * http://downloads.asterisk.org/pub/security/AST-2016-001.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-002.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-003.pdf
Thank you for your continued support of Asterisk!
More information about the asterisk-security
mailing list