Asterisk Development Team
2014-Jun-13 06:40 UTC
[asterisk-announce] Asterisk 1.8.15-cert7, 1.8.28.2, 11.6-cert4, 11.10.2, 12.3.2 Now Available (Security/Regression Release)
The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert7, 11.6-cert4, 1.8.28.2, 11.10.2, and 12.3.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

These releases resolve security vulnerabilities that were previously fixed in 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1. Unfortunately, the fix for AST-2014-007 inadvertently introduced a regression in Asterisk's TCP and TLS handling that prevented Asterisk from sending data over these transports. This regression and the security vulnerabilities have been fixed in the versions specified in this release announcement.

The security patches for AST-2014-007 have been updated with the fix for the regression, and are available at
http://downloads.asterisk.org/pub/security

Please note that the release of these versions resolves the following security vulnerabilities:

* AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access
* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections
* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released with the previous versions that addressed these vulnerabilities.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert7
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert4
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.2

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-008.pdf

Thank you for your continued support of Asterisk!