Asterisk Development Team
2014-Dec-10 18:30 UTC
[asterisk-announce] Asterisk 11.6-cert9, 11.14.2, 12.7.2, 13.0.2 Now Available (Security Release)
The Asterisk Development Team has announced security releases for Certified Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read security advisory AST-2014-019, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

* http://downloads.asterisk.org/pub/security/AST-2014-019.pdf

Thank you for your continued support of Asterisk!
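The bug class described above (a resize to zero that frees the buffer but is reported as a failure) can be avoided with a resize helper like the following. This is an added example, not code from Asterisk or from the announcement; the `ws_session` type and the `ws_reserve` and `ws_destroy` names are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical session type for illustration; not Asterisk's structure. */
struct ws_session {
    char  *payload;   /* reusable frame buffer, owned by the session */
    size_t capacity;  /* bytes currently allocated in payload */
};

/*
 * Make room for a frame payload of `len` bytes.
 * Returns 0 on success, -1 on allocation failure. In both cases
 * s->payload is still valid and still owned by the session.
 *
 * Flawed pattern this avoids:
 *     tmp = realloc(s->payload, len);
 *     if (!tmp) return -1;      // len == 0: buffer may already be freed
 * On common allocators realloc(p, 0) frees p and returns NULL, so the
 * "failure" path leaves s->payload dangling and teardown frees it again.
 */
int ws_reserve(struct ws_session *s, size_t len)
{
    char *tmp;

    /* Covers len == 0: realloc(p, 0) is never called. */
    if (len <= s->capacity)
        return 0;

    tmp = realloc(s->payload, len);
    if (!tmp)
        return -1;               /* genuine failure: old buffer untouched */

    s->payload = tmp;
    s->capacity = len;
    return 0;
}

/* Teardown frees exactly once and clears the pointer, so a repeated
 * call degrades to free(NULL), which is a no-op. */
void ws_destroy(struct ws_session *s)
{
    free(s->payload);
    s->payload = NULL;
    s->capacity = 0;
}
```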