Asterisk Development Team
2011-Feb-22 13:02 UTC
[asterisk-users] Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 Now Available
The Asterisk Development Team has announced security releases for Asterisk branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an issue that when decoding UDPTL packets, multiple stack and heap based arrays can be made to overflow by specially crafted packets. Systems configured for T.38 pass through or termination are vulnerable. The issue and resolution are described in the AST-2011-002 security advisory.

For more information about the details of this vulnerability, please read the security advisory AST-2011-002, which was released at the same time as this announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.39.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.22
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.4

Security advisory AST-2011-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-002.pdf

Thank you for your continued support of Asterisk!
Ishfaq Malik
2011-Feb-22 15:16 UTC
[asterisk-users] Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 Now Available
Has this issue been fixed in this release of 1.8 (or even in the previous 1.8.2.3)?

https://issues.asterisk.org/bug_view_advanced_page.php?bug_id=18403

Thanks

Ish

On Tue, 2011-02-22 at 08:02 -0500, Asterisk Development Team wrote:
> The Asterisk Development Team has announced security releases for Asterisk
> branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
> released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.
>
> These releases are available for immediate download at
> http://downloads.asterisk.org/pub/telephony/asterisk/releases
>
> The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
> issue that when decoding UDPTL packets, multiple stack and heap based arrays can
> be made to overflow by specially crafted packets. Systems configured for
> T.38 pass through or termination are vulnerable. The issue and resolution are
> described in the AST-2011-002 security advisory.
>
> For more information about the details of this vulnerability, please read the
> security advisory AST-2011-002, which was released at the same time as this
> announcement.
>
> For a full list of changes in the current release, please see the ChangeLog:
>
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.39.2
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.22
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.4
>
> Security advisory AST-2011-002 is available at:
>
> http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
>
> Thank you for your continued support of Asterisk!

--
Ishfaq Malik
Software Developer
PackNet Ltd

Office: 0161 660 3062
Andrew Latham
2011-Feb-22 15:23 UTC
[asterisk-users] Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 Now Available
On Tue, Feb 22, 2011 at 12:16 PM, Ishfaq Malik <ish at pack-net.co.uk> wrote:
> Has this issue been fixed in this release of 1.8 (or even in the
> previous 1.8.2.3)?
>
> https://issues.asterisk.org/bug_view_advanced_page.php?bug_id=18403
>
> Thanks
>
> Ish

< snip >

> --
> Ishfaq Malik
> Software Developer
> PackNet Ltd
>
> Office: 0161 660 3062

Yes, you can take the two minutes to search for "Must release lock" in http://svn.asterisk.org/svn/asterisk/tags/1.8.2.4/channels/chan_sip.c

~~~ Andrew "lathama" Latham lathama at gmail.com ~~~
Andrew Latham
2011-Feb-25 02:24 UTC
[asterisk-users] Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 Now Available
On Tue, Feb 22, 2011 at 12:16 PM, Ishfaq Malik <ish at pack-net.co.uk> wrote:
> Has this issue been fixed in this release of 1.8 (or even in the
> previous 1.8.2.3)?
>
> https://issues.asterisk.org/bug_view_advanced_page.php?bug_id=18403
>
> Thanks
>
> Ish

Ishfaq,

I spoke too soon and was looking at the wrong checkout. The 1.8.2.4 does NOT have the patch from issue 18403. Asterisk Branch 1.8.3 does have the patch which happened just 1 day after the 1.8.2.4 release. I must have lost the release email because I can only find the tag in SVN. I was confused and hope I did not cause you any confusion.

~~~ Andrew "lathama" Latham lathama at gmail.com ~~~