[AsteriskBrasil] Fwd: [asterisk-dev] Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 Now Available
Denis Galvão
denisgalvao at gmail.com
Fri Feb 19 11:26:58 BRST 2010
--
Denis Galvão
AsteriskBrasil.org
Help the AsteriskBrasil.org community, buy a t-shirt!
http://www.voipmania.com.br
Begin forwarded message:
> From: Asterisk Development Team <asteriskteam at digium.com>
> Date: February 18, 2010 21:51:58 GMT-02:00
> To: asteriskteam at digium.com
> Subject: [asterisk-dev] Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 Now Available
> Reply-To: Asterisk Developers Mailing List <asterisk-dev at lists.digium.com>
>
> The Asterisk Development Team has announced security releases for the following versions of Asterisk:
>
> * 1.2.40
> * 1.4.29.1
> * 1.6.0.24
> * 1.6.1.16
> * 1.6.2.4
>
> These releases are available for immediate download at
> http://downloads.asterisk.org/pub/telephony/asterisk/
>
> The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 include documentation describing a possible dialplan string injection with common usage of the ${EXTEN} (and other expansion variables). The issue and resolution are described in the AST-2010-002 security advisory.
>
> If you have a channel technology which can accept characters other than numbers and letters (such as SIP) it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212 which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer.
>
> Please note that this is not limited to a specific protocol or the Dial() application.
>
> The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug - that is the entire point of string expansion.
>
> However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan.
>
> With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked.
>
> This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers.
>
> For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement.
>
> Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in order to allow the filtering of strings as described in the best practices document.
>
> It should also be noted that the 1.6.x series of Asterisk had release candidates available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or if another round of RC changes is necessary, those version numbers will be used with -rc1 appended.
>
> For a full list of changes in the current releases, please see the ChangeLog:
>
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4
>
> Security advisory AST-2010-002 is available at:
>
> http://downloads.asterisk.org/pub/security/AST-2010-002.pdf
>
> The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up.
>
> http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
>
> Thank you for your continued support of Asterisk!
>
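As an added illustration of the FILTER() mitigation the forwarded announcement refers to, here is a constructed extensions.conf fragment (not from the announcement or the Asterisk sources) showing the weak pattern beside a hardened one; the context names, the Zap/g0 trunk and the reject handling are assumptions.

```ini
; Constructed example, not part of the announcement or of Asterisk itself.

[from-sip-weak]
; WEAK: _X. matches any string that starts with a digit, so a SIP user part
; such as 300&Zap/g1/4165551212 (the announcement's example) reaches Dial()
; unchanged, and the '&' turns it into a second outgoing channel leg.
exten => _X.,1,Dial(Zap/g0/${EXTEN})

[from-sip-hardened]
; HARDENED: keep only digits before the value reaches Dial().
; FILTER(allowed-chars,string) is the function the announcement says was
; backported to 1.2.40; later branches already have it.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; If filtering shortened the string, the request carried characters a
; dialled number never contains: log it and hang up instead of dialing.
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject,1)
exten => _X.,n,Dial(Zap/g0/${SAFE_EXTEN})
exten => reject,1,NoOp(Rejected dial string containing non-digit characters)
exten => reject,n,Hangup()
```

Logging the rejected attempts (the NoOp line above) is what makes probing of the dialplan visible in the Asterisk log, which is the detection side of the same mitigation.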