[AsteriskBrasil] [asterisk-dev] Asterisk 11.1.2 Now Available (Security Release)

Sylvio Jollenbeck sylvio.jollenbeck at gmail.com
Thu Jan 3 15:23:30 BRST 2013


Psc
On 03/01/2013 15:08, "Asterisk Development Team" <asteriskteam at digium.com> wrote:

> The Asterisk Development Team has announced a security release for
> Asterisk 11, Asterisk 11.1.2. This release addresses the security
> vulnerabilities reported in AST-2012-014 and AST-2012-015, and replaces
> the previous version of Asterisk 11 released for these security
> vulnerabilities. The prior release left open a vulnerability in res_xmpp
> that exists only in Asterisk 11; as such, other versions of Asterisk were
> resolved correctly by the previous releases.
>
> This release is available for immediate download at
> http://downloads.asterisk.org/pub/telephony/asterisk/releases
>
> The release of these versions resolves the following two issues:
>
> * Stack overflows that occur in some portions of Asterisk that manage a TCP
>   connection. In SIP, this is exploitable via a remote unauthenticated
>   session; in XMPP and HTTP connections, this is exploitable via remote
>   authenticated sessions. The vulnerabilities in SIP and HTTP were corrected
>   in a prior release of Asterisk; the vulnerability in XMPP is resolved in
>   this release.
>
> * A denial of service vulnerability through exploitation of the device
>   state cache. Anonymous calls had the capability to create devices in
>   Asterisk that would never be disposed of. Handling the cachability of
>   device states aggregated via XMPP is handled in this release.
>
> These issues and their resolutions are described in the security
> advisories.
>
> For more information about the details of these vulnerabilities, please
> read security advisories AST-2012-014 and AST-2012-015.
>
> For a full list of changes in the current release, please see the
> ChangeLog:
>
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2
>
> The security advisories are available at:
>
>  * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
>  * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
>
> Thank you for your continued support of Asterisk - and we apologize for
> having to do this twice!