[AsteriskBrasil] Fwd: [asterisk-users] Asterisk 13.1-cert5 and 13.8.1 Now Available (Security Release)

Marcelo Terres mhterres em gmail.com
Quinta Abril 14 19:49:12 BRT 2016 

Marcelo H. Terres <mhterres at gmail.com>
IM: mhterres at jabber.mundoopensource.com.br
https://www.mundoopensource.com.br
https://twitter.com/mhterres
https://linkedin.com/in/marceloterres



---------- Forwarded message ----------
From: Asterisk Development Team <asteriskteam at digium.com>
Date: Thu, Apr 14, 2016 at 7:19 PM
Subject: [asterisk-users] Asterisk 13.1-cert5 and 13.8.1 Now Available
(Security Release)
To: Asterisk Users Mailing List <asterisk-users at lists.digium.com>


The Asterisk Development Team has announced security releases for Certified
Asterisk 13.1 and Asterisk 13. The available security releases are released as
versions 13.1-cert5, and 13.8.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerabilities:

* AST-2016-004: Long contact URIs in REGISTER requests can crash Asterisk

  Asterisk may crash when processing an incoming REGISTER request if that
  REGISTER contains a Contact header with a lengthy URI. This crash will only
  happen for requests that pass authentication. Unauthenticated REGISTER
  requests will not result in a crash occurring.

* AST-2016-005: TCP denial of service in PJProject

  PJProject has a limit on the number of TCP connections that it can accept.
  Furthermore, PJProject does not close TCP connections it accepts. By default,
  this value is approximately 60. An attacker can deplete the number of allowed
  TCP connections by opening TCP connections and sending no data to Asterisk.

  If PJProject has been compiled in debug mode, then once the number of allowed
  TCP connections has been depleted, the next attempted TCP connection to
  Asterisk will crash due to an assertion in PJProject. If PJProject has not
  been compiled in debug mode, then any further TCP connection attempts will be
  rejected. This makes Asterisk unable to process TCP SIP traffic.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.8.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2016-004.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-005.pdf

Thank you for your continued support of Asterisk!

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Mais detalhes sobre a lista de discussão AsteriskBrasil