[AsteriskBrasil] Fwd: [asterisk-dev] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1 Now Available (Security Release)

Sylvio Jollenbeck sylvio.jollenbeck em gmail.com
Quarta Fevereiro 3 23:56:24 BRST 2016


---------- Mensagem encaminhada ----------
De: "Asterisk Development Team" <asteriskteam em digium.com>
Data: 03/02/2016 11:55 PM
Assunto: [asterisk-dev] Asterisk 11.6-cert12, 11.21.1, 13.1-cert3, 13.7.1
Now Available (Security Release)
Para: <asterisk-dev em lists.digium.com>
Cc:

The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security
releases
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security
vulnerabilities:

* AST-2016-001: BEAST vulnerability in HTTP server

  The Asterisk HTTP server currently has a default configuration which
allows
  the BEAST vulnerability to be exploited if the TLS functionality is
enabled.
  This can allow a man-in-the-middle attack to decrypt data passing through
it.

* AST-2016-002: File descriptor exhaustion in chan_sip

  Setting the sip.conf timert1 value to a value higher than 1245 can cause
an
  integer overflow and result in large retransmit timeout times. These large
  timeout values hold system file descriptors hostage and can cause the
system
  to run out of file descriptors.

* AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data.

  If no UDPTL packets are lost there is no problem. However, a lost packet
  causes Asterisk to use the available error correcting redundancy packets.
If
  those redundancy packets have zero length then Asterisk uses an
uninitialized
  buffer pointer and length value which can cause invalid memory accesses
later
  when the packet is copied.

For a full list of changes in the current releases, please see the
ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert12
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.1-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.7.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2016-001.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-002.pdf
 * http://downloads.asterisk.org/pub/security/AST-2016-003.pdf

Thank you for your continued support of Asterisk!


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://asteriskbrasil.org/pipermail/asteriskbrasil/attachments/20160203/31352a93/attachment.html>


Mais detalhes sobre a lista de discussão AsteriskBrasil