PSC<br><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Development Team</b> <span dir="ltr"><<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>></span><br>
Date: 2012/7/5<br>Subject: [asterisk-dev] Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, 10.5.2-digiumphones Now Available (Security Release)<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br>
<br><br>The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are<br>
released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones<br>
resolve the following two issues:<br>
<br>
* If Asterisk sends a re-invite and an endpoint responds to the re-invite with<br>
a provisional response but never sends a final response, then the SIP dialog<br>
structure is never freed and the RTP ports for the call are never released. If<br>
an attacker has the ability to place a call, they could create a denial of<br>
service by using all available RTP ports.<br>
<br>
* If a single voicemail account is manipulated by two parties simultaneously,<br>
a condition can occur where memory is freed twice causing a crash.<br>
<br>
These issues and their resolution are described in the security advisories.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2012-010 and AST-2012-011, which were released at the<br>
same time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2012-010.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-010.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2012-011.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-011.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</div><br>