PSC<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Development Team</b> <span dir="ltr"><<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>></span><br>
Date: 2012/8/30<br>Subject: [asterisk-dev] Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, 10.7.1-digiumphones Now Available (Security Release)<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br>
<br><br>The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are<br>
released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones<br>
resolve the following two issues:<br>
<br>
* A permission escalation vulnerability in Asterisk Manager Interface. This<br>
would potentially allow remote authenticated users the ability to execute<br>
commands on the system shell with the privileges of the user running the<br>
Asterisk application. Please note that the README-SERIOUSLY.bestpractices.txt<br>
file delivered with Asterisk has been updated due to this and other related<br>
vulnerabilities fixed in previous versions of Asterisk.<br>
<br>
* When an IAX2 call is made using the credentials of a peer defined in a<br>
dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that<br>
peer are not applied to the call attempt. This allows for a remote attacker<br>
who is aware of a peer's credentials to bypass the ACL rules set for that<br>
peer.<br>
<br>
These issues and their resolutions are described in the security advisories.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2012-012 and AST-2012-013, which were released at the<br>
same time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert7</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.15.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.7.1-digiumphones</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2012-012.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-012.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2012-013.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-013.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</div><br>