<p>Psc</p>
<div class="gmail_quote">Em 03/01/2013 15:08, "Asterisk Development Team" <<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>> escreveu:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The Asterisk Development Team has announced a security release for Asterisk 11,<br>
Asterisk 11.1.2. This release addresses the security vulnerabilities reported in<br>
AST-2012-014 and AST-2012-015, and replaces the previous version of Asterisk 11<br>
released for these security vulnerabilities. The prior release left open a<br>
vulnerability in res_xmpp that exists only in Asterisk 11; as such, other<br>
versions of Asterisk were resolved correctly by the previous releases.<br>
<br>
This release is available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolve the following two issues:<br>
<br>
* Stack overflows that occur in some portions of Asterisk that manage a TCP<br>
connection. In SIP, this is exploitable via a remote unauthenticated session;<br>
in XMPP and HTTP connections, this is exploitable via remote authenticated<br>
sessions. The vulnerabilities in SIP and HTTP were corrected in a prior<br>
release of Asterisk; the vulnerability in XMPP is resolved in this release.<br>
<br>
* A denial of service vulnerability through exploitation of the device state<br>
cache. Anonymous calls had the capability to create devices in Asterisk that<br>
would never be disposed of. Handling the cachability of device states<br>
aggregated via XMPP is handled in this release.<br>
<br>
These issues and their resolutions are described in the security advisories.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2012-014 and AST-2012-015.<br>
<br>
For a full list of changes in the current release, please see the ChangeLog:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2012-014.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-014.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2012-015.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-015.pdf</a><br>
<br>
Thank you for your continued support of Asterisk - and we apologize for having<br>
to do this twice!<br>
<br>
<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</blockquote></div>