<p dir="ltr">Psc</p>
<div class="gmail_quote">---------- Mensagem encaminhada ----------<br>De: "Asterisk Development Team" <<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>><br>Data: 16/12/2013 20:44<br>Assunto: [asterisk-dev] Asterisk 1.8.15-cert4, 1.8.24.1, 10.12.4, 10.12.4-digiumphones, 11.2-cert3, 11.6.1 Now Available (Security Release)<br>
Para: <<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>><br>Cc: <br><br type="attribution">The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security<br>
releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,<br>
10.12.4-digiumphones, and 11.6.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolve the following issues:<br>
<br>
* A buffer overflow when receiving odd length 16 bit messages in app_sms. An<br>
infinite loop could occur which would overwrite memory when a message is<br>
received into the unpacksms16() function and the length of the message is an<br>
odd number of bytes.<br>
<br>
* Prevent permissions escalation in the Asterisk Manager Interface. Asterisk<br>
now marks certain individual dialplan functions as 'dangerous', which will<br>
inhibit their execution from external sources.<br>
<br>
A 'dangerous' function is one which results in a privilege escalation. For<br>
example, if one were to read the channel variable SHELL(rm -rf /) Bad<br>
Things(TM) could happen; even if the external source has only read<br>
permissions.<br>
<br>
Execution from external sources may be enabled by setting 'live_dangerously'<br>
to 'yes' in the [options] section of asterisk.conf. Although doing so is not<br>
recommended.<br>
<br>
These issues and their resolutions are described in the security advisories.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2013-006 and AST-2013-007, which were<br>
released at the same time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2013-006.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-006.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2013-007.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</div>