<div dir="ltr">PSC<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Development Team</b> <span dir="ltr">&lt;<a href="mailto:asteriskteam@digium.com">asteriskteam@digium.com</a>&gt;</span><br>
Date: 2014-03-10 19:10 GMT-03:00<br>Subject: [asterisk-dev] Asterisk 1.8.15-cert5, 1.8.26.1, 11.6-cert2, 11.8.1, 12.1.1 Now Available (Security Release)<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br>
<br><br>The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security<br>
releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1,<br>
and 12.1.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following issues:<br>
<br>
* AST-2014-001: Stack overflow in HTTP processing of Cookie headers.<br>
<br>
  Sending an HTTP request that is handled by Asterisk with a large number of<br>
  Cookie headers could overflow the stack.<br>
<br>
  Another vulnerability along similar lines is that any HTTP request with a<br>
  ridiculous number of headers in the request could exhaust system memory.<br>
<br>
* AST-2014-002: chan_sip: Exit early on bad session timers request<br>
<br>
  This change allows chan_sip to avoid creation of the channel and<br>
  consumption of associated file descriptors altogether if the inbound<br>
  request is going to be rejected anyway.<br>
<br>
Additionally, the release of 12.1.1 resolves the following issue:<br>
<br>
* AST-2014-003: res_pjsip: When handling 401/407 responses don&#39;t assume a<br>
  request will have an endpoint.<br>
<br>
  This change removes the assumption that an outgoing request will always<br>
  have an endpoint and makes the authenticate_qualify option work once again.<br>
<br>
Finally, a security advisory, AST-2014-004, was released for a vulnerability<br>
fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to<br>
12.1.1 to resolve both vulnerabilities.<br>
<br>
These issues and their resolutions are described in the security advisories.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004,<br>
which were released at the same time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert5" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert5</a><br>

<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert2" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert2</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.8.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.8.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.1.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.1.1</a><br>
<br>
The security advisories are available at:<br>
<br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2014-001.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-001.pdf</a><br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2014-002.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-002.pdf</a><br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2014-003.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-003.pdf</a><br>
 * <a href="http://downloads.asterisk.org/pub/security/AST-2014-004.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-004.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<span class="HOEnZb"><font color="#888888"><br>
</font></span></div><br><br clear="all"><div><br></div>-- <br><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br>
</div>
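Both failure modes listed under AST-2014-001 come from work that grows with the number of headers a peer sends. This added example (not Asterisk's code and not part of the announcement) scans a header block iteratively and in place, and rejects the request once a cap is exceeded. The names `scan_headers` and `build_sample` and the limits `MAX_HEADERS` and `MAX_HEADER_LINE` are hypothetical, and the buffer is assumed to start just after the request line.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_HEADERS     100   /* assumed cap, not taken from the advisory */
#define MAX_HEADER_LINE 4096  /* assumed cap on a single header line */
enum { PARSE_OK = 0, PARSE_TOO_MANY = -1, PARSE_LINE_TOO_LONG = -2, PARSE_MALFORMED = -3 };

/* Walk the header block held in buf[0..len). Each header is inspected where
 * it sits: no per-header stack or heap allocation and no recursion, so the
 * cost stays bounded whatever the peer sends. The counts are written to
 * *n_headers and *n_cookies as the scan proceeds. */
int scan_headers(const char *buf, size_t len, size_t *n_headers, size_t *n_cookies)
{
    size_t pos = 0;
    *n_headers = *n_cookies = 0;
    while (pos < len) {
        const char *line = buf + pos;
        const char *eol = memchr(line, '\n', len - pos);
        if (eol == NULL) return PARSE_MALFORMED;        /* unterminated line */
        size_t line_len = (size_t)(eol - line);
        pos += line_len + 1;
        if (line_len > 0 && line[line_len - 1] == '\r') line_len--;
        if (line_len == 0) return PARSE_OK;             /* blank line ends the headers */
        if (line_len > MAX_HEADER_LINE) return PARSE_LINE_TOO_LONG;
        if (++*n_headers > MAX_HEADERS) return PARSE_TOO_MANY;  /* stop before more work */
        if (memchr(line, ':', line_len) == NULL) return PARSE_MALFORMED;
        if (line_len >= 7 && strncasecmp(line, "Cookie:", 7) == 0) ++*n_cookies;
    }
    return PARSE_MALFORMED;                             /* no terminating blank line */
}

/* Constructed sample input: n Cookie headers followed by the blank line. */
size_t build_sample(char *out, size_t cap, size_t n)
{
    size_t used = 0;
    for (size_t i = 0; i < n && used + 32 < cap; i++)
        used += (size_t)snprintf(out + used, cap - used, "Cookie: a=%zu\r\n", i);
    return used + (size_t)snprintf(out + used, cap - used, "\r\n");
}

int main(void)
{
    char buf[8192]; size_t h, c;
    size_t len = build_sample(buf, sizeof buf, 150);
    int rc = scan_headers(buf, len, &h, &c);
    printf("rc=%d headers=%zu cookies=%zu\n", rc, h, c);
    return 0;
}
```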