<div dir="ltr"><div class="gmail_quote">---------- Mensagem encaminhada ----------<br>De: "Asterisk Development Team" <<a href="mailto:asteriskteam@digium.com" target="_blank">asteriskteam@digium.com</a>><br>
Data: 12/06/2014 17:40<br>Assunto: [asterisk-dev] Asterisk 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1 Now Available (Security Release)<br>
Para: <<a href="mailto:asterisk-dev@lists.digium.com" target="_blank">asterisk-dev@lists.digium.com</a>><br>Cc: <br><br type="attribution">The Asterisk Development Team has announced security releases for Certified<br>
Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security<br>
releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1,<br>
and 12.3.1.<br>
<br>
These releases are available for immediate download at<br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<br>
The release of these versions resolves the following issue:<br>
<br>
* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP<br>
Connections<br>
<br>
Establishing a TCP or TLS connection to the configured HTTP or HTTPS port<br>
respectively in http.conf and then not sending or completing a HTTP request<br>
will tie up a HTTP session. By doing this repeatedly until the maximum number<br>
of open HTTP sessions is reached, legitimate requests are blocked.<br>
<br>
Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the<br>
following issue:<br>
<br>
* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized<br>
Shell Access<br>
<br>
Manager users can execute arbitrary shell commands with the MixMonitor manager<br>
action. Asterisk does not require system class authorization for a manager<br>
user to use the MixMonitor action, so any manager user who is permitted to use<br>
manager commands can potentially execute shell commands as the user executing<br>
the Asterisk process.<br>
<br>
Additionally, the release of 12.3.1 resolves the following issues:<br>
<br>
* AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe<br>
Framework<br>
<br>
A remotely exploitable crash vulnerability exists in the PJSIP channel<br>
driver's pub/sub framework. If an attempt is made to unsubscribe when not<br>
currently subscribed and the endpoint's “sub_min_expiry” is set to zero,<br>
Asterisk tries to create an expiration timer with zero seconds, which is not<br>
allowed, so an assertion raised.<br>
<br>
* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions<br>
<br>
When a SIP transaction timeout caused a subscription to be terminated, the<br>
action taken by Asterisk was guaranteed to deadlock the thread on which SIP<br>
requests are serviced. Note that this behavior could only happen on<br>
established subscriptions, meaning that this could only be exploited if an<br>
attacker bypassed authentication and successfully subscribed to a real<br>
resource on the Asterisk server.<br>
<br>
These issues and their resolutions are described in the security advisories.<br>
<br>
For more information about the details of these vulnerabilities, please read<br>
security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008,<br>
which were released at the same time as this announcement.<br>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3" target="_blank">http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1</a><br>
<a href="http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1" target="_blank">http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1</a><br>
<br>
The security advisories are available at:<br>
<br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-005.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-005.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-006.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-006.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-007.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-007.pdf</a><br>
* <a href="http://downloads.asterisk.org/pub/security/AST-2014-008.pdf" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-008.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!<br>
<br>
<br>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br></div>
</div>