russellbryant.net

Asterisk Open Source Software Engineering


Entries Tagged as 'Security'

Asterisk 1.4.21.2 and 1.2.30 Released

July 22nd, 2008 · No Comments

The Asterisk.org development team has released Asterisk versions 1.4.21.2 and 1.2.30. Both releases include fixes for two security issues, both of which affect users of the IAX2 channel driver. For more details on these vulnerabilities, see the published security advisories, AST-2008-010 and AST-2008-011. Thank you for your continued support of Asterisk!


Tags: Asterisk · Release · Security

Asterisk 1.2.29 Released

June 3rd, 2008 · No Comments

The Asterisk.org development team has released Asterisk version 1.2.29. This release contains a fix for a security issue that is documented in AST-2008-008. The SIP channel driver in Asterisk 1.2 had a remote crash vulnerability when pedantic mode was enabled. For more information on the vulnerability, see the advisory: http://downloads.digium.com/pub/security/AST-2008-008.html Thank you for your continued [...]


Tags: Asterisk · Release · Security

Asterisk 1.4.19.2 Released

May 13th, 2008 · No Comments

This release is related to my IAX2 performance improvements.

The Asterisk.org development team has released Asterisk version 1.4.19.2. This release includes some IAX2 channel driver updates. Asterisk 1.4.19.1 was released to address an IAX2 security vulnerability. Unfortunately, the changes to address the security issue had a negative impact on IAX2 performance in Asterisk. [...]


Tags: Asterisk · Release · Security

IAX2 Performance

May 5th, 2008 · 3 Comments

As part of the latest Asterisk security release, the IAX2 channel driver received various changes that make it more difficult to abuse IAX2 in a traffic amplification attack. IAX2 uses call numbers to specify which packets are associated with which call. One of the changes that I made for the [...]


Tags: Asterisk · Development · Security

Asterisk 1.2.28, 1.4.19.1, and 1.6.0-beta8 Released

April 22nd, 2008 · No Comments

The Asterisk development team has released versions 1.2.28, 1.4.19.1, and 1.6.0-beta8. All of these releases contain a security patch for the vulnerability described in the AST-2008-006 security advisory. 1.6.0-beta8 is also a regular update to the 1.6.0 series with a number of bug fixes over the previous beta release. Early last year, we made some [...]


Tags: Asterisk · Release · Security

(Critical Updates) Asterisk 1.2.27, 1.4.18.1, 1.4.19-rc3, 1.6.0-beta6 Released

March 19th, 2008 · No Comments

The Asterisk.org development team has released four new versions of Asterisk to address critical security vulnerabilities. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. http://downloads.digium.com/pub/security/AST-2008-002.pdf All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and [...]


Tags: Asterisk · Release · Security

Asterisk 1.6 Features: TLS for Manager (AMI) and HTTP

January 30th, 2008 · 1 Comment

I have pointed out this file before, but I’d like to point it out again. If you’re curious what new features have been added for Asterisk 1.6 since 1.4 was released, then check out the CHANGES file. The current version of it can be found here. There are a lot of cool features in there, [...]


Tags: Asterisk · Development · Security

Asterisk 1.4.13 Released

October 10th, 2007 · No Comments

The Asterisk Development Team has released version 1.4.13. This release fixes a couple of security issues in the implementation of IMAP storage for voicemail. One of the issues is remotely exploitable. Any systems that do not use IMAP storage for voicemail are not affected by these issues. For more details on this issue, see the [...]


Tags: Asterisk · Release · Security

AST-2007-021 – Asterisk IMAP storage of voicemail vulnerability

August 24th, 2007 · No Comments

The Asterisk development team has published a security advisory for a minor security issue related to IMAP storage of voicemail. A properly crafted email in the mailbox that Asterisk tries to open to play voicemail messages can cause the application to crash. See the security advisory for details on the issue.


Tags: Asterisk · Security