<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>russellbryant.net &#187; Security</title>
	<atom:link href="http://www.russellbryant.net/blog/category/asterisk/asterisk-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.russellbryant.net/blog</link>
	<description>Open Source Software Engineering</description>
	<lastBuildDate>Tue, 10 Jan 2012 03:08:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2</generator>
		<item>
		<title>Asterisk 1.4.21.2 and 1.2.30 Released</title>
		<link>http://www.russellbryant.net/blog/2008/07/22/asterisk-14212-and-1230-released/</link>
		<comments>http://www.russellbryant.net/blog/2008/07/22/asterisk-14212-and-1230-released/#comments</comments>
		<pubDate>Tue, 22 Jul 2008 23:42:19 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Release]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/?p=81</guid>
		<description><![CDATA[The Asterisk.org development team has released Asterisk versions 1.4.21.2 and 1.2.30. Both of these releases include fixes for two security issues. Both of these issues affect users of the IAX2 channel driver. For more details on these vulnerabilities, see the published security advisories, AST-2008-010 and AST-2008-011. Thank you for your continued support of Asterisk!]]></description>
			<content:encoded><![CDATA[<p>The Asterisk.org development team has released Asterisk versions 1.4.21.2 and 1.2.30.</p>
<p>Both of these releases include fixes for two security issues.  Both of these issues affect users of the IAX2 channel driver.  For more details on these vulnerabilities, see the published security advisories, <a href="http://downloads.digium.com/pub/security/AST-2008-010.html">AST-2008-010</a> and <a href="http://downloads.digium.com/pub/security/AST-2008-011.html">AST-2008-011</a>.</p>
<p>Thank you for your continued support of Asterisk!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/07/22/asterisk-14212-and-1230-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asterisk 1.2.29 Released</title>
		<link>http://www.russellbryant.net/blog/2008/06/03/asterisk-1229-released/</link>
		<comments>http://www.russellbryant.net/blog/2008/06/03/asterisk-1229-released/#comments</comments>
		<pubDate>Tue, 03 Jun 2008 20:06:06 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Release]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/?p=63</guid>
		<description><![CDATA[The asterisk.org development team has released Asterisk version 1.2.29. This release contains a fix for a security issue that is documented in AST-2008-008. The SIP channel driver in Asterisk 1.2 had a remote crash vulnerability when pedantic mode is enabled. For more information on the vulnerability, see the advisory: http://downloads.digium.com/pub/security/AST-2008-008.html Thank you for your continued [...]]]></description>
			<content:encoded><![CDATA[<p>The asterisk.org development team has released Asterisk version 1.2.29.</p>
<p>This release contains a fix for a security issue that is documented in AST-2008-008.  The SIP channel driver in Asterisk 1.2 had a remote crash vulnerability when pedantic mode is enabled.  For more information on the vulnerability, see the advisory:</p>
<p><a href="http://downloads.digium.com/pub/security/AST-2008-008.html">http://downloads.digium.com/pub/security/AST-2008-008.html</a></p>
<p>Thank you for your continued support of Asterisk!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/06/03/asterisk-1229-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asterisk 1.4.19.2 Released</title>
		<link>http://www.russellbryant.net/blog/2008/05/13/asterisk-14192-released/</link>
		<comments>http://www.russellbryant.net/blog/2008/05/13/asterisk-14192-released/#comments</comments>
		<pubDate>Tue, 13 May 2008 18:15:40 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Release]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/?p=57</guid>
		<description><![CDATA[This release is related to my IAX2 performance improvements. &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212; The Asterisk.org development team has released Asterisk version 1.4.19.2. This release includes some IAX2 channel driver updates. Asterisk 1.4.19.1 was released to address an IAX2 security vulnerability. Unfortunately, the changes made to address the security issue had a negative impact on IAX2 performance in Asterisk. [...]]]></description>
			<content:encoded><![CDATA[<p>This release is related to my <a href="http://www.russellbryant.net/blog/index.php/2008/05/05/iax2-performance/">IAX2 performance</a> improvements.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p>
<p>The Asterisk.org development team has released Asterisk version 1.4.19.2.</p>
<p>This release includes some IAX2 channel driver updates.  Asterisk 1.4.19.1 was released to address an IAX2 security vulnerability.  Unfortunately, the changes made to address the security issue had a negative impact on IAX2 performance in Asterisk.  These issues have been addressed and the related fixes are included in this release.  With these changes, the performance of IAX2 in Asterisk should be far better than it was even before the changes for the security issue were made.</p>
<p>Anyone that uses IAX2 should use this release instead of 1.4.19.1.</p>
<p>The release is available for download from the Digium downloads site.</p>
<p><a href="http://downloads.digium.com/pub/telephony/asterisk">http://downloads.digium.com/pub/telephony/asterisk/</a></p>
<p>Thank you for your continued support of Asterisk!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/05/13/asterisk-14192-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IAX2 Performance</title>
		<link>http://www.russellbryant.net/blog/2008/05/05/iax2-performance/</link>
		<comments>http://www.russellbryant.net/blog/2008/05/05/iax2-performance/#comments</comments>
		<pubDate>Mon, 05 May 2008 23:17:08 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[IAX2]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/?p=55</guid>
		<description><![CDATA[As a part of the latest Asterisk security release, the IAX2 channel driver in Asterisk got various changes to make it more difficult to abuse IAX2 in Asterisk in a traffic amplification attack. IAX2 uses call numbers to specify which packets are associated with which call. One of the changes that I made for the [...]]]></description>
			<content:encoded><![CDATA[<p>As a part of the latest Asterisk security release, the IAX2 channel driver in Asterisk got various changes to make it more difficult to abuse IAX2 in Asterisk in a traffic amplification attack.  IAX2 uses call numbers to specify which packets are associated with which call. One of the changes that I made for the security issue was to have Asterisk randomly choose call numbers where it previously chose the lowest one that it could.</p>
<p>This change had an unfortunate side effect.  It highlighted a part of chan_iax2 that was extremely inefficient.  The higher the call number, the worse this piece of code performed.  By choosing a very high call number, the performance of the server would plummet.  On a small embedded platform, this may have meant that it couldn&#8217;t handle a single call.  On my Intel Core 2 Duo machine @ 2.33 GHz, this meant that I couldn&#8217;t handle much more than about 16 IAX2 channels.  That is <i>terrible</i>.</p>
<p>So, this got me motivated to fix up this code once and for all.  I reworked some of the IAX2 code in Asterisk to index calls in a hash table in such a way that the lookup that previously had such terrible performance could be performed very quickly.</p>
<p>Testing my new code against chan_iax2 with my security fixes yielded a 3600% concurrent IAX2 channel increase!  However, even when compared with the code before the security fixes, the IAX2 channel driver is still able to handle a lot more calls.  On my machine, the most recent code can handle 55% more concurrent IAX2 channels than the code could handle before the security changes.</p>
<p>Asterisk 1.4.20 will contain these changes.  Normally I would not put enhancements like this in the 1.4 release version of Asterisk.  However, this was a special situation.  So, enjoy!</p>
<p>There has been criticism of IAX2 performance in the past.  However, during the 1.4 release series, I have put a lot of work into re-doing a lot of data structure management.  Most of the changes were inspired by bugs that came up, but had nice performance impacts as a beneficial side effect.</p>
<p>At this point, I cannot see any reason that the IAX2 channel driver in Asterisk would perform any worse than SIP.  It would be interesting to do some more IAX2 versus SIP comparisons with the most recent code.  In Asterisk trunk, a lot of work has gone into the data structures supporting both protocols.  All critical data structures have been carefully converted to be indexed in hash tables using the astobj2 object model.  Not only are lookups much faster with the hash tables, but the astobj2 object model has a lot of very nice locking features which provide even more performance improvements.</p>
<p>Anyway, thank you all for your continued support of Asterisk!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/05/05/iax2-performance/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Asterisk 1.2.28, 1.4.19.1, and 1.6.0-beta8 Released</title>
		<link>http://www.russellbryant.net/blog/2008/04/22/asteirsk-1228-14191-and-160-beta8-released/</link>
		<comments>http://www.russellbryant.net/blog/2008/04/22/asteirsk-1228-14191-and-160-beta8-released/#comments</comments>
		<pubDate>Tue, 22 Apr 2008 23:10:58 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Release]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/?p=53</guid>
		<description><![CDATA[The Asterisk development team has released versions 1.2.28, 1.4.19.1, and 1.6.0-beta8. All of these releases contain a security patch for the vulnerability described in the AST-2008-006 security advisory. 1.6.0-beta8 is also a regular update to the 1.6.0 series with a number of bug fixes over the previous beta release. Early last year, we made some [...]]]></description>
			<content:encoded><![CDATA[<p>The Asterisk development team has released versions 1.2.28, 1.4.19.1, and 1.6.0-beta8.</p>
<p>All of these releases contain a security patch for the vulnerability described in the AST-2008-006 security advisory.  1.6.0-beta8 is also a regular update to the 1.6.0 series with a number of bug fixes over the previous beta release.</p>
<p>Early last year, we made some modifications to the IAX2 channel driver to combat potential usage of IAX2 in traffic amplification attacks.  Unfortunately, our fix was not complete and we were not notified of this until the original reporter of the issue decided to release information on how to exploit it to the public.</p>
<p>This issue affects all users of IAX2 that have allowed non-authenticated calls.  For more information on the vulnerability, see the published security advisory.</p>
<ul>
<li><a href="http://downloads.digium.com/pub/security/AST-2008-006.pdf">http://downloads.digium.com/pub/security/AST-2008-006.pdf</a></li>
</ul>
<p>All releases are available for download from the following location:</p>
<ul>
<li><a href="http://downloads.digium.com/pub/telephony/asterisk/">http://downloads.digium.com/pub/telephony/asterisk/</a></li>
</ul>
<p>Thank you for your continued support of Asterisk!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/04/22/asteirsk-1228-14191-and-160-beta8-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(Critical Updates) Asterisk 1.2.27, 1.4.18.1, 1.4.19-rc3, 1.6.0-beta6 Released</title>
		<link>http://www.russellbryant.net/blog/2008/03/19/critical-updates-asterisk-1227-14181-1419-rc3-160-beta6-released/</link>
		<comments>http://www.russellbryant.net/blog/2008/03/19/critical-updates-asterisk-1227-14181-1419-rc3-160-beta6-released/#comments</comments>
		<pubDate>Wed, 19 Mar 2008 23:45:13 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Release]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/index.php/2008/03/19/critical-updates-asterisk-1227-14181-1419-rc3-160-beta6-released/</guid>
		<description><![CDATA[The Asterisk.org development team has released four new versions of Asterisk to address critical security vulnerabilities. AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling. http://downloads.digium.com/pub/security/AST-2008-002.pdf All users of SIP in Asterisk 1.4 and 1.6 are affected. AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and [...]]]></description>
			<content:encoded><![CDATA[<p>The Asterisk.org development team has released four new versions of Asterisk to address critical security vulnerabilities.</p>
<p>AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling.</p>
<ul>
<li> <a href="http://downloads.digium.com/pub/security/AST-2008-002.pdf">http://downloads.digium.com/pub/security/AST-2008-002.pdf</a></li>
<li> All users of SIP in Asterisk 1.4 and 1.6 are affected.</li>
</ul>
<p>AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf.</p>
<ul>
<li> <a href="http://downloads.digium.com/pub/security/AST-2008-003.pdf">http://downloads.digium.com/pub/security/AST-2008-003.pdf</a></li>
<li> All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected.</li>
</ul>
<p>AST-2008-004 details some format string vulnerabilities that were found in the code handling the Asterisk logger and the Asterisk manager interface.</p>
<ul>
<li> <a href="http://downloads.digium.com/pub/security/AST-2008-004.pdf">http://downloads.digium.com/pub/security/AST-2008-004.pdf</a></li>
<li> All users of Asterisk 1.6 are affected.</li>
</ul>
<p>Asterisk 1.2.27 and 1.4.18.1 are releases that only contain changes to fix these security vulnerabilities.</p>
<p>In addition to fixes for these security issues, 1.4.19-rc3 and 1.6.0-beta6 contain a number of other bug fixes over the previous release candidates and beta releases for the upcoming 1.4.19 and 1.6.0 releases.</p>
<p>We encourage all users affected by these security vulnerabilities to upgrade their installations as time permits.</p>
<p>Thank you for your continued support of Asterisk!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/03/19/critical-updates-asterisk-1227-14181-1419-rc3-160-beta6-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asterisk 1.6 Features: TLS for Manager (AMI) and HTTP</title>
		<link>http://www.russellbryant.net/blog/2008/01/30/asterisk-16-features-tls-for-manager-ami-and-http/</link>
		<comments>http://www.russellbryant.net/blog/2008/01/30/asterisk-16-features-tls-for-manager-ami-and-http/#comments</comments>
		<pubDate>Thu, 31 Jan 2008 05:43:55 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.russellbryant.net/blog/index.php/2008/01/30/asterisk-16-features-tls-for-manager-ami-and-http/</guid>
		<description><![CDATA[I have pointed out this file before, but I&#8217;d like to point it out again. If you&#8217;re curious what new features have been added for Asterisk 1.6 since 1.4 was released, then check out the CHANGES file. The current version of it can be found here. There are a lot of cool features in there, [...]]]></description>
			<content:encoded><![CDATA[<p>I have pointed out this file before, but I&#8217;d like to point it out again.  If you&#8217;re curious what new features have been added for Asterisk 1.6 since 1.4 was released, then check out the CHANGES file.  The current version of it can be found <a href="http://svn.digium.com/view/asterisk/trunk/CHANGES?view=markup">here</a>.</p>
<p>There are a lot of cool features in there, so I&#8217;ll pull some out from time to time to highlight them.</p>
<p>One of the nice features in this version is native TLS support for the Asterisk manager interface as well as the built-in HTTP server.  This was developed by one of our outstanding community developers, <a href="http://info.iet.unipi.it/~luigi/">Luigi Rizzo</a>.  This means that it is easier to make applications that use these interfaces more secure.  For example, users of the AsteriskGUI that is bundled with <a href="http://www.asterisknow.org/">AsteriskNOW</a> will have an easier time setting up secure access to configure Asterisk from a web browser.  Previously, the way to do this was to proxy communication with Asterisk through a web server such as Apache or lighttpd.</p>
<p>Turning on this feature is easy.  For the manager interface, only two options are required in the [general] section of manager.conf:<br />
<code><br />
sslenable = yes<br />
sslcert = /var/lib/asterisk/asterisk.pem<br />
</code></p>
<p>For the HTTP interface, the exact same two options are required, but for http.conf.</p>
<p>We take security very seriously in the Asterisk project.  This has really been demonstrated through our current process for handling security issues that get reported to us.  Now, in Asterisk 1.6, with TLS support for SIP signalling, the Asterisk Manager Interface (AMI), and the HTTP interface, we&#8217;re making it even easier to secure communications with your Asterisk server.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2008/01/30/asterisk-16-features-tls-for-manager-ami-and-http/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Asterisk 1.4.13 Released</title>
		<link>http://www.russellbryant.net/blog/2007/10/10/asterisk-1413-released/</link>
		<comments>http://www.russellbryant.net/blog/2007/10/10/asterisk-1413-released/#comments</comments>
		<pubDate>Wed, 10 Oct 2007 16:49:24 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Release]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://russellbryant.net/blog/?p=18</guid>
		<description><![CDATA[The Asterisk Development Team has released version 1.4.13. This release fixes a couple of security issues in the implementation of IMAP storage for voicemail. One of the issues is remotely exploitable. Any systems that do not use IMAP storage for voicemail are not affected by these issues. For more details on this issue, see the [...]]]></description>
			<content:encoded><![CDATA[<p>The Asterisk Development Team has released version 1.4.13.</p>
<p>This release fixes a couple of security issues in the implementation of IMAP storage for voicemail.  One of the issues is remotely exploitable.  Any systems that do not use IMAP storage for voicemail are not affected by these issues.  For more details on this issue, see the Asterisk security advisory here:</p>
<p><a href="http://downloads.digium.com/pub/asa/AST-2007-022.pdf">http://downloads.digium.com/pub/asa/AST-2007-022.pdf</a></p>
<p>This release also contains some other bug fixes that have been merged in the past week or so.  The other fixes include resolutions for a few different deadlocks, a couple of problems in res_jabber, chan_sip and RTP fixes, and a few more minor issues.  See the ChangeLog for a full listing of the changes:</p>
<p><a href="http://downloads.digium.com/pub/telephony/asterisk/ChangeLog-1.4.13">http://downloads.digium.com/pub/telephony/asterisk/ChangeLog-1.4.13</a></p>
<p>Thank you very much for your support!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2007/10/10/asterisk-1413-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AST-2007-021 &#8211; Asterisk IMAP storage of voicemail vulnerability</title>
		<link>http://www.russellbryant.net/blog/2007/08/24/ast-2007-021-asterisk-imap-storage-of-voicemail-vulnerability/</link>
		<comments>http://www.russellbryant.net/blog/2007/08/24/ast-2007-021-asterisk-imap-storage-of-voicemail-vulnerability/#comments</comments>
		<pubDate>Fri, 24 Aug 2007 22:45:36 +0000</pubDate>
		<dc:creator>russell</dc:creator>
				<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://russellbryant.net/blog/?p=6</guid>
		<description><![CDATA[The Asterisk development team has published a security advisory for a minor security issue related to IMAP storage of voicemail. A properly crafted email in the mailbox that Asterisk tries to open to play voicemail messages can cause the application to crash. See the security advisory for details on the issue.]]></description>
			<content:encoded><![CDATA[<p>The Asterisk development team has published a security advisory for a minor security issue related to IMAP storage of voicemail.  A properly crafted email in the mailbox that Asterisk tries to open to play voicemail messages can cause the application to crash.</p>
<p>See the <a href="http://downloads.digium.com/asa/AST-2007-021.pdf">security advisory</a> for details on the issue.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.russellbryant.net/blog/2007/08/24/ast-2007-021-asterisk-imap-storage-of-voicemail-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>