New releases of Zaptel, LibPRI, Asterisk (Some security fixes)

Author: Matt Riddell

While there has not been an announcement, I noticed in the SVN-Commits that new versions of pretty much every release of Zaptel, LibPRI and Asterisk have been released.

LibPRI 1.2.4 Released
Asterisk-Addons 1.2.5 released
Asterisk-Addons 1.4.0-beta2 released
Zaptel 1.2.10 released
Zaptel 1.4.0-beta2 released
Asterisk 1.2.13 released
Asterisk 1.4.0-beta3 released
Asterisk 1.0.12 released

  • chan_skinny
    • An exploitable buffer overflow in this channel driver was fixed.

Update: The announcements are through now:

The Asterisk Development team has released an update to Asterisk 1.0, Asterisk 1.0.12.

This release contains a fix for a security vulnerability recently found in the chan_skinny channel driver (for Cisco SCCP phones). This vulnerability would enable an attacker to remotely execute code as the system user running Asterisk (frequently 'root'). The exploit does not require that the skinny.conf contain any valid phone entries, only that chan_skinny is loaded and operational.

All Asterisk 1.0 users are urged to update to this release if they use the chan_skinny channel driver, or to stop loading it if it is not needed ('noload=>chan_skinny.so' in modules.conf will cause this behavior).

As always, the release files are available on the Digium FTP servers at ftp://ftp.digium.com, in both tarball and patch file form. All of the release files have been signed with our GPG keys and the signature files are available in the same directories as the release files.

Thanks for using and supporting Asterisk!

The Asterisk Development team has released an update to Asterisk 1.2, Asterisk 1.2.13.

This release contains a fix for a security vulnerability recently found in the chan_skinny channel driver (for Cisco SCCP phones). This vulnerability would enable an attacker to remotely execute code as the system user running Asterisk (frequently 'root'). The exploit does not require that the skinny.conf contain any valid phone entries, only that chan_skinny is loaded and operational.

This release also contains a number of bug fixes, and some improvements to the chan_sip channel driver (for SIP devices) to mitigate the impacts of a certain class of denial-of-service attacks that have recently been published.

All Asterisk 1.2 users are urged to update to this release if they use the chan_skinny channel driver, or to stop loading it if it is not needed ('noload=>chan_skinny.so' in modules.conf will cause this behavior).

The team has also released Zaptel 1.2.10, Asterisk-Addons 1.2.5 and libpri 1.2.5; these releases contain only bug fixes and minor improvements.

As always, the release files are available on the Digium FTP servers at ftp://ftp.digium.com, in both tarball and patch file form. All of the release files have been signed with our GPG keys and the signature files are available in the same directories as the release files.

The Asterisk Development team has released another beta test release of Asterisk 1.4, 1.4.0-beta3.

This release also contains a number of bug fixes, and some improvements to the chan_sip channel driver (for SIP devices) to mitigate the impacts of a certain class of denial-of-service attacks that have recently been published.

Note that Asterisk 1.4 is not vulnerable to the chan_skinny exploit that resulted in updated releases of Asterisk 1.0 and Asterisk 1.2.

The team has also released Zaptel 1.4.0-beta2 and Asterisk-Addons 1.4.0-beta2; these releases contain only bug fixes and minor improvements.

As always, the release files are available on the Digium FTP servers at ftp://ftp.digium.com, in both tarball and patch file form. All of the release files have been signed with our GPG keys and the signature files are available in the same directories as the release files.

Thanks for using and supporting Asterisk!
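
The announcements above give 'noload=>chan_skinny.so' in modules.conf as the workaround for systems that do not need the driver. The following check is an added example, not part of the announcements or of Asterisk itself: it reads the text of a modules.conf and reports whether chan_skinny could still be loaded. It assumes a deliberately conservative model of the loader: a missing autoload setting is treated as 'yes', and an explicit load line is flagged even when a noload line is also present. The function name and the sample files are constructed for illustration.

```python
import re

MODULE = "chan_skinny.so"
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}  # values treated as true

# Constructed sample modules.conf files (not taken from any real system).
SAMPLE_MITIGATED = """\
[modules]
autoload=yes
noload => chan_skinny.so   ; not needed here
"""
SAMPLE_COMMENTED_OUT = """\
[modules]
autoload=yes
;noload => chan_skinny.so
"""
SAMPLE_EXPLICIT_LOAD = """\
[modules]
autoload=no
load => chan_skinny.so
"""

def skinny_status(conf_text, module=MODULE):
    """Return 'disabled' or 'may-load' for `module` given modules.conf text."""
    section = None
    autoload = True                      # assumption: missing autoload means 'yes'
    loads, noloads = set(), set()
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)  # section header, e.g. [modules]
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "modules" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        value = value.lstrip(">").strip()        # accept both '=' and '=>'
        if key == "autoload":
            autoload = value.lower() in TRUE_VALUES
        elif key == "load":
            loads.add(value)
        elif key == "noload":
            noloads.add(value)
    if module in loads:                          # explicit load: always flag it
        return "may-load"
    return "may-load" if autoload and module not in noloads else "disabled"
```

A 'may-load' result on an Asterisk 1.0 or 1.2 system that has not been updated means the workaround is not in effect; note that a commented-out noload line counts as absent.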

