Asterisk Changelog

New in Asterisk 13.3.2 (Apr 10, 2015)

  • Mitigate man-in-the-middle (MitM) attack potential from a TLS certificate with a NULL byte in its Common Name (CN). When Asterisk verified a peer's certificate against the expected host name, a CN such as "good.example\0.evil.example" compared equal to "good.example" because the comparison stopped at the embedded NULL byte, so a certificate signed for a different name was accepted.
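The following is an added example, not Asterisk's own code, showing why a C-string comparison of the CN is unsafe and what the length-aware check looks like. The CN bytes are constructed for the example; an ASN.1 string carries an explicit length, so a NULL byte inside it survives all the way to the comparison.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sample CN (not from any real certificate): the bytes a signed
 * certificate would carry if its CN were "good.example\0.evil.example".
 * The certificate reports the full length, 27 bytes, including the NUL. */
static const unsigned char EVIL_CN[] = "good.example\0.evil.example";
#define EVIL_CN_LEN (sizeof(EVIL_CN) - 1)

/* Vulnerable comparison: treats the CN as a NUL-terminated C string, so
 * everything after the embedded NUL is invisible and the check passes. */
bool cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *expected_host)
{
    (void)cn_len;   /* the length from the certificate is ignored */
    return strcmp((const char *)cn, expected_host) == 0;
}

/* Hardened comparison: an embedded NUL anywhere inside the cn_len bytes
 * means the certificate is malformed and is rejected outright; otherwise
 * the comparison uses the full declared length rather than strcmp(). */
bool cn_matches_safe(const unsigned char *cn, size_t cn_len, const char *expected_host)
{
    if (memchr(cn, '\0', cn_len) != NULL) {
        return false;   /* embedded NUL inside the CN bytes */
    }
    if (strlen(expected_host) != cn_len) {
        return false;   /* different length, cannot be equal */
    }
    return memcmp(cn, expected_host, cn_len) == 0;
}
```

With EVIL_CN the naive check accepts "good.example" and the hardened check rejects the certificate. In practice, OpenSSL 1.0.2 and later provide X509_check_host(), which performs this kind of length-aware match against the Subject Alternative Name entries and the CN, and is preferable to hand-written comparison.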

New in Asterisk 13.3.1 (Apr 10, 2015)

  • pjsip: resolve ABI compatibility problem with external modules

New in Asterisk 13.1.1 (Jan 29, 2015)

  • Mitigate possible HTTP injection attacks using the CURL() function in Asterisk:
  • CVE-2014-8150 disclosed a vulnerability in libcURL where HTTP request injection can be performed given specially crafted URLs: line-break characters embedded in a URL were written into the request unescaped, letting the URL's author add headers or a second request.
  • Since Asterisk uses libcURL, and users may pass URLs obtained from user input or remote sources to CURL(), Asterisk has been patched to prevent such HTTP injection attacks from originating from Asterisk.
  • Fix file descriptor leak in RTP code:
  • SIP requests that offered codecs incompatible with configured values could result in the allocation of RTP and RTCP ports that would not get reclaimed later.
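An added example, not the Asterisk patch itself, of the input check a caller of libcURL wants in front of a URL that came from the dialplan or a remote source. The URL below is constructed for the example; it shows how a CRLF in the path turns into extra request lines if the library copies it through unescaped.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed attacker-supplied URL (not from the advisory): a CRLF pair is
 * smuggled into the query string. A libcurl affected by CVE-2014-8150 would
 * emit these bytes into the request verbatim, so the server sees an injected
 * header and the start of a second request. */
static const char INJECTED_URL[] =
    "http://api.example/lookup?id=1 HTTP/1.1\r\nX-Injected: yes\r\n\r\nGET /other";

/* Reject any URL containing a byte that can split or terminate an HTTP
 * request: CR, LF, the other ASCII control characters, and DEL. A URL may
 * carry such bytes only percent-encoded (%0D, %0A), which passes this check
 * because the encoded form is plain printable ASCII. */
bool url_safe_for_curl(const char *url)
{
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            return false;
        }
    }
    return true;
}

/* Count the request-line boundaries a raw URL would contribute if it were
 * pasted into "GET <url> HTTP/1.1\r\n" unchanged: the number of CRLF pairs.
 * Anything above zero means the URL's author controls headers. */
size_t injected_line_count(const char *url)
{
    size_t n = 0;
    for (const char *p = strstr(url, "\r\n"); p; p = strstr(p + 2, "\r\n")) {
        n++;
    }
    return n;
}
```

The check belongs in the caller even after upgrading libcURL (the library fix shipped in 7.40.0): a URL assembled from peer-controlled data is untrusted input, and refusing control characters before the request is built is cheaper than reasoning about every downstream consumer.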

New in Asterisk 13.0.0 (Dec 30, 2014)

  • Asterisk security events are now provided via AMI, allowing end users to monitor their Asterisk system in real time for security related issues.
  • Both AMI and ARI now allow external systems to control the state of a mailbox. Using AMI actions or ARI resources, external systems can programmatically trigger Message Waiting Indicators (MWI) on subscribed phones. This is of particular use to those who want to build their own VoiceMail application using ARI.
  • ARI now supports the reception/transmission of out of call text messages using any supported channel driver/protocol stack through ARI. Users receive out of call text messages as JSON events over the ARI websocket connection, and can send out of call text messages using HTTP requests.
  • The PJSIP stack now supports RFC 4662 Resource Lists, allowing Asterisk to act as a Resource List Server. This includes defining lists of presence state, mailbox state, or lists of presence state/mailbox state; managing subscriptions to lists; and batched delivery of NOTIFY requests to subscribers.
  • The PJSIP stack can now be used as a means of distributing device state or mailbox state via PUBLISH requests to other Asterisk instances. This is analogous to Asterisk’s clustering support using XMPP or Corosync; unlike existing clustering mechanisms, using the PJSIP stack to perform the distribution of state does not rely on another daemon or server to perform the work.

New in Asterisk 11.12.1 (Sep 23, 2014)

  • AST-2014-010: Resolve crash when the Message channel technology enters into the ReceiveFax application using res_fax_spandsp

New in Asterisk 11.8.1 (Mar 18, 2014)

  • AST-2012-002: chan_sip: Exit early on bad session timers request
  • AST-2014-001: Stack overflow in HTTP processing of Cookie headers.

New in Asterisk 11.5.1 (Aug 28, 2013)

  • AST-2013-005: Remote crash from invalid SDP:
  • If the SIP channel driver processes an invalid SDP that defines media descriptions before connection information, it may attempt to reference the socket address information even though that information has not yet been set. This will cause a crash.
  • This patch adds checks when handling the various media descriptions that ensures the media descriptions are handled only if we have connection information suitable for that media.
  • AST-2013-004: Fix crash when handling ACK on dialog that has no channel:
  • A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumed that the channel would always be present.
  • This patch adds a check such that the SDP will only be parsed and applied if Asterisk has a channel present that is associated with the dialog.
  • Note that the patch being applied was modified only slightly from the patch provided by Walter Doekes of OSSO B.V.
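An added example, not chan_sip's code, of the two checks described for AST-2013-005 and AST-2013-004 in one small SDP walk. It collects every m= section first and only then decides which ones have a connection address (session-level c= before the first m=, or a media-level c= inside the section), so the address is never dereferenced before it is known; and it refuses to parse an ACK's SDP at all when the dialog has no channel. The SDP bodies are constructed for the example; MAX_MEDIA and the struct layout are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MEDIA 8

struct sdp_media {
    char type[16];        /* "audio", "video", ... */
    char conn_addr[64];   /* connection address that applies to this section */
    bool has_conn;        /* false if neither level supplied a c= line */
};

struct sdp_parse {
    struct sdp_media media[MAX_MEDIA];
    int n_media;
    int rejected;         /* m= sections dropped for lack of a c= line */
};

/* Walk one SDP body (CRLF or LF line endings). Returns the number of media
 * sections that have connection information; the rest are counted in
 * out->rejected and are never applied. Nothing is acted on mid-parse. */
int sdp_parse(const char *body, struct sdp_parse *out)
{
    char session_addr[64] = "";
    memset(out, 0, sizeof(*out));

    const char *line = body;
    while (*line) {
        const char *end = strpbrk(line, "\r\n");
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        size_t copy = len < sizeof(buf) ? len : sizeof(buf) - 1;   /* bounded copy */
        memcpy(buf, line, copy);
        buf[copy] = '\0';

        if (strncmp(buf, "c=IN IP4 ", 9) == 0 || strncmp(buf, "c=IN IP6 ", 9) == 0) {
            /* before any m= line this is session level; afterwards it belongs
             * to the most recent media section and overrides the session value */
            if (out->n_media) {
                struct sdp_media *m = &out->media[out->n_media - 1];
                snprintf(m->conn_addr, sizeof(m->conn_addr), "%s", buf + 9);
                m->has_conn = true;
            } else {
                snprintf(session_addr, sizeof(session_addr), "%s", buf + 9);
            }
        } else if (strncmp(buf, "m=", 2) == 0 && out->n_media < MAX_MEDIA) {
            struct sdp_media *m = &out->media[out->n_media++];
            memset(m, 0, sizeof(*m));
            sscanf(buf + 2, "%15s", m->type);
            if (session_addr[0]) {   /* inherit the session-level address */
                snprintf(m->conn_addr, sizeof(m->conn_addr), "%s", session_addr);
                m->has_conn = true;
            }
        }
        /* advance past the terminator, eating either "\r\n" or a lone "\n" */
        line = end ? end + ((end[0] == '\r' && end[1] == '\n') ? 2 : 1) : line + len;
    }

    int usable = 0;
    for (int i = 0; i < out->n_media; i++) {
        if (out->media[i].has_conn) usable++;
        else out->rejected++;
    }
    return usable;
}

/* Hypothetical dialog: owner_channel is NULL once the channel has been torn
 * down. An ACK with SDP arriving in that state must not be parsed (AST-2013-004). */
struct sip_dialog { void *owner_channel; };

int sip_handle_ack_sdp(struct sip_dialog *d, const char *body, struct sdp_parse *out)
{
    if (!d->owner_channel) {
        return 0;   /* no channel: parse nothing, dereference nothing */
    }
    return sdp_parse(body, out);
}

/* Constructed SDP bodies for the example. */
static const char SDP_NO_CONN[] =
    "v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\ns=-\r\nt=0 0\r\n"
    "m=audio 4000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n";
static const char SDP_MEDIA_CONN[] =
    "v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\ns=-\r\nt=0 0\r\n"
    "m=audio 4000 RTP/AVP 0\r\nc=IN IP4 198.51.100.7\r\n"
    "m=video 4002 RTP/AVP 96\r\n";
static const char SDP_SESSION_CONN[] =
    "v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\ns=-\r\nc=IN IP4 203.0.113.5\r\nt=0 0\r\n"
    "m=audio 4000 RTP/AVP 0\r\nm=video 4002 RTP/AVP 96\r\n";
```

SDP_NO_CONN is the crashing shape: a media description with no connection information anywhere. SDP_MEDIA_CONN is legal SDP where the c= line follows its m= line; a parser that acts on the m= line the moment it sees it would use an unset address here, which is why the decision is deferred to the end of the walk.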

New in Asterisk 11.5.0 (Jul 16, 2013)

  • Properly lock and safely handle a transfer failure in IAX2
  • When touching the bridgecallno, we need to lock it - otherwise a race condition can occur. This patch does the proper locking of the bridgecallno before modifying its state.

New in Asterisk 11.2.2 (Mar 28, 2013)

  • AST-2013-001: Prevent buffer overflow through H.264 format negotiation:
  • The format attribute resource for H.264 video performs an unsafe read against a media attribute when parsing the SDP. The value passed in with the format attribute is not checked for its length when parsed into a fixed length buffer.
  • This patch resolves the vulnerability by only reading as many characters from the SDP value as will fit into the buffer.
  • AST-2013-002: Prevent denial of service in HTTP server:
  • AST-2012-014, fixed in January 2013, contained a fix for Asterisk's HTTP server for a remotely-triggered crash. While the fix put in place removed the possibility of the crash being triggered, a denial of service vector still existed with that solution if an attacker sends one or more HTTP POST requests with very large Content-Length values. This patch resolves this by capping the Content-Length at 1024 bytes. Any attempt to send an HTTP POST with a Content-Length greater than this cap will not result in any memory allocation; the POST is answered with an HTTP 413 "Request Entity Too Large" response.
  • This issue was reported by Christoph Hebeisen of TELUS Security Labs
  • AST-2013-003: Prevent username disclosure in SIP channel driver:
  • When authenticating a SIP request with alwaysauthreject enabled, allowguest disabled, and autocreatepeer disabled, Asterisk discloses whether a user exists for INVITE, SUBSCRIBE, and REGISTER transactions in several ways:
  • A "407 Proxy Authentication Required" response is sent instead of a "401 Unauthorized" response.
  • Additional tags are present or absent at the end of "403 Forbidden" (such as "(Bad Auth)") depending on whether the peer exists.
  • A "401 Unauthorized" response is sent instead of a "403 Forbidden" response after a retransmission.
  • Retransmissions are sent when a matching peer did not exist, but not when a matching peer did exist.
  • This patch resolves these vectors by ensuring that the responses sent in all scenarios are the same, regardless of the presence of a matching peer.
  • This issue was reported by Walter Doekes, OSSO B.V. A substantial portion of the testing and the solution to this problem was done by Walter as well - a huge thanks to his tireless efforts in finding all the ways in which this setting didn't work, providing automated tests, and working with Kinsey on getting this fixed.
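An added example, not Asterisk's res_format_attr_h264 code, of the bounded read described for AST-2013-001. The fmtp attribute list is split on ';' and each recognised value is copied into a fixed buffer with an explicit bound, recording truncation instead of overrunning. The buffer size SPS_MAX and the oversize input are assumptions constructed for the example.

```c
#include <string.h>

#define SPS_MAX 255   /* assumed capacity for the sprop-parameter-sets value */

struct h264_fmtp {
    char profile_level_id[16];
    char sprop_parameter_sets[SPS_MAX + 1];
    int truncated;   /* set when any value was longer than its buffer */
};

/* Vulnerable shape of the original read (never call this with peer data):
 *     char sps[SPS_MAX + 1];
 *     sscanf(attr, "sprop-parameter-sets=%s", sps);
 * "%s" with no width writes the entire SDP value past the end of sps. The
 * sscanf equivalent of the bound below is a width, e.g. "%255s". */

/* Copy at most cap-1 bytes of src[0..n) into dst and NUL-terminate,
 * recording whether anything had to be cut off. */
static void copy_bounded(char *dst, size_t cap, const char *src, size_t n, int *truncated)
{
    if (n > cap - 1) {
        n = cap - 1;
        *truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse the parameter list of "a=fmtp:<pt> ..." for H.264. Returns the
 * number of recognised parameters; unknown ones are skipped, not copied. */
int parse_h264_fmtp(const char *fmtp, struct h264_fmtp *out)
{
    static const char K_PLI[] = "profile-level-id=";
    static const char K_SPS[] = "sprop-parameter-sets=";
    const size_t pli_len = sizeof(K_PLI) - 1;
    const size_t sps_len = sizeof(K_SPS) - 1;
    int parsed = 0;
    memset(out, 0, sizeof(*out));

    const char *p = fmtp;
    while (*p) {
        while (*p == ' ') p++;                    /* tolerate "; " separators */
        const char *sep = strchr(p, ';');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len >= pli_len && strncmp(p, K_PLI, pli_len) == 0) {
            copy_bounded(out->profile_level_id, sizeof(out->profile_level_id),
                         p + pli_len, len - pli_len, &out->truncated);
            parsed++;
        } else if (len >= sps_len && strncmp(p, K_SPS, sps_len) == 0) {
            copy_bounded(out->sprop_parameter_sets, sizeof(out->sprop_parameter_sets),
                         p + sps_len, len - sps_len, &out->truncated);
            parsed++;
        }
        p = sep ? sep + 1 : p + len;
    }
    return parsed;
}

/* Constructed oversize input (not from the advisory): a 600-byte value that
 * would overrun a 256-byte buffer under the unbounded read. */
static char LONG_FMTP[700];
const char *build_long_fmtp(void)
{
    const char prefix[] = "profile-level-id=42e01f;sprop-parameter-sets=";
    size_t n = strlen(prefix);
    memcpy(LONG_FMTP, prefix, n);
    memset(LONG_FMTP + n, 'A', 600);
    LONG_FMTP[n + 600] = '\0';
    return LONG_FMTP;
}
```

Whether a truncated value should be kept or the whole offer rejected is a policy choice; what matters for the vulnerability is that the copy is bounded by the destination, not by the attacker's input.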

New in Asterisk 11.2.1 (Jan 23, 2013)

  • Fix astcanary startup problem due to wrong pid value from before daemon call
  • Update init.d scripts to handle stderr; re-add splash screen for remote consoles. This fixes two problems:
  • Not displaying the splash screen on a remote console.
  • Displaying an error message on stderr when a remote console cannot connect to a running instance of Asterisk.
  • Reset RTP timestamp and sequence number on SSRC change

New in Asterisk 11.1.2 (Jan 4, 2013)

  • Prevent crashes in res_xmpp when receiving large messages
  • Similar to r378287, res_xmpp was marshaling data read from an external source onto the stack. For a sufficiently large message, this could cause a stack overflow. This patch modifies res_xmpp in a similar fashion to res_jabber by removing the stack allocation, as it was unnecessary.
  • Prevent exhaustion of system resources through exploitation of event cache
  • This patch changes res_xmpp to no longer cache events under certain circumstances.

New in Asterisk 11.1.1 (Jan 3, 2013)

  • AST-2012-015: Resolve crashes due to large stack allocations when using TCP
  • Asterisk had several places where messages received over various network transports may be copied in a single stack allocation. In the case of TCP, since multiple packets in a stream may be concatenated together, this can lead to large allocations that overflow the stack.
  • This patch modifies those portions of Asterisk using TCP to either favor heap allocations or use an upper bound to ensure that the stack will not overflow:
  • For SIP, the allocation now has an upper limit.
  • For HTTP, the allocation is now a heap allocation instead of a stack allocation.
  • For XMPP (in res_jabber), the allocation has been eliminated since it was unnecessary.
  • AST-2012-014: Prevent exhaustion of system resources through exploitation of event cache
  • Asterisk maintains an internal cache for devices in the event subsystem. The device state cache holds the state of each device known to Asterisk, such that consumers of device state information can query for the last known state for a particular device, even if it is not part of an active call. The concept of a device in Asterisk can include entities that do not have a physical representation. One way this occurred was when anonymous calls were allowed: a device was automatically created and stored in the cache for each anonymous call, which was possible in the SIP and IAX2 channel drivers and through channel drivers that utilized the res_jabber/res_xmpp resource modules (Gtalk, Jingle, and Motif). These devices were never removed from the system, allowing anonymous calls to exhaust a system's resources.
  • This patch changes the event cache subsystem and device state management to no longer cache devices that are not associated with a physical entity.
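An added example, not Asterisk's code, of the pattern AST-2012-015 replaced: a message reassembled from several TCP segments lands in a heap buffer that is grown as data arrives and refused past a fixed upper bound, instead of a stack array sized by the peer. The same bound-before-allocate discipline is what the Content-Length cap in 11.2.2 (AST-2013-002) applies to HTTP POST bodies. MSG_MAX and the 1 KiB segment driver are assumptions for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on one buffered message. Assumed value for this example;
 * derive it from the largest legitimate message the protocol allows. */
#define MSG_MAX 65536

struct tcp_reader {
    char *buf;        /* heap storage, grown as segments arrive */
    size_t len;       /* bytes buffered so far */
    size_t cap;       /* current allocation size */
    bool overflowed;  /* peer exceeded MSG_MAX without completing a message */
};

/* Vulnerable pattern this replaces (do not use):
 *     char msg[total_len];          // VLA or alloca() sized by the peer
 *     memcpy(msg, data, total_len);
 * Because a TCP stream may deliver many concatenated messages at once,
 * total_len is attacker-controlled and so is the size of the stack frame. */

void tcp_reader_init(struct tcp_reader *r)
{
    memset(r, 0, sizeof(*r));
}

void tcp_reader_free(struct tcp_reader *r)
{
    free(r->buf);
    memset(r, 0, sizeof(*r));
}

/* Append one received segment. Returns false once the bound would be
 * exceeded (or memory runs out); the caller should then drop the connection
 * rather than keep buffering. The check runs before any allocation. */
bool tcp_reader_append(struct tcp_reader *r, const char *data, size_t n)
{
    if (r->overflowed) {
        return false;
    }
    if (n > MSG_MAX - r->len) {
        r->overflowed = true;   /* refuse without allocating anything */
        return false;
    }
    if (r->len + n > r->cap) {
        size_t ncap = r->cap ? r->cap : 1024;
        while (ncap < r->len + n) {
            ncap *= 2;          /* bounded by MSG_MAX, so at most 2*MSG_MAX */
        }
        char *nb = realloc(r->buf, ncap);
        if (!nb) {
            r->overflowed = true;
            return false;
        }
        r->buf = nb;
        r->cap = ncap;
    }
    memcpy(r->buf + r->len, data, n);
    r->len += n;
    return true;
}

/* Constructed driver: feed `segments` 1 KiB chunks that never complete a
 * message and report how many were accepted before the bound was hit. */
size_t feed_segments(size_t segments)
{
    struct tcp_reader r;
    char chunk[1024];
    size_t accepted = 0;

    tcp_reader_init(&r);
    memset(chunk, 'A', sizeof(chunk));
    for (size_t i = 0; i < segments; i++) {
        if (!tcp_reader_append(&r, chunk, sizeof(chunk))) {
            break;
        }
        accepted++;
    }
    tcp_reader_free(&r);
    return accepted;
}
```

With MSG_MAX at 64 KiB, a peer that keeps sending without ever completing a message is cut off after 64 segments; memory use per connection is bounded and nothing attacker-sized ever touches the stack.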

New in Asterisk 11.1.0 RC 3 (Dec 11, 2012)

  • chan_local: Fix local_pvt ref leak in local_devicestate().
  • Regression introduced by ASTERISK-20390 fix.

New in Asterisk 11.1.0 RC 2 (Dec 11, 2012)

  • Fix a SIP request memory leak with TLS connections.
  • During the TLS re-work in chan_sip some TLS specific code was moved into a separate function. This function operates on a copy of the incoming SIP request. This copy was never deinitialized causing a memory leak for each request processed.
  • This function is now given a SIP request structure which it can use to copy the incoming request into. This reduces the amount of memory allocations done since the internal allocated components are reused between packets and also ensures the SIP request structure is deinitialized when the TLS connection is torn down.

New in Asterisk 11.0.2 (Dec 7, 2012)

  • chan_local: Fix local_pvt ref leak in local_devicestate().
  • Regression introduced by ASTERISK-20390 fix.

New in Asterisk 11.1.0 RC 1 (Nov 17, 2012)

  • Fix execution of 'i' extension due to uninitialized variable.
  • Prevent resetting of NATted realtime peer address on reload.
  • Fix ConfBridge crash if no timing module loaded.
  • Fix the Park 'r' option when a channel parks itself.
  • Fix an issue where outgoing calls would fail to establish audio due to ICE negotiation failures.

New in Asterisk 11.0.1 (Nov 17, 2012)

  • Fix a bug which made ConfBridge not record conferences when the record command was initiated from AMI/CLI commands
  • Fix a bug causing SIP reloads to remove all entries from the registry
  • Fix an issue with res_http_websocket where the chan_sip WebSocket handler could not be registered.
  • On some systems the optional API support uses the GCC compiler attribute "weakref" to provide its functionality. This code changes the function names by prefixing them with "__". The res_http_websocket exports file did not take this into account, so those functions were not exported as global symbols and could not be found.