
[asterisk-users] Asterisk-addons 1.4.5 Released

November 30, 2007

The Asterisk.org development team has released Asterisk-addons version 1.4.5.
This release contains a few bug fixes, but is required for compatibility with
the latest version of Asterisk, 1.4.15.

Thank you for your support!

[asterisk-users] v33 of codec_g729a released

November 30, 2007

Version 33 of codec_g729a for Asterisk 1.4 has been released. This release is a
compatibility update to work with the latest version of Asterisk. Users of this
module upgrading to Asterisk 1.4.15 will need to upgrade to this version of
codec_g729a.

The module is available for download at the following location:

http://downloads.digium.com/pub/telephony/codec_g729/asterisk-1.4/

Thank you!

[asterisk-security] Asterisk 1.4.15 and 1.2.25 Released

November 30, 2007

The Asterisk.org development team has released Asterisk versions 1.4.15 and
1.2.25. These releases contain two fixes for security issues.

http://downloads.digium.com/pub/asa/AST-2007-025.pdf
* This is a SQL injection vulnerability in the res_config_pgsql module.
Default installations of Asterisk are not affected. However, any system using
the Postgres Realtime Engine may be remotely exploitable. This issue only
affects Asterisk 1.4, as this module was not in Asterisk 1.2.

http://downloads.digium.com/pub/asa/AST-2007-026.pdf
* This is another SQL injection vulnerability. The input for the ANI and DNIS
fields was not properly escaped. Default installations of Asterisk are not
vulnerable. However, systems that use the Postgres CDR logging module may be
remotely exploitable. This issue affects both Asterisk 1.2 and 1.4.

Both releases are available on http://downloads.digium.com.

Thank you very much for your support!

[asterisk-security] AST-2007-025 – SQL Injection issue in res_config_pgsql

November 30, 2007

Asterisk Project Security Advisory - AST-2007-025

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SQL Injection issue in res_config_pgsql |
|----------------------+-------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | P. Chisteas <p_christ AT hol DOT gr> |
|----------------------+-------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | lookup data to the Postgres Realtime Engine. An attacker |
| | could potentially compromise the administrative database |
| | containing users' usernames and passwords used for SIP |
| | authentication, among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Workaround | Convert your installation to use res_config_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.0.x | None |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.2.x | None |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
| | | versions |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | A.x.x | None |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | B.x.x | None |
|------------------------------+-------------+---------------------------|
| AsteriskNOW | pre-release | None |
|------------------------------+-------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | None |
| Kit | | |
|------------------------------+-------------+---------------------------|
| s800i (Asterisk Appliance) | 1.0.x | None |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.4.15 |
|------------------------------------------+-----------------------------|
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-025.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-025.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+------------------------+-----------------------------|
| 2007-11-29 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-025
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[asterisk-security] AST-2007-026 – SQL Injection issue in cdr_pgsql

November 30, 2007

Asterisk Project Security Advisory - AST-2007-026

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SQL Injection issue in cdr_pgsql |
|----------------------+-------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Authenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2007-6170 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | the ANI and DNIS strings to the Call Detail Record |
| | Postgres logging engine. An attacker could potentially |
| | compromise the administrative database containing users' |
| | usernames and passwords used for SIP authentication, |
| | among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Workaround | Convert your installation to use cdr_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|-------------------------------+-------------+--------------------------|
| Asterisk Open Source | 1.0.x | All versions |
|-------------------------------+-------------+--------------------------|
| Asterisk Open Source | 1.2.x | 1.2.24 and previous |
|-------------------------------+-------------+--------------------------|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
|-------------------------------+-------------+--------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|-------------------------------+-------------+--------------------------|
| Asterisk Business Edition | B.x.x | B.2.3.3 and previous |
|-------------------------------+-------------+--------------------------|
| Asterisk Business Edition | C.x.x | C.1.0-beta5 and previous |
|-------------------------------+-------------+--------------------------|
| AsteriskNOW | pre-release | None |
|-------------------------------+-------------+--------------------------|
| Asterisk Appliance Developer | 0.x.x | None |
| Kit | | |
|-------------------------------+-------------+--------------------------|
| s800i (Asterisk Appliance) | 1.0.x | None |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.2.25 |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.4.15 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | B.2.3.4 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | C.1.0-beta6 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-026.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-026.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|----------------+--------------------+----------------------------------|
| 2007-11-29 | Tilghman Lesher | Initial release |
|----------------+--------------------+----------------------------------|
| 2007-11-29 | Tilghman Lesher | Added CVE, ABE C version |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-026
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
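
Both AST-2007-025 and AST-2007-026 are the same class of bug: a string a remote caller controls (the SIP username for a realtime lookup, the caller-ID number and dialed number for a CDR row) is spliced into SQL text without being escaped, so the data becomes part of the query. The example below, added here and not code from Asterisk or Digium, shows the pattern for both modules and the bound-parameter form that removes it. It uses Python's bundled sqlite3 as a stand-in for Postgres; the table and column names (sip_buddies/name/secret, cdr/src/dst) are the conventional Asterisk realtime and CDR names and are assumptions, the query shapes are illustrative rather than the modules' source, and the rows and payloads are constructed. The leak payload relies on the || concatenation operator, which both SQLite and Postgres accept.

```python
"""SQL injection of the AST-2007-025 / AST-2007-026 kind, and the fix.

Added example, not Asterisk code.  sqlite3 stands in for Postgres; the
table/column names are the conventional Asterisk realtime/CDR names and
are assumptions; all rows and payloads below are constructed.
"""
import sqlite3


def make_db():
    """Constructed sample database: two SIP peers and an empty CDR table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE sip_buddies (name TEXT PRIMARY KEY, secret TEXT, host TEXT);
        INSERT INTO sip_buddies VALUES ('alice', 's3cr3t-alice', 'dynamic');
        INSERT INTO sip_buddies VALUES ('bob',   's3cr3t-bob',   'dynamic');
        CREATE TABLE cdr (src TEXT, dst TEXT, duration INTEGER);
        """
    )
    return db


# --- Vulnerable: caller-controlled strings are spliced into the SQL text ----

def realtime_lookup_vuln(db, peer_name):
    """Realtime peer lookup built by string formatting (the res_config_pgsql
    pattern).  peer_name is the SIP username, chosen by an unauthenticated
    remote caller."""
    sql = "SELECT name, secret FROM sip_buddies WHERE name = '%s'" % peer_name
    return db.execute(sql).fetchall()


def cdr_insert_vuln(db, ani, dnis, duration):
    """CDR insert built by string formatting (the cdr_pgsql pattern).  ani and
    dnis are the caller-ID number and dialed number, both set by the caller."""
    sql = "INSERT INTO cdr (src, dst, duration) VALUES ('%s', '%s', %d)" % (
        ani, dnis, duration)
    db.execute(sql)
    return db.execute("SELECT src, dst FROM cdr").fetchall()


# --- Fixed: bound parameters; the driver never lets data become syntax -----

def realtime_lookup_safe(db, peer_name):
    return db.execute(
        "SELECT name, secret FROM sip_buddies WHERE name = ?", (peer_name,)
    ).fetchall()


def cdr_insert_safe(db, ani, dnis, duration):
    db.execute("INSERT INTO cdr (src, dst, duration) VALUES (?, ?, ?)",
               (ani, dnis, duration))
    return db.execute("SELECT src, dst FROM cdr").fetchall()


# Constructed payloads.  DUMP_ALL closes the literal and makes the WHERE
# clause always true, so the lookup returns every peer's secret.  LEAK_SECRET
# uses SQL concatenation to copy alice's secret into the CDR row, where
# anyone who can read call records (a billing portal, say) will see it.
DUMP_ALL = "x' OR '1'='1"
LEAK_SECRET = "' || (SELECT secret FROM sip_buddies WHERE name='alice') || '"


def demo():
    """Run both payloads against the vulnerable and the fixed functions."""
    db = make_db()
    dumped = realtime_lookup_vuln(db, DUMP_ALL)             # every peer + secret
    safe = realtime_lookup_safe(db, DUMP_ALL)               # no such peer: []
    leaked = cdr_insert_vuln(db, LEAK_SECRET, "1000", 5)    # src is alice's secret
    stored = cdr_insert_safe(make_db(), LEAK_SECRET, "1000", 5)  # stored verbatim
    return dumped, safe, leaked, stored


if __name__ == "__main__":
    for label, rows in zip(("vuln lookup", "safe lookup", "vuln cdr", "safe cdr"),
                           demo()):
        print(label, rows)
```

Bound parameters are the form to prefer when the driver offers them; a C module without prepared-statement support would instead pass every string through the driver's own escaping routine before building the query, which is the other acceptable fix. Note that the CDR case needs no SIP authentication at all: the advisory rates it "Remote Authenticated Sessions", but anything that places a call and carries its own caller-ID into the CDR reaches the same code path, which is why the workaround (cdr_odbc) matters even for boxes that only log calls.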

[asterisk-dev] Zaptel 1.2.22 and 1.4.7 released

November 27, 2007

The Asterisk.org development team has announced the release of Zaptel
versions 1.2.22 and 1.4.7. These releases contain (among other things)
many bug fixes to the TC400B driver, a bug fix on the wctdm24xxp driver
for users with a VPM150M, as well as numerous improvements and fixes to
the Xorcom driver suite. The much better performing version of fxotune
from 1.4 has now been put into 1.2, so you may wish to rerun this tool
with the new version. As always, please see the respective Changelogs
for additional information.

Both releases are available as a tarball as well as a patch against the
previous release. They are available for download from downloads.digium.com.

Thank you for your support!

FreePBX Music on Hold with Madplay instead of Format_mp3

November 22, 2007

We've just recently replaced our company PBX with FreePBX and Asterisk 1.4. We were getting complaints about format_mp3 and how it plays the same song, from the beginning every time you put someone on hold. This is honestly a bad way to do hold music, and I'm not sure why the Asterisk Developers haven't fixed it, but, it's easy enough to fix. Here are the steps to take to use madplay instead. Note that we're using Ubuntu Linux, so the commands may change a bit.

1. Install madplay

# apt-get install madplay

2. Log in to the FreePBX Control Console and create a Music On Hold context. Next, upload all your MP3s to this context.

3. Once you're satisfied with the MP3s you've uploaded to your context, ssh to your box:

# ssh your.pbx.ip

4. After logging in and becoming root with su, go to /etc/asterisk and edit musiconhold_additional.conf. It should end up looking like this; replace [Flewid] with the name of your own Music on Hold context.

[Flewid]
mode=custom
directory=/var/lib/asterisk/mohmp3/Flewid/
application=/usr/bin/madplay -Qzr -o raw:- --mono -R 8000 -a -12
random=yes

5. Now stop and start Asterisk. Something like this should do the trick.

# /etc/init.d/asterisk stop
# /etc/init.d/asterisk start

6. Now when you issue a ps you should see that madplay is now running. You should see something like the following.

# ps aux | grep madplay

asterisk 15921 0.0 0.4 5732 2156 ? S Nov21 0:00 /usr/bin/madplay -Qzr -o raw:- --mono -R 8000 -a -12 Party 1992 Intromusic.mp3 A Touch of Spring.mp3 Ice Frontier.mp3 imphobia.mp3 Aquaphobia - 1993 spring.mp3 Lavender Hill.mp3 M16A.mp3 M16C.mp3 MENU.mp3 Minimum Velocity.mp3 Purple Sky II.mp3 Satellite one..mp3 technology.mp3 Turbulence.mp3 Unreal Symphony.mp3 When the heavens fall.mp3

7. That's it. Now you should have fancy music on hold that won't start at the beginning of every song, and when people are put on music on hold they will hear the song immediately, instead of waiting for it to start.

There is one problem with this method, in that if you decide to upload any more music on hold files to your context, musiconhold_additional.conf will get overwritten, and you will have to apply this fix again.

It would be nice if the freepbx developers added the option of using madplay from the administration interface. But this isn't really too big of a deal since musiconhold is changed infrequently (at least for us).
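
Because FreePBX regenerates musiconhold_additional.conf whenever the context changes, the edit in step 4 has to be reapplied each time. The script below is an added example (my own, not FreePBX or Asterisk code) that makes that reapplication mechanical and idempotent: it switches one named class to mode=custom with the madplay command line from the post, leaves every other class alone, and refuses to run if the class name is not found, so a typo cannot silently leave that context on format_mp3. The only format assumption is the generic Asterisk musiconhold.conf layout ([class] sections with key=value or key => value lines); the sample configuration inside the block is constructed, not copied from a FreePBX install.

```python
"""Reapply the madplay music-on-hold class after FreePBX regenerates
/etc/asterisk/musiconhold_additional.conf.

Added example, not FreePBX or Asterisk code.  Assumes the generic Asterisk
musiconhold.conf layout; SAMPLE_CONF / EXPECTED_CONF are constructed.
"""
import re
import sys

# Command line from the post; -R 8000 and --mono give Asterisk 8 kHz mono raw
# audio on stdout, -a -12 attenuates by 12 dB, -z shuffles, -r repeats.
MADPLAY = "/usr/bin/madplay -Qzr -o raw:- --mono -R 8000 -a -12"

HEADER = re.compile(r"\s*\[([^\]]+)\]\s*$")


def rewrite_moh_class(text, class_name, application=MADPLAY):
    """Return text with [class_name] switched to mode=custom plus an
    application= line, other classes untouched.  Idempotent.  Raises
    ValueError if the class does not exist."""
    out, in_target, found, app_written = [], False, False, False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Leaving a target section that had no mode= line: still add application.
            if in_target and not app_written:
                out.append("application=" + application)
            in_target = m.group(1) == class_name
            found = found or in_target
            app_written = False
            out.append(line)
            continue
        if in_target:
            key = line.split("=", 1)[0].strip().lower()   # handles 'key=' and 'key =>'
            if key == "mode":
                out.append("mode=custom")
                if not app_written:
                    out.append("application=" + application)
                    app_written = True
                continue
            if key == "application":
                # Keep exactly one application= line, ours, wherever it was.
                if not app_written:
                    out.append("application=" + application)
                    app_written = True
                continue
        out.append(line)
    if in_target and not app_written:
        out.append("application=" + application)
    if not found:
        raise ValueError("class [%s] not found" % class_name)
    return "\n".join(out) + "\n"


# Constructed sample of a FreePBX-style generated file and the expected result.
SAMPLE_CONF = """[default]
mode=files
directory=/var/lib/asterisk/mohmp3
random=yes

[Flewid]
mode=files
directory=/var/lib/asterisk/mohmp3/Flewid
random=yes
"""

EXPECTED_CONF = """[default]
mode=files
directory=/var/lib/asterisk/mohmp3
random=yes

[Flewid]
mode=custom
application=/usr/bin/madplay -Qzr -o raw:- --mono -R 8000 -a -12
directory=/var/lib/asterisk/mohmp3/Flewid
random=yes
"""


if __name__ == "__main__":
    # usage: python moh_madplay.py /etc/asterisk/musiconhold_additional.conf Flewid
    path, class_name = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        original = fh.read()
    with open(path, "w") as fh:
        fh.write(rewrite_moh_class(original, class_name))
```

Run it as root after every FreePBX change to that context, then restart Asterisk as in step 5. The application= line is executed by Asterisk as the asterisk user with the MP3 file names appended, so keep the directory and the class definition under your own control, as the post already does by uploading through the FreePBX console.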
