Top Asterisk Coders Revealed!
December 21, 2007
Earlier today on the Asterisk Dev list, there was a little thread about source maintainers of the SVN version of Asterisk. Not that these stats are useful for anything more than fun, they are still fun to look at if you like pretty graphs as much as I do.
Checkem Here: http://bugs.digium.com/svnstat
[asterisk-security] Asterisk 1.4.16 and 1.2.26 released
December 19, 2007
The Asterisk.org development team has released Asterisk versions 1.4.16 and
1.2.26. Both releases contain a fix for a security vulnerability. The 1.4.16
release also contains a number of other bug fixes made over the past few weeks.
The details of the security issue have been published in a security advisory:
http://downloads.digium.com
The issue affects users of the dynamic realtime configuration method for IAX2 or
SIP that use host based authentication. Systems that do not use host based
authentication with realtime are not affected.
A full list of changes is available in the ChangeLog, which is distributed with
the release and is also available on the downloads page.
http://downloads.digium.com
The releases are available for immediate download from http://downloads.digium.com/.
Thank you for your support!
[asterisk-security] AST-2007-027 – Database matching order permits host-based authentication to be ignored
December 19, 2007
Asterisk Project Security Advisory - AST-2007-027
+-----------------------------
| Product | Asterisk |
|--------------------+--------
| Summary | Database matching order permits host-based |
| | authentication to be ignored |
|--------------------+--------
| Nature of Advisory | Logic error |
|--------------------+--------
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------
| Severity | Moderate |
|--------------------+--------
| Exploits Known | No |
|--------------------+--------
| Reported On | October 30, 2007 |
|--------------------+--------
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|--------------------+--------
| Posted On | December 18, 2007 |
|--------------------+--------
| Last Updated On | December 18, 2007 |
|--------------------+--------
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|--------------------+--------
| CVE Name | CVE-2007-6430 |
+-----------------------------
+-----------------------------
| Description | Due to the way database-based registrations ("realtime") |
| | are processed, IP addresses are not checked when the |
| | username is correct and there is no password. An |
| | attacker may impersonate any user using host-based |
| | authentication without a secret, simply by guessing the |
| | username of that user. This is limited in scope to |
| | administrators who have set up the registration database |
| | ("realtime") for authentication and are using only |
| | host-based authentication, not passwords. However, both |
| | the SIP and IAX protocols are affected. |
+-----------------------------
+-----------------------------
| Resolution | As a workaround, administrators may set a password for |
| | all users and peers in their registration "realtime" |
| | database. A fix is included in the newest release of |
| | Asterisk, as provided below. |
+-----------------------------
+-----------------------------
| Affected Versions |
|-----------------------------
| Product | Release | |
| | Series | |
|----------------------------+
| Asterisk Open Source | 1.0.x | Not affected |
|----------------------------+
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.26 |
|----------------------------+
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.16 |
|----------------------------+
| Asterisk Business Edition | A.x.x | Not affected |
|----------------------------+
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.3.6 |
|----------------------------+
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.0-beta8 |
|----------------------------+
| AsteriskNOW | pre-release | Not affected |
|----------------------------+
| Asterisk Appliance | 0.x.x | Not affected |
| Developer Kit | | |
|----------------------------+
| s800i (Asterisk Appliance) | 1.0.x | Not affected |
+-----------------------------
+-----------------------------
| Corrected In |
|-----------------------------
| Product | Release |
|-----------------------------
| Asterisk Open Source | 1.2.26 |
|-----------------------------
| Asterisk Open Source | 1.4.16 |
|-----------------------------
| Asterisk Business Edition | B.2.3.6 |
|-----------------------------
| Asterisk Business Edition | C.1.0-beta8 |
|-----------------------------
+-----------------------------
+-----------------------------
| Links | |
+-----------------------------
+-----------------------------
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com
| http://downloads.digium.com
+-----------------------------
+-----------------------------
| Revision History |
|-----------------------------
| Date | Editor | Revisions Made |
|-----------------+-----------
| 2007-12-18 | Tilghman Lesher | Initial Release |
+-----------------------------
Asterisk Project Security Advisory - AST-2007-027
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Trixbox phones home — good news tomorrow though.
December 17, 2007
A set of scripts were recently discovered in the trixbox line of PBX products, which connect to a remote host every 24 hours, to retrieve an arbitrary list of commands to be executed locally. These scripts were added under the guise of submitting 'anonymous usage statistics', however, with the help of DNS pollution, or malice on the part of the sponsoring company (Fonality), all up-to-date versions of trixbox could be instantly disabled, or worse.
According to trixbox Community Director, Kerry Gerrison, a new version of trixbox will be available by December 18th which will allow you to 'opt-out' (meaning that it will still be enabled by default) of this behavior.
Further details:
http://www.trixbox.org/forums
http://www.trixbox.org/trixboxs
asterisk-users] Libpri 1.2.7 and 1.4.3 released
December 15, 2007
The Asterisk.org development team has released Libpri versions 1.2.7 and 1.4.3.
These releases fix one small compilation error that occurred with the newest
release of glibc.
Thank you for your support!
[asterisk-users] Zaptel 1.2.22.1 and 1.4.7.1 released
December 15, 2007
The Asterisk.org development team has released Zaptel versions 1.2.22.1 and
1.4.7.1. These releases contain one small change and are otherwise the same as
1.2.22 and 1.4.7. The change is to support the new TE122 card from Digium.
Thank you for your support!
Cisco 7940 SIP Phone INVITE Message Remote Denial of Service Vulnerability
December 6, 2007
| Bugtraq ID: | 26711 |
| Class: | Failure to Handle Exceptional Conditions |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 05 2007 12:00AM |
| Updated: | Dec 05 2007 07:32PM |
| Credit: | Humberto J. Abdelnur, Radu State, and Olivier Festor are credited with the discovery of this vulnerability. |
from: securityfocus
