
ANNOUNCEMENT: Safi Systems Releases Asterisk Visual Call Flow Designer+Server

April 29, 2008

Hi all,

I'm happy to announce the alpha release of our product SafiWorkshop.
This release is a fully functional trial version for non-commercial
use and will give Asterisk administrators the ability to fully
evaluate the software without time restriction.

SafiWorkshop is a visual call flow designer that allows Asterisk
administrators to quickly create and deploy powerful IVR,
auto-attendants, and call routing applications by creating diagrams
that reflect the desired function. These diagrams, or Saflets, can
then be executed remotely on Safi Systems' standalone server
component: SafiServer.

Trial version and more info available from our website:
http://www.safisystems.com

Zac Wolfe
Safi Systems LLC

jabberd-2.1.24.1 release

April 27, 2008

Next jabberd 2.1 series release is available.

Get 2.1.24.1 release as usual at:
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.24.1.tar.gz
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.24.1.tar.bz2

and read: http://svn.xiaoka.com/jabberd2/trunk/UPGRADE

This is a bugfix release for compilation problems.
Nothing new really to 2.1.24 release.

ANNOUNCE: aspsms-t 1.2.4 (jabber2sms) transport

April 27, 2008

This is a bugfix release of aspsms-t (jabber2sms) transport.

What's new?
https://svn.noc.micressor.ch/public/aspsms-t/trunk/docs/NEWS

Source tarball:
https://svn.noc.micressor.ch/public/aspsms-t/files/aspsms-t-1.2.4.tar.gz

More information at:
http://web.swissjabber.ch/index.php/Aspsms-t
http://www.aspsms.com/solutions/3rd-party/jabbertosms/

jabberd-2.1.24 released to the world

April 24, 2008

It's finally time for next jabberd 2.1 series release.

Get 2.1.24 release as usual at:
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.24.tar.gz
http://ftp.xiaoka.com/jabberd2/releases/jabberd-2.1.24.tar.bz2

and read: http://svn.xiaoka.com/jabberd2/trunk/UPGRADE

This is a maintenance release with minor enhancements.

ChangeLog:
* Check for non configured c2s local.id
* Added tool to migrate from jabberd14 to jabberd2 SQLite. BBN.com
contribution.
* Fix for authreg_pipe. Fixes #204
* Updated bdb2mysql.rb to jabberd 2.1 DB schema
* Do not handle disco to nodes
* Fixed empty node check
* Restored reading [jabberd] group from my.cnf
* Unified way utf-8 is selected in MySQL backend
* Merged crypted passwords support for MySQL. Closes #184 and #197
* Removed debug that might cause segfault. Fixes #196.
* Do not handle vCard request destined to full JIDs. Fixes #190
* Fixes segfault that happened when there are multiple sessions
and privacy list was changed. Fixes #188
* Really fix gsasl ANONYMOUS login
* Webstatus presence resource enabled only when service enabled
* Added server component presence resources
* Added maxstanzasize debug message
* Fix --enable-pgsql
* Fixed compatibility with VC++ and ANSI, variables must be
declared at the beginning of the block.
* Check for Win32 OpenSSL and Visual C++ 2005 SP1 Redistributable
Package (x86), and raise error if not found in the installer.
* Updated Makefile.am with new README.protocol file
* Unified URI/URN definitions

For a full ChangeLog see:
http://svn.xiaoka.com/jabberd2/tags/jabberd-2.1.24/ChangeLog

Asterisk 1.2.28, 1.4.19.1, and 1.6.0-beta8 Released

April 23, 2008

The Asterisk development team has released versions 1.2.28, 1.4.19.1, and
1.6.0-beta8.

All of these releases contain a security patch for the vulnerability described
in the AST-2008-006 security advisory. 1.6.0-beta8 is also a regular update to
the 1.6.0 series with a number of bug fixes over the previous beta release.

Early last year, we made some modifications to the IAX2 channel driver to combat
potential usage of IAX2 in traffic amplification attacks. Unfortunately, our
fix was not complete and we were not notified of this until the original
reporter of the issue decided to release information on how to exploit it to the
public.

This issue affects all users of IAX2 that have allowed non-authenticated calls.
For more information on the vulnerability, see the published security advisory.

* http://downloads.digium.com/pub/security/AST-2008-006.pdf

All releases are available for download from the following location:

* http://downloads.digium.com/pub/telephony/asterisk/

Thank you for your continued support of Asterisk!

AST-2008-006 – 3-way handshake in IAX2 incomplete – VULN FIX

April 23, 2008

Asterisk Project Security Advisory - AST-2008-006

+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | 3-way handshake in IAX2 incomplete |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Remote amplification attack |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | Yes |
|--------------------+---------------------------------------------------|
| Reported On | April 18, 2008 |
|--------------------+---------------------------------------------------|
| Reported By | Joel R. Voss aka. Javantea < jvoss AT altsci DOT |
| | com > |
|--------------------+---------------------------------------------------|
| Posted On | April 22, 2008 |
|--------------------+---------------------------------------------------|
| Last Updated On | April 22, 2008 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2008-1897 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Javantea originally reported an issue in IAX2, whereby |
| | an attacker could send a spoofed IAX2 NEW message, and |
| | Asterisk would start sending early audio to the target |
| | address, without ever receiving an initial response. |
| | That original vulnerability was addressed in June 2007, |
| | by requiring a response to the initial NEW message |
| | before starting to send any audio. |
| | |
| | Javantea subsequently found that we were doing |
| | insufficient verification of the ACK response and that |
| | the ACK response could be spoofed, just like the initial |
| | NEW message. We have addressed this failure with two |
| | changes. First, we have started to require that the ACK |
| | response contains the unique source call number that we |
| | send in our reply to the NEW message. Any ACK response |
| | that does not contain the source call number that we |
| | have created will be silently thrown away. Second, we |
| | have made the generation of our source call number a |
| | little more difficult to predict, by randomly selecting |
| | a source call number, instead of allocating them |
| | sequentially. |
+------------------------------------------------------------------------+
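The two changes the description above lists (require the ACK to quote the source call number we allocated, and allocate that number randomly rather than sequentially) are easier to see in a small model of the responder side of the handshake. The following is an added example written for this page, not Asterisk's chan_iax2 code: the class and field names are this example's own, only the frame fields the check needs are modelled, and the `sequential` switch exists only to show why the pre-fix allocation was guessable.

```python
"""Model of the IAX2 ACK check described in AST-2008-006 (added example, not Asterisk code).

Only the fields the check needs are modelled: frame type, the sender's and the
receiver's call numbers, and the packet's source address. Names are this
example's own, not chan_iax2's.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_CALLNO = 32767  # IAX2 call numbers are 15-bit values, so 1..32767

Addr = Tuple[str, int]


@dataclass(frozen=True)
class Frame:
    kind: str         # "NEW", "ACCEPT", "ACK" or "VOICE"
    src_callno: int   # call number the sender allocated for this call
    dst_callno: int   # call number the sender claims the receiver allocated (0 if unknown)
    addr: Addr        # source address of the packet (spoofable, since IAX2 runs over UDP)


@dataclass
class Call:
    peer_addr: Addr
    peer_callno: int
    our_callno: int
    state: str = "WAIT_ACK"


class Responder:
    """Answers NEW with ACCEPT and sends audio only after a matching ACK."""

    def __init__(self, sequential: bool = False) -> None:
        self.calls: Dict[int, Call] = {}
        self.sent: List[Frame] = []
        self.sequential = sequential  # pre-fix allocation, kept only to show why it was weak
        self._next = 1

    def _alloc_callno(self) -> int:
        if self.sequential:
            n, self._next = self._next, self._next + 1
            return n
        # Post-fix: a random, currently unused call number, so a spoofer who never
        # sees our ACCEPT has to guess it
        while True:
            n = secrets.randbelow(MAX_CALLNO) + 1
            if n not in self.calls:
                return n

    def handle(self, frame: Frame) -> str:
        if frame.kind == "NEW":
            our = self._alloc_callno()
            self.calls[our] = Call(frame.addr, frame.src_callno, our)
            # Our reply carries our call number; the real peer receives it, a
            # sender using a forged source address does not
            self.sent.append(Frame("ACCEPT", our, frame.src_callno, frame.addr))
            return "accepted"
        if frame.kind == "ACK":
            call = self.calls.get(frame.dst_callno)
            # Silently drop an ACK that does not quote a call number we allocated,
            # or that does not match that call's peer address and call number
            if (call is None or call.peer_addr != frame.addr
                    or call.peer_callno != frame.src_callno):
                return "discarded"
            if call.state == "WAIT_ACK":
                call.state = "UP"
                # Early audio starts only now, after the handshake is complete
                self.sent.append(Frame("VOICE", call.our_callno, call.peer_callno, call.peer_addr))
            return "up"
        return "ignored"

    def voice_frames_to(self, addr: Addr) -> int:
        """How many audio frames have been sent toward addr so far."""
        return sum(1 for f in self.sent if f.kind == "VOICE" and f.addr == addr)


if __name__ == "__main__":
    peer: Addr = ("192.0.2.10", 4569)  # constructed address for the demo
    r = Responder()
    r.handle(Frame("NEW", 1, 0, peer))
    ours = r.sent[-1].src_callno
    print("ACK with a wrong call number:", r.handle(Frame("ACK", 1, (ours % MAX_CALLNO) + 1, peer)))
    print("audio frames after it:", r.voice_frames_to(peer))
    print("ACK with the right call number:", r.handle(Frame("ACK", 1, ours, peer)))
    print("audio frames after it:", r.voice_frames_to(peer))
```

The check on `dst_callno` is what closes the hole: no audio leaves the box until a frame arrives that quotes the number only the ACCEPT's real recipient could have learned. Randomising the allocation is what gives that number its value; with `sequential=True` the model hands out 1, 2, 3 and the check could be satisfied without ever seeing the ACCEPT. The workaround in the advisory (no guest access) removes the unauthenticated NEW that starts the whole exchange.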

+------------------------------------------------------------------------+
| Workaround | Disable remote unauthenticated IAX2 sessions, by |
| | disallowing guest access. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade your Asterisk installation to revision 114561 or |
| | later, or install one of the releases shown below. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Commentary | We would like to thank Javantea for notifying us of this |
| | problem; however, we note that he posted exploit code |
| | prior to that notification, which is considered |
| | irresponsible behavior in the whitehat security industry. |
| | In the future, advance notice of any such release would |
| | be appreciated. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.0.x | All versions |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.28 |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.20 |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.2 |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.8.1 |
|-------------------------------+------------+---------------------------|
| AsteriskNOW | 1.0.x | All versions prior to |
| | | 1.0.3 |
|-------------------------------+------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | All versions |
| Kit | | |
|-------------------------------+------------+---------------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.1.0.3 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.2.28 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.4.20 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | B.2.5.2 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.1.8.1 |
|---------------------------------------------+--------------------------|
| AsteriskNOW | 1.0.3 |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance) | 1.1.0.3 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | https://www.altsci.com/concepts/page.php?s=asteri&p=2 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-006.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-006.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|---------------------+----------------------+---------------------------|
| April 22, 2008 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-006
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Adding TinyMCE to your ProjectPier or ActiveCollab Installation

April 19, 2008

Many of you are project managers, and may be using Activecollab or ProjectPier.

We were tired of their lame editor, so we decided to add TinyMCE into our installed version, both for ease of client use, and internal use.

The instructions are very simple.

1. Go to ProjectPier, grab the latest version (or svn)

2. Install ProjectPier as you would normally

3. Install any custom patches or addons to ProjectPier.

4. Download TinyMCE

5. Uncompress TinyMCE, and enter the newly extracted directory. You will see a javascript directory. Rename this to tiny_mce.

6. Copy your newly renamed "tiny_mce" directory to the root of your ProjectPier installation.

# cp -R tiny_mce /var/www/yoursite/htdocs/projectpier/

7. Now, this is the only "complicated" part. Go into your ProjectPier installation directory, and then enter the applications directory. Like this.

# cd /var/www/yoursite/htdocs/projectpier/
# cd application
# cd layouts

8. Now you're going to want to edit three files:

# nano administration.php dashboard.php project_website.php

9. Now in these files, you're going to want to add the include for tiny_mce. Add the following code after the last "add_javascript_to_page" line at the top of each file and then you are done.

<?php echo add_javascript_to_page('dropdown.js') ?>
<script language="javascript" type="text/javascript" src="http://www.yoursite.com/projectpier/tiny_mce/tiny_mce.js"></script>

<script language="javascript" type="text/javascript">
tinyMCE.init({
force_p_newlines: "false",
forced_root_block : '',
theme : "advanced",
mode : "textareas"
});
</script>

10. That's It! You are finished adding TinyMCE to your Project Management Installation! It should look something like this.

[Screenshot]

Enjoy!
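Step 9 is the one part of the procedure that is easy to get wrong by hand (three files, the block has to land after the last add_javascript_to_page line, and running it twice must not insert it twice). The script below automates it; it is an added example written for this page, not ProjectPier's or TinyMCE's code. It assumes the three layout file names from step 8, that each contains at least one add_javascript_to_page(...) line, and that the tiny_mce directory was copied to the ProjectPier web root as in step 6, so it is served under /projectpier/tiny_mce/ (adjust TINYMCE_SRC if your install lives elsewhere).

```python
"""Apply step 9 to the ProjectPier layout files (added example, not ProjectPier code).

Assumes each layout file has at least one add_javascript_to_page(...) line and
that tiny_mce/ sits in the ProjectPier web root (step 6 of the post).
"""
from pathlib import Path
from typing import Iterable, List

# Same-origin path instead of the post's absolute http://www.yoursite.com URL,
# so the layouts keep working unchanged if the site is served over https
# (assumed install path: ProjectPier under /projectpier/).
TINYMCE_SRC = "/projectpier/tiny_mce/tiny_mce.js"

TINYMCE_BLOCK = f"""<script type="text/javascript" src="{TINYMCE_SRC}"></script>

<script type="text/javascript">
tinyMCE.init({{
    force_p_newlines: "false",
    forced_root_block : '',
    theme : "advanced",
    mode : "textareas"
}});
</script>
"""

LAYOUT_FILES = ("administration.php", "dashboard.php", "project_website.php")


def insert_tinymce(source: str) -> str:
    """Return source with the TinyMCE block after its last add_javascript_to_page line."""
    if TINYMCE_SRC in source:  # already patched: leave the file alone so re-runs are safe
        return source
    lines = source.splitlines(keepends=True)
    last = max((i for i, line in enumerate(lines) if "add_javascript_to_page(" in line),
               default=None)
    if last is None:
        raise ValueError("no add_javascript_to_page() line found; not a layout file?")
    if not lines[last].endswith("\n"):
        lines[last] += "\n"
    lines.insert(last + 1, TINYMCE_BLOCK)
    return "".join(lines)


def patch_layouts(layout_dir, names: Iterable[str] = LAYOUT_FILES) -> List[str]:
    """Patch each named layout file in place; return the names that were changed."""
    changed = []
    for name in names:
        path = Path(layout_dir) / name
        original = path.read_text(encoding="utf-8")
        patched = insert_tinymce(original)
        if patched != original:
            path.write_text(patched, encoding="utf-8")
            changed.append(name)
    return changed


if __name__ == "__main__":
    import sys
    # Usage: python add_tinymce.py /var/www/yoursite/htdocs/projectpier/application/layouts
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("application/layouts")
    print("patched:", patch_layouts(target))
```

Running it a second time reports nothing patched, because the presence of the tiny_mce.js reference is treated as "already done"; that also means a layout file you edited by hand following the post is left untouched.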

