Asterisk 1.2.31.1, 1.4.22.2, 1.4.23.1, and 1.6.0.5 released
January 24, 2009
The Asterisk.org development team has announced the release of Asterisk 1.2.31.1, 1.4.22.2, 1.4.23.1, and 1.6.0.5. These releases are available for immediate download from http://downloads.digium.com/.
This update for Asterisk includes a security fix for chan_iax2. Please see the associated security advisory for more details:
http://downloads.digium.com/pub/security/AST-2009-001.html
These updates are a fix to a previous security release (released as versions 1.2.31, 1.4.22.1, and 1.6.0.3).
The new versions are being released after additional testing revealed some issues with the way that scanning for users was blocked. Those issues have been corrected in this release.
This security issue affects the 1.2, 1.4, and 1.6 series of Asterisk.
Also note that Asterisk 1.6.0.4-rc1 was released yesterday, prior to the security update. That release has been removed, as there will be no 1.6.0.4 release; it will instead be reincarnated as 1.6.0.6-rc1. The reason for the dead release is to avoid 5-digit release numbers.
ChangeLogs for the various releases are available at:
http://downloads.digium.com/pub/asterisk/ChangeLog-1.2.31.1
http://downloads.digium.com/pub/asterisk/ChangeLog-1.4.22.2
http://downloads.digium.com/pub/asterisk/ChangeLog-1.4.23.1
http://downloads.digium.com/pub/asterisk/ChangeLog-1.6.0.5
Thank you for your continued support of Asterisk!
Asterisk 1.6.0.4 Release Candidate 1 Now Available
January 22, 2009
The Asterisk Development Team is pleased to announce the first release candidate of Asterisk 1.6.0.4, tagged as version 1.6.0.4-rc1. Release candidate 1.6.0.4-rc1 is available for immediate download at http://downloads.digium.com/.
This release candidate includes fixes for OS build compatibility, terminal compatibility, documentation updates, and resolves several crash issues. Issues found in this release candidate can be reported at http://bugs.digium.com/.
For a full list of changes in this release candidate, please see the ChangeLog:
http://svn.digium.com/view/asterisk/tags/1.6.0.4-rc1/ChangeLog?view=markup
Thank you for your continued support of Asterisk!
Asterisk 1.2.31, 1.4.22.1, and 1.6.0.3 released
January 8, 2009
The Asterisk.org development team has announced the release of Asterisk 1.2.31, 1.4.22.1, and 1.6.0.3. These releases are available for immediate download from http://downloads.digium.com/.
This update for Asterisk includes a security fix for chan_iax2. Please see the associated security advisory for more details:
http://downloads.digium.com/pub/security/AST-2009-001.html
This security issue affects the 1.2, 1.4, and 1.6 series of Asterisk. Asterisk releases 1.2.31 and 1.4.22.1 contain only the security fix.
Asterisk release 1.6.0.3 has additional changes from 1.6.0.2, including a fix to the Makefile that caused menuselect to break in certain cases.
Also, some issues related to memory leaks and more appropriate SIP dialog responses when receiving 4XX messages have been fixed.
ChangeLogs for the various releases are available at:
http://downloads.digium.com/pub/asterisk/ChangeLog-1.2.31
http://downloads.digium.com/pub/asterisk/ChangeLog-1.4.22.1
http://downloads.digium.com/pub/asterisk/ChangeLog-1.6.0.3
Thank you for your continued support of Asterisk!
Asterisk 1.6.1-beta4 released
December 19, 2008
The Asterisk.org development team has created the fourth beta release for Asterisk 1.6.1. 1.6.1-beta4 is available for immediate download from http://downloads.digium.com/.
This beta release contains fixes for multiple issues since 1.6.1-beta3 including crashes and a problem in chan_sip that would cause incorrect user and peer matching. For a full list of the changes in this release, please see the ChangeLog:
http://svn.digium.com/view/asterisk/tags/1.6.1-beta4/ChangeLog?view=markup
Thank you for your continued support of Asterisk!
Digium call for help in response to IC3/FBI Asterisk Security Issue announced last Friday
December 8, 2008
In a story earlier today we posted about the FBI announcement regarding pwning Asterisk systems. Digium has posted a response to this on the Asterisk Mailing Lists asking the community for help in response to the FBI's warning and other various news outlets misrepresenting the issue or not fully informing their audience. Here's the message posted by Digium:
On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their website that contained a fairly vaguely worded warning about Asterisk systems being compromised and then being used as "vishing" (voice phishing) platforms. They were non-specific on the threat other than to advocate upgrading to "newer versions" of Asterisk. This announcement was done on Friday late afternoon, just as everyone was leaving for the weekend, which left us leaving frantic messages with various IC3 voicemail system deadends and emails to generic-sounding accounts.
The delay in any authoritative information from IC3 quickly created a guessing game in the blogger and press community as to what was exactly the vulnerability and what were the details of this threat.
The speculation here at Digium was that this was just a re-statement of an older bug from earlier this year, or it could have been entirely unrelated to Asterisk and just been a case of mis-diagnosis of poor password control.
It turns out that we were correct on our first guess: this is not a new problem, and furthermore is a difficult vulnerability to exploit even on those systems that are unpatched - it would require fairly purposeful configuration to expose the system to a "vishing" abuse method, so it is probably the case that this was a very isolated event. We spoke with IC3 agents earlier today, and they have updated the alert to contain the correct warning (AST-2008-003) which was their original intent.
There is a more complete description of the incident on the Digium blog site:
http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
Other links:
AST-2008-003 - http://www.asterisk.org/node/48466
Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx
WHAT YOU CAN DO:
Unfortunately, the news of security risks spreads faster than the news of a non-issue - secure systems aren't "stories" so I expect it will be an uphill effort to update all the sites which copied or re-blogged the IC3 story initially. We would very much like to enlist the community to have you try to post where you can the link to the Digium blog above - it would help keep misperceptions from becoming part of the permanent data landscape as things get slowly archived into Google-able snippets. Post in the "Comments" sections of any blogs you see linking to this story, or put your own $.02 in as you see fit. We'd like to keep good relations with the IC3 and FBI, and we understand how this kind of mistake can happen (even though we're uncomfortable with the results) so please set your flamethrowers on "warm" instead of "scorch" if you choose to weigh in on the topic yourself.
If anyone has questions regarding this issue, please feel free to contact me via email or phone to discuss.
JT
---
John Todd
jtodd@digium.com +1-256-428-6083
Asterisk Open Source Community Director
Happy Birthday Asterisk, You’re turning 9 on Friday!
December 4, 2008
Hi,
December 5th, 1999 was the initial release of Asterisk by Mark Spencer. We'll be celebrating this by gathering as usual at 12 Noon Eastern (9AM Pacific, 10 MST, 11 Central, 5PM UK and Western EU) for the VoIP Users Conference.
You can get all the dial in information at http://VoipUsersConference.org including info on a SipAddHeader() kludge to avoid DTMF problems.
IRC is Freenode.net #voip-users-conference join this even if you can't call in.
Call via SIP: talkshoe@vuc.onsip.com (thanks to OnSip.com) Call via PSTN (724) 444-7444 DTMF 22622# 1#
or try this: 7463#22622#1@proxy.ideasip.com (thanks to IdeaSIP.com)
or to just look up talkshoe server IP: ts.x2z.eu (thanks to me for the DNS record)
We start about 15 minutes to the hour with an informal chat.
Join us anytime, but especially, grab a virtual beer and join us Friday the 5th.
/r
Asterisk 1.6.0.3-rc1 released
December 3, 2008
The Asterisk.org development team has released Asterisk version 1.6.0.3-rc1.
This release is available for immediate download from http://downloads.digium.com/.
This release candidate follows on the recent (broken) release of 1.6.0.2 with multiple fixes. This release also marks the first time that we are creating release candidates for bugfix releases in the 1.6 branch. For a full list of the changes in this release, please see the ChangeLog:
http://svn.digium.com/view/asterisk/tags/1.6.0.3-rc1/ChangeLog?view=markup
Thank you for your continued support of Asterisk!



