
New EJabberd Maintenance release 2.0.3

January 16, 2009

Today there was a note on the Jabber list that EJabberd has released a new version with a few fixes. If you're running XMPP services with your Asterisk server and don't trust using third parties (like Google Talk), your own Jabber/XMPP server can yield some pretty great benefits (control, call notifications, queue notifications, callerid lookups, you name it).

Full release info can be found here:

http://www.process-one.net/en/ejabberd/article/ejabberd_2.0.3/

Recent changes in this release include:

  • Do not ask certificate for client (c2s)
  • Check digest-uri in SASL digest authentication
  • Use send timeout to avoid locking on gen_tcp:send
  • Fix ejabberd reconnection to database
  • HTTP-Bind: handle wrong order of packets
  • MUC: Improved traffic regulation management
  • PubSub: Several bugfixes and improvements for best coverage of XEP-0060 v1.12
  • Shared Roster Groups: push immediately membership changes
  • Rotate also sasl.log on "reopen-log" command
  • Binary Windows installer: better detect "Error running Post Install Script"

Digium Improves Communication with New Mailing List

December 20, 2008

Today Digium announced on the mailing lists that it has improved the announcement process for Asterisk and its other products. Up until today there has not been much communication with the community about upgrades to policies, the site, or other relevant Digium type news. Well, now there is.

Here's the original announcement:

Recently it was brought to our attention that while we announce new releases of Asterisk and Asterisk-Addons on the asterisk-announce mailing list (and others), and we publish security advisories on the asterisk-announce and asterisk-security mailing lists (and others), there are frequently changes that are made in our policies, procedures, and products that do not get announced on any widely-read mailing list.

To help with this situation, we've created a new mailing list called 'digium-announce', located on the lists.digium.com list server. This will be a low-volume, read-only (no discussion) list that will be used for various announcements, including:

  1. Changes to Digium's services for the Asterisk community, like the bugs.digium.com issue tracker, the downloads.digium.com download server and others
  2. Changes to and new releases of Digium's commercial software products used by the Asterisk community like the G.729 codec, the HPEC echo canceler and others
  3. Improvements to the asterisk.org web site

Please feel free to subscribe to this mailing list by visiting

http://lists.digium.com/mailman/listinfo/digium-announce

Thanks for using Asterisk!

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpfleming@digium.com
Check us out at www.digium.com & www.asterisk.org

Digium call for help in response to IC3/FBI Asterisk Security Issue announced last Friday

December 8, 2008

In a story earlier today we posted about the FBI announcement regarding pwning Asterisk systems. Digium has posted a response to this on the Asterisk Mailing Lists asking the community for help in response to the FBI's warning and various other news outlets misrepresenting the issue or not fully informing their audience. Here's the message posted by Digium:

On Friday, the IC3 (FBI/NW3C/BJA) put out a security advisory on their website that contained a fairly vaguely worded warning about Asterisk systems being compromised and then being used as "vishing" (voice phishing) platforms. They were non-specific on the threat other than to advocate upgrading to "newer versions" of Asterisk. This announcement was done on Friday late afternoon, just as everyone was leaving for the weekend, which left us leaving frantic messages with various IC3 voicemail system deadends and emails to generic-sounding accounts.

The delay in any authoritative information from IC3 quickly created a guessing game in the blogger and press community as to what was exactly the vulnerability and what were the details of this threat.

The speculation here at Digium was that this was just a re-statement of an older bug from earlier this year, or it could have been entirely unrelated to Asterisk and just been a case of mis-diagnosis of poor password control.

It turns out that we were correct on our first guess: this is not a new problem, and furthermore is a difficult vulnerability to exploit even on those systems that are unpatched - it would require fairly purposeful configuration to expose the system to a "vishing" abuse method, so it is probably the case that this was a very isolated event. We spoke with IC3 agents earlier today, and they have updated the alert to contain the correct warning (AST-2008-003) which was their original intent.

There is a more complete description of the incident on the Digium blog site:

http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

Other links:

AST-2008-003 - http://www.asterisk.org/node/48466

Revised IC3 announcement - http://www.ic3.gov/media/2008/081205-2.aspx

WHAT YOU CAN DO:

Unfortunately, the news of security risks spreads faster than the news of a non-issue - secure systems aren't "stories" so I expect it will be an uphill effort to update all the sites which copied or re-blogged the IC3 story initially. We would very much like to enlist the community to have you try to post where you can the link to the Digium blog above - it would help keep misperceptions from becoming part of the permanent data landscape as things get slowly archived into Google-able snippets. Post in the "Comments" sections of any blogs you see linking to this story, or put your own $.02 in as you see fit. We'd like to keep good relations with the IC3 and FBI, and we understand how this kind of mistake can happen (even though we're uncomfortable with the results) so please set your flamethrowers on "warm" instead of "scorch" if you choose to weigh in on the topic yourself.

If anyone has questions regarding this issue, please feel free to contact me via email or phone to discuss.

JT

---

John Todd

jtodd@digium.com +1-256-428-6083

Asterisk Open Source Community Director

XMPP Turns 10! – Celebrate with people from around the world using these handy lists.

November 17, 2008

Looks like a list has been set up to celebrate the 10th year that XMPP/Jabber has been around. This was posted to the Jabber mailing list today. Go ahead, celebrate your geekiness!

We set up a special mailing list for discussions about the parties all around the world for Jabber's 10th Birthday.

You can subscribe to the list here: http://mail.jabber.org/mailman/listinfo/birthday
Or read and post via the Jabberforum: http://www.jabberforum.org/forumdisplay.php?f=180

XMPP Organization set to offer Free (yes, free!) SSL Certificates for XMPP services

October 13, 2008

This is really cool:

BTW, I think I forgot to mention that we're working to simplify the process of obtaining a free digital certificate from the XMPP Intermediate Certificate Authority (e.g., the process is now "self-service"). As part of that work, the URL is now:

http://xmpp.org/ca/

Let me know if you have any questions about the XMPP ICA.

Peter

--
Peter Saint-Andre
https://stpeter.im/

Cisco Systems set to buy Jabber Inc instant messaging company

September 19, 2008

Cisco Systems Inc said on Friday it plans to buy privately held Jabber Inc, which specializes in instant messaging software, to bolster its own line of Internet-based communications products.

The two companies did not disclose financial terms.

Denver-based Jabber provides open instant messaging technology that supports different devices and applications, and allows users on separate networks, such as Google Talk or Yahoo Messenger, to connect with each other.

"With the acquisition of Jabber, we will be able to extend the reach of our current instant messaging service and expand the capabilities of our collaboration platform," Doug Dennerline, senior vice president of Cisco's Collaboration Software Group, said in a statement.

Cisco said it expects the deal to close by the end of January.

Source: Reuters

New release of Ejabberd 2.0.2

August 31, 2008

We've installed it, have you? Working great too. Gotta love built-in proxy65 and pep.

Hello,

Following the release of ejabberd 2.0.2-beta1 a few weeks earlier, the final 2.0.2 has been released.

Release notes and links to binary installers and source code can be found on this page:
http://www.process-one.net/en/ejabberd/article/ejabberd_202/

Jérôme Sautret.
