A security vulnerability in Asterisk 1.6 means your machines really need to be updated to avoid it:
Asterisk Project Security Advisory - AST-2009-007
+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | ACL not respected on SIP INVITE                   |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized calls allowed on prohibited networks |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote unauthorized session                       |
|--------------------+---------------------------------------------------|
| Severity           | Critical                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | October 18, 2009                                  |
|--------------------+---------------------------------------------------|
| Reported By        | Thomas Athineou                                   |
|--------------------+---------------------------------------------------|
| Posted On          | October 26, 2009                                  |
|--------------------+---------------------------------------------------|
| Last Updated On    | October 26, 2009                                  |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Jeff Peeler                                       |
|--------------------+---------------------------------------------------|
| CVE Name           |                                                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | A missing ACL check for handling SIP INVITEs allows a    |
|             | device to make calls on networks intended to be          |
|             | prohibited as defined by the "deny" and "permit" lines   |
|             | in sip.conf. The ACL check for handling SIP              |
|             | registrations was not affected.                          |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution  | Users should upgrade to a version listed in the          |
|             | "Corrected In" section below.                            |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                       | Release Series |                       |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.2.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.4.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.6.x          | All 1.6.1 versions    |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons               | 1.2.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons               | 1.4.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons               | 1.6.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition     | A.x.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition     | B.x.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition     | C.x.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| AsteriskNOW                   | 1.5            | Unaffected            |
|-------------------------------+----------------+-----------------------|
| s800i (Asterisk Appliance)    | 1.2.x          | Unaffected            |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                     | Release                  |
|---------------------------------------------+--------------------------|
| Open Source Asterisk 1.6.1                  | 1.6.1.8                  |
+------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| Patches                                                                    |
|----------------------------------------------------------------------------|
| SVN URL                                                            |Version|
|--------------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/security/AST-2009-007-1.6.1.diff.txt| 1.6.1 |
+----------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links              |                                                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-007.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-007.html             |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date                   | Editor           | Revisions Made             |
|------------------------+------------------+----------------------------|
| October 26, 2009       | Jeff Peeler      | Initial release            |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-007
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
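To make the advisory's description concrete, here is an added Python example (written for this post; it is not Asterisk code and not part of the advisory) that models how sip.conf "deny" and "permit" lines are evaluated for a source address, and then contrasts a request handler that applies the peer ACL only to REGISTER with one that applies it to INVITE as well. The peer configuration, the source addresses and the two method sets are constructed for illustration; the rule semantics used here (rules applied in order, last matching rule wins, an address matching no rule is allowed) are assumed from Asterisk's documented ACL behaviour.

```python
import ipaddress

# Educational model of a sip.conf peer ACL and of the dispatch flaw the
# advisory describes (ACL enforced on REGISTER but not on INVITE).
# Added example code, not Asterisk's implementation. The evaluation
# semantics (in order, last match wins, default allow) are an assumption
# based on Asterisk's documented deny/permit behaviour.

# Constructed sip.conf fragment for one peer: deny everything, then allow
# only the 192.168.1.0/24 LAN.
PEER_ACL = """
[phone-lobby]
type=friend
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""


def parse_acl(conf_text):
    """Return a list of (sense, network) rules from deny=/permit= lines.

    Values may be CIDR ("10.0.0.0/8") or address/netmask form
    ("10.0.0.0/255.0.0.0"); ipaddress.ip_network accepts both.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("deny", "permit"):
            rules.append((key, ipaddress.ip_network(value.strip(), strict=False)))
    return rules


def acl_allows(rules, source_ip):
    """Evaluate the ACL for one source address: the last matching rule wins,
    and an address that matches no rule is allowed."""
    addr = ipaddress.ip_address(source_ip)
    verdict = "permit"
    for sense, network in rules:
        if addr in network:
            verdict = sense
    return verdict == "permit"


def dispatch(method, source_ip, rules, acl_checked_methods):
    """Model a SIP request handler that enforces the peer ACL only for the
    request methods named in acl_checked_methods; returns the outcome as a
    string so the two policies can be compared."""
    if method in acl_checked_methods and not acl_allows(rules, source_ip):
        return "403 Forbidden (ACL)"
    return "accepted"


# Illustrative method sets: before the fix only registrations were subject
# to the ACL; after it INVITEs are checked as well.
BEFORE_FIX = frozenset({"REGISTER"})
AFTER_FIX = frozenset({"REGISTER", "INVITE"})


def outcomes(source_ip, checked_methods):
    """Outcome of a REGISTER and an INVITE from source_ip under one policy."""
    rules = parse_acl(PEER_ACL)
    return {m: dispatch(m, source_ip, rules, checked_methods)
            for m in ("REGISTER", "INVITE")}


if __name__ == "__main__":
    # Constructed addresses: one inside the permitted LAN, one outside it.
    for ip in ("192.168.1.20", "10.0.0.5"):
        print(ip, "before fix:", outcomes(ip, BEFORE_FIX))
        print(ip, "after fix: ", outcomes(ip, AFTER_FIX))
```

Running it shows the gap the advisory closes: with the pre-fix method set, the off-LAN address is refused registration but its INVITE is still accepted, so the "deny" line never stops the call; with the post-fix set both requests are refused. The same model makes a useful regression check when you tighten an ACL: evaluate the address against every request type you expose, not only the one you happened to test.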
Original Content (C) 2004-2010 Matt Riddell