The Asterisk Development Team has announced the release of Asterisk 1.2.37, 1.4.27.1, 1.6.0.19, and 1.6.1.11. These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

These releases have been created in response to a SIP remote crash vulnerability. Additionally, Asterisk versions 1.4.27.1, 1.6.0.19, and 1.6.1.11 also contain an SDP regression fix as described in issue #16268. Asterisk 1.6.0.19 and 1.6.1.11 contain an additional SDP regression fix as described by issue #16238. Information about the SDP issues can be found at
https://issues.asterisk.org/view.php?id=16268 and
https://issues.asterisk.org/view.php?id=16238

For more information about the details of this vulnerability, please read the security advisory AST-2009-010, which was released at the same time as this announcement. The security advisory is available at
http://downloads.asterisk.org/pub/security/AST-2009-010.pdf

For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.37
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.27.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.19
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.11

Thank you for your continued support of Asterisk!
Asterisk Project Security Advisory - AST-2009-010

Product:             Asterisk
Summary:             RTP Remote Crash Vulnerability
Nature of Advisory:  Denial of Service
Susceptibility:      Remote unauthenticated sessions
Severity:            Critical
Exploits Known:      No
Reported On:         November 13, 2009
Reported By:         issues.asterisk.org user amorsen
Posted On:           November 30, 2009
Last Updated On:     November 30, 2009
Advisory Contact:    David Vossel < dvossel AT digium DOT com >
CVE Name:            CVE-2009-4055

Description:
  An attacker sending a valid RTP comfort noise payload containing a data
  length of 24 bytes or greater can remotely crash Asterisk.

Resolution:
  Upgrade to one of the versions of Asterisk listed in the "Corrected In"
  section, or apply a patch specified in the "Patches" section.

Affected Versions
  Product                       Release Series
  Asterisk Open Source          1.2.x           All versions
  Asterisk Open Source          1.4.x           All versions
  Asterisk Open Source          1.6.x           All versions
  Asterisk Business Edition     B.x.x           All versions
  Asterisk Business Edition     C.x.x           All versions
  s800i (Asterisk Appliance)    1.3.x           All versions

Corrected In
  Product                       Release
  Asterisk Open Source          1.2.37
  Asterisk Open Source          1.4.27.1
  Asterisk Open Source          1.6.0.19
  Asterisk Open Source          1.6.1.11
  Asterisk Business Edition     B.2.5.13
  Asterisk Business Edition     C.2.4.6
  Asterisk Business Edition     C.3.2.3
  S800i (Asterisk Appliance)    1.3.0.6

Patches
  Link                                                                    Branch
  http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt    1.2
  http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt    1.4
  http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt  1.6.0
  http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt  1.6.1

Links
  https://issues.asterisk.org/view.php?id=16242

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2009-010.pdf and
http://downloads.digium.com/pub/security/AST-2009-010.html

Revision History
  Date         Editor          Revisions Made
  2009-09-03   David Vossel    Initial release

Asterisk Project Security Advisory - AST-2009-010
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
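The trigger described in the advisory (a valid RTP packet whose comfort noise payload is 24 bytes or longer) as an added example, not code from Asterisk's rtp.c, from the AST-2009-010 patches, or from this bug: a small RTP receiver in C that walks the RFC 3550 fixed header, CSRC list, extension and padding to find the payload, recognises the RFC 3389 comfort noise payload type (static PT 13), and refuses to copy a CN payload into a fixed-size buffer unless it fits. The 24-byte buffer, the derived 23-byte limit and all names here are assumptions chosen to match the advisory's threshold, not Asterisk's data structures; the packets are constructed inline for the checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RTP_HDR_LEN 12      /* RFC 3550 fixed header */
#define RTP_PT_CN   13      /* RFC 3389 comfort noise, static payload type */
/* Assumption: the receiver keeps CN data in a fixed 24-byte buffer, so the
 * largest payload it may accept is 23 bytes.  AST-2009-010 reports a crash
 * at 24 bytes or more; this constant is illustrative, not Asterisk's. */
#define CN_MAX_PAYLOAD 23

enum cn_result { CN_OK = 0, CN_NOT_RTP, CN_NOT_CN, CN_EMPTY, CN_TOO_LONG };

struct cn_frame {
    uint16_t seq;
    uint32_t ts;
    uint8_t  level;                      /* noise level: low 7 bits of byte 0 */
    uint8_t  coeffs[CN_MAX_PAYLOAD - 1]; /* optional spectral coefficients   */
    size_t   ncoeffs;
};

/* Locate the payload of an RTP packet and, if it is comfort noise, copy it
 * into a bounded frame.  Every length is checked before it is used. */
enum cn_result parse_cn(const uint8_t *pkt, size_t len, struct cn_frame *out)
{
    if (len < RTP_HDR_LEN || (pkt[0] >> 6) != 2)   /* version must be 2 */
        return CN_NOT_RTP;
    size_t hdr = RTP_HDR_LEN + (size_t)(pkt[0] & 0x0f) * 4;  /* CSRC list */
    if (len < hdr)
        return CN_NOT_RTP;
    if (pkt[0] & 0x10) {                            /* header extension */
        if (len < hdr + 4)
            return CN_NOT_RTP;
        size_t ext_words = ((size_t)pkt[hdr + 2] << 8) | pkt[hdr + 3];
        hdr += 4 + ext_words * 4;
        if (len < hdr)
            return CN_NOT_RTP;
    }
    size_t pad = 0;
    if (pkt[0] & 0x20) {                            /* padding present */
        pad = pkt[len - 1];
        if (pad == 0 || pad > len - hdr)
            return CN_NOT_RTP;
    }
    if ((pkt[1] & 0x7f) != RTP_PT_CN)
        return CN_NOT_CN;
    size_t plen = len - hdr - pad;
    if (plen == 0)
        return CN_EMPTY;
    if (plen > CN_MAX_PAYLOAD)                      /* the missing bound */
        return CN_TOO_LONG;
    out->seq     = (uint16_t)((pkt[2] << 8) | pkt[3]);
    out->ts      = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) |
                   ((uint32_t)pkt[6] << 8)  |  (uint32_t)pkt[7];
    out->level   = pkt[hdr] & 0x7f;
    out->ncoeffs = plen - 1;
    memcpy(out->coeffs, pkt + hdr + 1, out->ncoeffs);
    return CN_OK;
}

/* Constructed test input: V=2, no CSRC/extension/padding, given PT and
 * payload length.  Returns the packet length, or 0 if it will not fit. */
size_t build_packet(uint8_t *buf, size_t cap, uint8_t pt, size_t payload_len)
{
    size_t n = RTP_HDR_LEN + payload_len;
    if (cap < n)
        return 0;
    memset(buf, 0, n);
    buf[0] = 0x80;                    /* V=2 P=0 X=0 CC=0 */
    buf[1] = pt & 0x7f;               /* M=0 */
    buf[3] = 0x01;                    /* sequence number 1 */
    buf[8] = 0xde; buf[9] = 0xad; buf[10] = 0xbe; buf[11] = 0xef;  /* SSRC */
    for (size_t i = 0; i < payload_len; i++)
        buf[RTP_HDR_LEN + i] = (uint8_t)(0x10 + i);
    return n;
}

/* Parse a constructed packet with the given PT and payload length. */
enum cn_result check_packet(uint8_t pt, size_t payload_len)
{
    uint8_t buf[128];
    struct cn_frame f;
    size_t n = build_packet(buf, sizeof buf, pt, payload_len);
    return n ? parse_cn(buf, n, &f) : CN_NOT_RTP;
}

int main(void)
{
    size_t lens[] = { 1, 23, 24, 64 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("CN payload of %2zu bytes -> result %d\n",
               lens[i], check_packet(RTP_PT_CN, lens[i]));
    return 0;
}
```

The decisive line is the `plen > CN_MAX_PAYLOAD` check: without it a 24-byte-or-longer payload would be copied past the end of `coeffs`, which is the shape of failure the advisory describes. Note that nothing before that point needs the packet to be malformed; the packet is valid RTP, which is why the advisory lists it as reachable by remote unauthenticated sessions.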
+*asterisk-1.6.1.11 (01 Dec 2009) + + 01 Dec 2009; <chainsaw@gentoo.org> -asterisk-1.6.1.9.ebuild, + -asterisk-1.6.1.10.ebuild, +asterisk-1.6.1.11.ebuild: + Version bump as requested by Rajiv Aaron Manglani <rajiv@gentoo.org> in + security bug #295270. Fixes a remote crash caused by a comfort noise + payload over 24 bytes in length. Also contains an SDP regression fix, + upstream bug reports #16368 & #16238. Vulnerable 1.6 branch ebuilds + killed.
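Review bot: the first SDP issue number in this entry looks mistyped: "upstream bug reports #16368 & #16238" does not match the upstream release announcement for 1.6.1.11 earlier in this bug, which cites issue #16268 (https://issues.asterisk.org/view.php?id=16268) together with #16238. Suggest "upstream bug reports #16268 & #16238" so the ChangeLog points at the right tracker entry.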
+*asterisk-1.2.37 (01 Dec 2009) + + 01 Dec 2009; <chainsaw@gentoo.org> asterisk-1.2.35.ebuild, + +asterisk-1.2.37.ebuild: + Version bump as requested by Rajiv Aaron Manglani <rajiv@gentoo.org> in + security bug #295270. Fixes a remote crash caused by a comfort noise + payload over 24 bytes in length. Reduce 1.2.35 keywords to PPC, unable to + delete at this time.
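Review bot: "a comfort noise payload over 24 bytes in length" misses the boundary case: AST-2009-010 states the crash is triggered by a data length of 24 bytes or greater, so a 24-byte payload is itself enough. Suggest "a comfort noise payload of 24 bytes or more" here (the 1.6.1.11 entry above uses the same phrase).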
Arches, please test & mark stable net-misc/asterisk-1.2.37

Target keywords: alpha amd64 ~hppa ppc sparc x86

PowerPC, please delete 1.2.35 once you have keyworded 1.2.37, skipping 1.2.36. You can then un-CC yourself from security bug #284892.

Arch teams, for testing please use the default configuration supplied and confirm that the init script will start & stop the daemon.
x86 stable
amd64 stable
CVE-2009-4055 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4055): rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a long data length.
alpha/sparc stable
Marked ppc stable, removed 1.2.35 as directed.
voip: Please remove vulnerable ebuilds (1.2.36 at least). Rerating for DoS.
+ 31 May 2010; <chainsaw@gentoo.org> -asterisk-1.2.36.ebuild: + Remove vulnerable version as per Alex "a3li" Legler in security bug + #295270.
GLSA 201006-20