Posted: Thu Oct 19, 2006 3:30 am Post subject: [asterisk-announce] Asterisk 1.2.13 released - Security Vuln
The Asterisk Development team has released an update to Asterisk 1.2,
Asterisk 1.2.13.
This release contains a fix for a security vulnerability recently found
in the chan_skinny channel driver (for Cisco SCCP phones). This
vulnerability would enable an attacker to remotely execute code as the
system user running Asterisk (frequently 'root'). The exploit does not
require that the skinny.conf contain any valid phone entries, only that
chan_skinny is loaded and operational.
This release also contains a number of bug fixes, and some improvements
to the chan_sip channel driver (for SIP devices) to mitigate the impacts
of a certain class of denial-of-service attacks that have recently been
published.
All Asterisk 1.2 users are urged to update to this release if they use
the chan_skinny channel driver, or to stop loading it if it is not
needed ('noload=>chan_skinny.so' in modules.conf will cause this behavior).
The team has also released Zaptel 1.2.10, Asterisk-Addons 1.2.5 and
libpri 1.2.5; these releases contain only bug fixes and minor improvements.
As always, the release files are available on the Digium FTP servers at
ftp://ftp.digium.com, in both tarball and patch file form. All of the
release files have been signed with our GPG keys and the signature files
are available in the same directories as the release files.
Thanks for using and supporting Asterisk!
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum