The Asterisk Development team has released an update to Asterisk 1.0, Asterisk 1.0.12. This release contains a fix for a security vulnerability recently found in the chan_skinny channel driver (for Cisco SCCP phones). This vulnerability would enable an attacker to remotely execute code as the system user running Asterisk (frequently 'root'). The exploit does not require that the skinny.conf contain any valid phone entries, only that chan_skinny is loaded and operational. All Asterisk 1.0 users are urged to update to this release if they use the chan_skinny channel driver, or to stop loading it if it is not needed ('noload=>chan_skinny.so' in modules.conf will cause this behavior). As always, the release files are available on the Digium FTP servers at ftp://ftp.digium.com, in both tarball and patch file form. All of the release files have been signed with our GPG keys and the signature files are available in the same directories as the release files. Thanks for using and supporting Asterisk!