The Asterisk.org development team has released Asterisk version 1.4.17. This release contains a fix for a SIP security issue, as well as a number of other bug fixes. The security issue is documented in the published security advisory, AST-2008-001. The vulnerability allows an attacker to cause a crash in the SIP channel driver with a properly crafted transfer. This issue requires an authenticated session that allows transfers to be exploited. If unauthenticated calls with transfer capability are allowed, then this issue could be exploited with an unauthenticated session. Also, this issue only affects Asterisk 1.4. Asterisk 1.2 is not affected. Systems that do not use chan_sip are also not affected. The security advisory is available at http://downloads.digium.com/pub/security/AST-2008-001.pdf. The release is available for immediate download from http://downloads.digium.com/pub/telephony/asterisk/. Thank you for your support!
|