The Asterisk Development Team has announced security releases for the following versions of Asterisk: * 1.2.40 * 1.4.29.1 * 1.6.0.24 * 1.6.1.16 * 1.6.2.4 These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/ The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 include documention describing a possible dialplan string injection with common usage of the ${EXTEN} (and other expansion variables). The issue and resolution are described in the AST-2010-002 security advisory. If you have a channel technology which can accept characters other than numbers and letters (such as SIP) it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212 which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer. Please note that this is not limited to an specific protocol or the Dial() application. The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug - that is the entire point of string expansion. However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan. With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked. This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers. For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement. Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in order to allow the filtering of strings as described in the best practices document. It should also be noted that the 1.6.x series of Asterisk had release candidates available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or if another round of RC changes is necessary, those versions numbers will be used with -rc1 appended. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40 http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1 http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24 http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16 http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4 Security advisory AST-2010-002 is available at: http://downloads.asterisk.org/pub/security/AST-2010-002.pdf The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up. http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt Thank you for your continued support of Asterisk!