The Asterisk Development Team has announced security releases for Asterisk branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an issue that when decoding UDPTL packets, multiple stack and heap based arrays can be made to overflow by specially crafted packets. Systems configured for T.38 pass through or termination are vulnerable. The issue and resolution are described in the AST-2011-002 security advisory. For more information about the details of this vulnerability, please read the security advisory AST-2011-002, which was released at the same time as this announcement. For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.4.39.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.22 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.4 Security advisory AST-2011-002 is available at: http://downloads.asterisk.org/pub/security/AST-2011-002.pdf Thank you for your continued support of Asterisk!
|