--
Denis Galvão
AsteriskBrasil.org
Help the AsteriskBrasil.org community, buy a t-shirt! http://www.voipmania.com.br
Begin forwarded message:

> From: Asterisk Development Team <asteriskt...@digium.com>
> Date: 18 February 2010 21:51:58 GMT-02:00
> To: asteriskt...@digium.com
> Subject: [asterisk-dev] Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 Now Available
> Reply-To: Asterisk Developers Mailing List <asterisk-...@lists.digium.com>
>
> The Asterisk Development Team has announced security releases for the following
> versions of Asterisk:
>
> * 1.2.40
> * 1.4.29.1
> * 1.6.0.24
> * 1.6.1.16
> * 1.6.2.4
>
> These releases are available for immediate download at
> http://downloads.asterisk.org/pub/telephony/asterisk/
>
> The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4
> include documentation describing a possible dialplan string injection with common
> usage of the ${EXTEN} (and other expansion variables). The issue and resolution
> are described in the AST-2010-002 security advisory.
>
> If you have a channel technology which can accept characters other than numbers
> and letters (such as SIP) it may be possible to craft an INVITE which sends data
> such as 300&Zap/g1/4165551212 which would create an additional outgoing channel
> leg that was not originally intended by the dialplan programmer.
>
> Please note that this is not limited to a specific protocol or the Dial()
> application.
>
> The expansion of variables into programmatically-interpreted strings is a common
> behavior in many script or script-like languages, Asterisk included. The ability
> for a variable to directly replace components of a command is a feature, not a
> bug - that is the entire point of string expansion.
>
> However, it is often the case due to expediency or design misunderstanding that
> a developer will not examine and filter string data from external sources before
> passing it into potentially harmful areas of their dialplan.
>
> With the flexibility of the design of Asterisk come these risks if the dialplan
> designer is not suitably cautious as to how foreign data is allowed to enter the
> system unchecked.
>
> This security release is intended to raise awareness of how it is possible to
> insert malicious strings into dialplans, and to advise developers to read the
> best practices documents so that they may easily avoid these dangers.
>
> For more information about the details of this vulnerability, please read the
> security advisory AST-2010-002, which was released at the same time as this
> announcement.
>
> Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in
> order to allow the filtering of strings as described in the best practices
> document.
>
> It should also be noted that the 1.6.x series of Asterisk had release candidates
> available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will
> either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or if another round of
> RC changes is necessary, those version numbers will be used with -rc1 appended.
>
> For a full list of changes in the current releases, please see the ChangeLog:
>
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
> http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4
>
> Security advisory AST-2010-002 is available at:
>
> http://downloads.asterisk.org/pub/security/AST-2010-002.pdf
>
> The README-SERIOUSLY.bestpractices.txt document is available in the top-level
> directory of your Asterisk sources, or available in all Asterisk branches from
> 1.2 and up.
>
> http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
>
> Thank you for your continued support of Asterisk!
>
> --
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev

_______________________________________________
AsteriskBrasil.org discussion list
AsteriskBrasil@listas.asteriskbrasil.org
http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil
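The filtering that the forwarded announcement recommends, worked through as a runnable illustration. This is an added Python example, not code from the announcement, from Asterisk, or from the AsteriskBrasil list; `dial_legs` is a deliberately simplified model of how Dial() splits its first argument on `&`, `filter_chars` is a stand-in for the dialplan function FILTER(<allowed-chars>,<string>), the trunk name `trunk` and the benign extension `300` are constructed, and the injected extension is the exact string quoted in the announcement.

```python
"""Added example (not from the announcement or from Asterisk): models the
dialplan string injection described in AST-2010-002 and the FILTER()-style
allow-list defence, so both can be checked offline."""
import logging
from typing import List, Set

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("dialplan-check")

# Constructed sample inputs: a normal extension and the injected string
# quoted in the announcement. The trunk name "trunk" is also constructed.
BENIGN_EXTEN = "300"
INJECTED_EXTEN = "300&Zap/g1/4165551212"
TRUNK = "trunk"


def expand_allowed(allowed: str) -> Set[str]:
    """Expand a FILTER()-style allow-list such as "0-9a-z" into a set of
    characters; 'x-y' ranges are inclusive, every other character is literal."""
    chars: Set[str] = set()
    i = 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            lo, hi = allowed[i], allowed[i + 2]
            chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:
            chars.add(allowed[i])
            i += 1
    return chars


def filter_chars(allowed: str, value: str) -> str:
    """Python stand-in for the dialplan function FILTER(<allowed-chars>,<string>):
    drop every character of value that is not in the allow-list."""
    keep = expand_allowed(allowed)
    return "".join(ch for ch in value if ch in keep)


def dial_legs(dial_argument: str) -> List[str]:
    """Simplified model of how Dial() reads its first argument: '&' separates
    Technology/Resource entries and each entry becomes an outgoing channel leg."""
    return [leg for leg in dial_argument.split("&") if leg]


def build_dial_argument(exten: str, filtered: bool) -> str:
    """Mirror Dial(SIP/${EXTEN}@trunk) when filtered is False and
    Dial(SIP/${FILTER(0-9,${EXTEN})}@trunk) when it is True."""
    value = filter_chars("0-9", exten) if filtered else exten
    return f"SIP/{value}@{TRUNK}"


def exten_is_clean(exten: str, allowed: str = "0-9") -> bool:
    """Strict variant: accept the extension only if filtering changes nothing.
    Silently stripping can still dial an unintended number built from the
    leftover digits, so a mismatch is grounds to reject the call."""
    return filter_chars(allowed, exten) == exten


def unexpected_characters(exten: str, allowed: str = "0-9") -> str:
    """Detection helper: the characters outside the allow-list, sorted, so a
    log line can be raised whenever the result is non-empty."""
    keep = expand_allowed(allowed)
    return "".join(sorted({ch for ch in exten if ch not in keep}))


def check_call(exten: str) -> bool:
    """Log what each extension would do with and without FILTER() and return
    whether the call should be allowed to proceed."""
    raw_legs = dial_legs(build_dial_argument(exten, filtered=False))
    safe_legs = dial_legs(build_dial_argument(exten, filtered=True))
    log.info("exten=%r unfiltered legs=%s filtered legs=%s", exten, raw_legs, safe_legs)
    bad = unexpected_characters(exten)
    if bad:
        log.warning("exten=%r has characters outside 0-9: %r; rejecting", exten, bad)
    return exten_is_clean(exten)


if __name__ == "__main__":
    for sample in (BENIGN_EXTEN, INJECTED_EXTEN):
        print(sample, "->", "allowed" if check_call(sample) else "rejected")
```

Run as a script, the unfiltered argument for the injected string produces two legs (`SIP/300` and `Zap/g1/4165551212@trunk`) while the filtered one produces a single leg. The dialplan equivalent of the filtered path is `exten => _X.,1,Dial(SIP/${FILTER(0-9,${EXTEN})}@trunk)`. Note the caveat that `exten_is_clean` addresses: FILTER() alone turns the injected string into `30014165551212`, a syntactically valid but unintended number, so a stricter dialplan compares the filtered value against the original and branches away on mismatch, e.g. `GotoIf($["${FILTER(0-9,${EXTEN})}" != "${EXTEN}"]?reject)`, and the same check applies to any other expansion variable fed by the remote party.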