A few small fixes including a DoS in chan_iax2, a memory leak with config reload, seqnum wraparound problems in chan_iax2, and s/They're going to be pissed.// - very little change from 1.2.22 really (<200 lines diff -u0).
ftp://ftp.digium.com/pub/asa/ASA-2007-018.html
Resource Exhaustion vulnerability in IAX2 channel driver
"The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service attack when configured to allow unauthenticated calls. An attacker can send a flood of NEW packets for valid extensions to the server to initiate calls as the unauthenticated user. This will cause resources on the Asterisk system to get allocated that will never go away. Furthermore, the IAX2 channel driver will be stuck trying to reschedule retransmissions for each of these fake calls forever. This can very quickly bring down a system and the only way to recover is to restart Asterisk.

The default configuration[*] that is distributed with Asterisk includes a guest account that allows unauthenticated calls. If this account and any other account without a password is disabled for IAX2, then the system is not vulnerable to this problem.

For systems that continue to allow unauthenticated IAX2 calls, they must be updated to one of the versions listed as including the fix below."
[*] the sample configuration files in the OpenBSD package only enable SIP channels, so this will only affect you if you've changed the configuration to allow unauthenticated IAX2.
Sorry, just tested this one on amd64 so far.
Updated 1.4 tar.gz later.
Index: Makefile
===================================================================
RCS file: /cvs/ports/telephony/asterisk/Makefile,v
retrieving revision 1.21
diff -u -p -r1.21 Makefile
--- Makefile 19 Jul 2007 01:31:27 -0000 1.21
+++ Makefile 25 Jul 2007 09:46:42 -0000
 -1,7
+1,7 
# $OpenBSD: Makefile,v 1.21 2007/07/19 01:31:27 ian Exp $
COMMENT= open source multi-protocol PBX and telephony
toolkit
-DISTNAME= asterisk-1.2.22
+DISTNAME= asterisk-1.2.23
CATEGORIES= telephony
MASTER_SITES= http://f
tp.digium.com/pub/asterisk/releases/
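Review bot: The DISTNAME bump alone carries the version change (1.2.22 to 1.2.23), so nothing else in the Makefile needs touching, but the hunk header and the MASTER_SITES context line are line-wrapped in this copy (`-1,7` / `+1,7 ` without the `@@` markers, and `http://f` / `tp.digium.com/pub/asterisk/releases/` split in two); apply the patch from the original mail rather than from this rendering, or `patch` will reject the hunk.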
Index: distinfo
===================================================================
RCS file: /cvs/ports/telephony/asterisk/distinfo,v
retrieving revision 1.16
diff -u -p -r1.16 distinfo
--- distinfo 19 Jul 2007 01:31:27 -0000 1.16
+++ distinfo 25 Jul 2007 09:46:42 -0000
 -1,5
+1,5 
-MD5 (asterisk-1.2.22.tar.gz) = Hg8lqZFMH8jJM5oaQUEZvg==
-RMD160 (asterisk-1.2.22.tar.gz) =
HrHak+y2FMStQHdcIvqTeE7dZeg=
-SHA1 (asterisk-1.2.22.tar.gz) =
A/hY2AX4JbGfUbmgnKmMoS9xPIM=
-SHA256 (asterisk-1.2.22.tar.gz) =
r3Tj1ArOJPbI0sqrU/9C+0cFbPR0QmXvE3I4lgIcFxY=
-SIZE (asterisk-1.2.22.tar.gz) = 10642597
+MD5 (asterisk-1.2.23.tar.gz) = 4eE6SWpFNC3siNz3YWLm8A==
+RMD160 (asterisk-1.2.23.tar.gz) =
uGgP7vP95hluuej6urtuxwTI+BU=
+SHA1 (asterisk-1.2.23.tar.gz) =
o771UaFpFExIeFR6T+Qem7/C1ig=
+SHA256 (asterisk-1.2.23.tar.gz) =
lj+ExNct4t+cPXN0ZG8iiEn5DnFWqZ3zmP4KUBYOdWE=
+SIZE (asterisk-1.2.23.tar.gz) = 10660237
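Review bot: The RMD160, SHA1 and SHA256 digest lines are wrapped across two lines each in this copy, so these values should not be pasted by hand; regenerate distinfo with `make makesum` against a fresh fetch of asterisk-1.2.23.tar.gz from the MASTER_SITES in the Makefile and confirm with `make checksum`. The SIZE change (10642597 to 10660237) is small, which is consistent with the under-200-line upstream diff mentioned at the top of the mail.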
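As an added example (not from the mail, the Digium advisory, or the OpenBSD port), a small checker for the mitigation the advisory describes: parse an iax.conf and list the user/friend entries that have no secret, i.e. the accounts that would accept unauthenticated IAX2 calls on an unpatched server. The sample config is constructed; the parser assumes Asterisk's INI-style iax.conf syntax and does not follow #include directives.

```python
import re

# Constructed sample iax.conf in Asterisk's INI-style syntax (not the file
# shipped with any Asterisk release or with the OpenBSD package).
SAMPLE_IAX_CONF = """\
[general]
bindport=4569
; guest entry as in the upstream sample config: no secret at all
[guest]
type=user
context=default
callerid="Guest IAX User"
[alice]
type=friend
secret=s3cr3t
context=internal
[helpdesk]
type=user
context=internal
"""

def parse_iax_conf(text):
    """Return {section: {key: value}}; ';' starts a comment, '=' or '=>' assigns."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip():
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections

def unauthenticated_iax_accounts(text):
    """Sections that accept inbound IAX2 calls (type=user or friend) without a
    secret: the accounts the advisory says to disable on an unpatched server."""
    flagged = []
    for name, opts in parse_iax_conf(text).items():
        accepts_calls = opts.get("type", "").lower() in ("user", "friend")
        if name != "general" and accepts_calls and not opts.get("secret"):
            flagged.append(name)
    return flagged
```

Run it against the real /etc/asterisk/iax.conf; an empty result means no password-less inbound IAX2 account is configured, which is the condition under which the advisory says the system is not exposed.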