Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.1 and 1.6.2.4 Now Available.

The Asterisk Development Team has announced security releases for the following versions of Asterisk:
* 1.2.40
* 1.4.29.1
* 1.6.0.24
* 1.6.1.16
* 1.6.2.4
These releases are available for immediate download at [url=http://downloads.asterisk.org/pub/telephony/asterisk/]http://downloads.asterisk.org/pub/telephony/asterisk/[/url]
The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 [b]include documentation describing a possible dialplan string injection[/b] with common usage of the ${EXTEN} (and other expansion variables). [b]The issue and resolution are described[/b] in the AST-2010-002 security advisory.
If you have a channel technology which can accept characters other than numbers and letters (such as SIP) it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212 which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer.
Please note that this is not limited to a specific protocol or the Dial() application.
The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug – that is the entire point of string expansion.
However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan.
With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked.
This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers.
For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement.
Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in order to allow the filtering of strings as described in the best practices document.
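The following is an added example (not Asterisk source code and not part of the original announcement) that models, in Python, the two facts the announcement relies on: Dial() treats `&` in its channel argument as a separator between outgoing legs, and FILTER(allowed-chars,string) keeps only the listed characters. It runs the announcement's own injected value through the naive `Dial(SIP/${EXTEN})` pattern and through a hardened check. The hardened path goes one step beyond `${FILTER(0-9,${EXTEN})}` on its own: it rejects the call whenever filtering would change the extension, because silently stripping characters still dials a mangled number. The range-expansion rules and the reject-on-mismatch policy are this example's assumptions, not a description of the Asterisk implementation.

```python
"""Model of the ${EXTEN} dialplan injection from AST-2010-002 and a
FILTER()-style mitigation. Added example, not Asterisk code.

Assumptions (labelled): Dial() splits its first argument on '&' into
separate channel legs; FILTER(spec, value) keeps only characters that
appear in spec, where 'a-z' style ranges are expanded and everything
else is literal.
"""
from typing import List, Optional, Set


def expand_allowed(spec: str) -> Set[str]:
    """Expand a FILTER()-style allowed-character spec such as '0-9A-Za-z'.

    'x-y' is treated as an inclusive range; a lone '-' or any other
    character is taken literally.
    """
    allowed: Set[str] = set()
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            lo, hi = spec[i], spec[i + 2]
            allowed.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:
            allowed.add(spec[i])
            i += 1
    return allowed


def filter_chars(spec: str, value: str) -> str:
    """Emulates ${FILTER(spec,value)}: drop every character not in spec."""
    allowed = expand_allowed(spec)
    return "".join(ch for ch in value if ch in allowed)


def dial_legs(dial_arg: str) -> List[str]:
    """Model of how Dial() reads its channel argument: '&' separates legs."""
    return [leg for leg in dial_arg.split("&") if leg]


def naive_dial(exten: str) -> List[str]:
    """The pattern the advisory warns about: Dial(SIP/${EXTEN}) on raw input.

    An attacker-controlled extension containing '&' yields extra legs the
    dialplan author never intended.
    """
    return dial_legs(f"SIP/{exten}")


def safe_dial(exten: str, spec: str = "0-9") -> Optional[List[str]]:
    """Hardened variant: filter, then refuse the call if anything was removed.

    Returns the list of legs for a clean extension, or None when the input
    contained characters outside the allowed set (or was empty).
    """
    cleaned = filter_chars(spec, exten)
    if not cleaned or cleaned != exten:
        return None
    return dial_legs(f"SIP/{cleaned}")


if __name__ == "__main__":
    # Constructed sample: the injected value quoted in the announcement.
    injected = "300&Zap/g1/4165551212"
    print("naive legs :", naive_dial(injected))      # two legs, second unintended
    print("filtered   :", filter_chars("0-9", injected))
    print("safe_dial  :", safe_dial(injected))       # None: rejected
    print("safe_dial  :", safe_dial("300"))          # ['SIP/300']
```

In a real dialplan the same check is expressed by comparing `${FILTER(0-9,${EXTEN})}` with `${EXTEN}` before any Dial(), rather than by using the filtered value directly; the comparison is what turns an injection attempt into a rejected call instead of a call to an unexpected number.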
It should also be noted that the 1.6.x series of Asterisk had release candidates available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or, if another round of RC changes is necessary, those version numbers will be used with -rc1 appended.
For a full list of changes in the current releases, please see the ChangeLog:
[url=http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40]http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40[/url]
[url=http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1]http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1[/url]
[url=http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24]http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24[/url]
[url=http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16]http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16[/url]
[url=http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4]http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4[/url]
Security advisory AST-2010-002 is available at:
[url=http://downloads.asterisk.org/pub/security/AST-2010-002.pdf]http://downloads.asterisk.org/pub/security/AST-2010-002.pdf[/url]
The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up.
[url=http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt]http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt[/url]
Thank you for your continued support of Asterisk!

http://voiptoday.org/index.php?option=com_content&view=article&id=324&catid=35&Itemid=136

Theme test article, for testing use only. Publisher: zhangyang; please credit the source when reposting: https://www.voip88.com/asterisk-1-2-40-1-4-29-1-1-6-0-24-1-6-1-1-and-1-6-2-4-now-available/
