Asterisk Releases Resolve Security Vulnerability Issues

June 27, 2011

Asterisk has announced new security releases. Versions 1.4.41.1, 1.6.2.18.1, and 1.8.4.3 are now available for immediate download. The new releases address a number of different issues.

The first – AST-2011-008 – is resolved in 1.6.2.18.1 and 1.8.4.3. This issue occurred when a remote user sent a SIP packet containing a null. Asterisk assumed that the available data extended past the null to the end of the packet, but the buffer was actually truncated when copied, so SIP header parsing modified data past the end of the buffer. As a result, unrelated memory structures were altered.
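The length mismatch described for AST-2011-008, as an added illustration that is not Asterisk's code or its actual fix: the function names and the sample packet are constructed for this example, and rejecting any datagram that contains a null is an assumed policy.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample datagram with a NUL embedded in a header value. */
static const char SAMPLE[] =
    "OPTIONS sip:a@example.invalid SIP/2.0\r\nVia: x\0y\r\n\r\n";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* bytes "received" */

/* Bytes a string-style copy keeps: everything before the first NUL,
 * capped by the destination size (dst_size must be > 0). */
size_t copied_len(const char *pkt, size_t recv_len, size_t dst_size)
{
    const char *nul = memchr(pkt, '\0', recv_len);
    size_t n = nul ? (size_t)(nul - pkt) : recv_len;
    return n < dst_size ? n : dst_size - 1;
}

/* Bytes a parser would wrongly treat as valid if it kept using the
 * received length after such a copy. */
size_t trusted_but_absent(const char *pkt, size_t recv_len, size_t dst_size)
{
    return recv_len - copied_len(pkt, recv_len, dst_size);
}

/* Hardened copy (assumed policy: any NUL makes the datagram invalid).
 * Returns the length the parser may rely on, or -1 on rejection. */
long sip_copy_checked(char *dst, size_t dst_size,
                      const char *pkt, size_t recv_len)
{
    if (dst_size == 0 || recv_len >= dst_size)
        return -1;                      /* would not fit with terminator */
    if (memchr(pkt, '\0', recv_len) != NULL)
        return -1;                      /* copy and length would disagree */
    memcpy(dst, pkt, recv_len);
    dst[recv_len] = '\0';
    return (long)recv_len;
}
```

The point of the check is that the length handed to the header parser and the number of bytes actually present in the buffer are forced to be the same value.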

The second issue – AST-2011-009 – was resolved with 1.8.4.3. This issue occurred when a user sent a SIP packet containing a Contact header with a missing left angle bracket (<), which caused Asterisk to access a null pointer.

The third issue – AST-2011-010 – was resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3. The problem here was that a memory address was inadvertently transmitted over the network via IAX2 in an option control frame. As a result, the remote party would try to access it.

More details on these vulnerabilities are available in the security advisories AST-2011-008, AST-2011-009, and AST-2011-010. For additional releases, see the ChangeLog.

The latest releases attempt to resolve these security issues, ensuring those with the open Asterisk platform in place can enjoy secure and reliable communications.

Susan J. Campbell is a contributing editor for TMCnet and has also written for eastbiz.com. To read more of Susan’s articles, please visit her columnist page.

Edited by Rich Steeves
