A few small fixes including a DoS in chan_iax2, memory leak with config reload, seqnum wraparound problems in chan_iax2, and s/They're going to be pissed.// - very little change from 1.2.22 really (<200 lines diff -u0).
ftp://ftp.digium.com/pub/asa/ASA-2007-018.html
Resource Exhaustion vulnerability in IAX2 channel driver

"The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service attack when configured to allow unauthenticated calls. An attacker can send a flood of NEW packets for valid extensions to the server to initiate calls as the unauthenticated user. This will cause resources on the Asterisk system to get allocated that will never go away. Furthermore, the IAX2 channel driver will be stuck trying to reschedule retransmissions for each of these fake calls forever. This can very quickly bring down a system and the only way to recover is to restart Asterisk.

.. The default configuration[*] that is distributed with Asterisk includes a guest account that allows unauthenticated calls. If this account and any other account without a password is disabled for IAX2, then the system is not vulnerable to this problem.

.. For systems that continue to allow unauthenticated IAX2 calls, they must be updated to one of the versions listed as including the fix below."

[*] The sample configuration files in the OpenBSD package only enable SIP channels, so this will only affect you if you've changed the configuration to allow unauthenticated IAX2.

Sorry, just tested this one on amd64 so far. Updated 1.4 tar.gz later.

Index: Makefile =================================================================== RCS file: /cvs/ports/telephony/asterisk/Makefile,v retrieving revision 1.21 diff -u -p -r1.21 Makefile --- Makefile 19 Jul 2007 01:31:27 -0000 1.21 +++ Makefile 25 Jul 2007 09:46:42 -0000
@@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.21 2007/07/19 01:31:27 ian Exp $ COMMENT= open source multi-protocol PBX and telephony toolkit -DISTNAME= asterisk-1.2.22 +DISTNAME= asterisk-1.2.23 CATEGORIES= telephony MASTER_SITES= http://ftp.digium.com/pub/asterisk/releases/ Index: distinfo =================================================================== RCS file: /cvs/ports/telephony/asterisk/distinfo,v retrieving revision 1.16 diff -u -p -r1.16 distinfo --- distinfo 19 Jul 2007 01:31:27 -0000 1.16 +++ distinfo 25 Jul 2007 09:46:42 -0000 @@ -1,5 +1,5 @@ -MD5 (asterisk-1.2.22.tar.gz) = Hg8lqZFMH8jJM5oaQUEZvg== -RMD160 (asterisk-1.2.22.tar.gz) = HrHak+y2FMStQHdcIvqTeE7dZeg= -SHA1 (asterisk-1.2.22.tar.gz) = A/hY2AX4JbGfUbmgnKmMoS9xPIM= -SHA256 (asterisk-1.2.22.tar.gz) = r3Tj1ArOJPbI0sqrU/9C+0cFbPR0QmXvE3I4lgIcFxY= -SIZE (asterisk-1.2.22.tar.gz) = 10642597 +MD5 (asterisk-1.2.23.tar.gz) = 4eE6SWpFNC3siNz3YWLm8A== +RMD160 (asterisk-1.2.23.tar.gz) = uGgP7vP95hluuej6urtuxwTI+BU= +SHA1 (asterisk-1.2.23.tar.gz) = o771UaFpFExIeFR6T+Qem7/C1ig= +SHA256 (asterisk-1.2.23.tar.gz) = lj+ExNct4t+cPXN0ZG8iiEn5DnFWqZ3zmP4KUBYOdWE= +SIZE (asterisk-1.2.23.tar.gz) = 10660237
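Review bot: the Makefile hunk only bumps DISTNAME from asterisk-1.2.22 to asterisk-1.2.23 and shows no PKGNAME or REVISION line in its context; please confirm the port derives PKGNAME from DISTNAME and carries no stale REVISION, so that the installed package version actually advances and pkg_add -u picks up the security fix.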
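Review bot: the distinfo hunk replaces all five digest/size lines (MD5, RMD160, SHA1, SHA256, SIZE) for the 1.2.23 tarball, which is the shape `make makesum` produces; since this is a security update whose only integrity check is these digests, note in the commit message that they were regenerated from a fresh fetch off MASTER_SITES and that `make checksum` passes, rather than edited by hand.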
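The advisory quoted above makes the mitigation a configuration question: the resource-exhaustion problem only applies while IAX2 accepts calls from an account with no password. The following audit script is an added example for this post, not code from Asterisk or the OpenBSD port. It parses an iax.conf-style file (the `[section]`, `key=value`, `;`-comment syntax Asterisk uses) and lists every inbound-capable entry (`type=user` or `type=friend`) that has no `secret` and is not RSA-authenticated via `auth=rsa` plus `inkeys`. The sample configuration embedded in it is constructed for the example; its `[guest]` entry mirrors the password-less guest account the advisory refers to.

```python
"""Audit an Asterisk iax.conf for accounts that accept unauthenticated calls.

Per ASA-2007-018, disabling the guest account and every other IAX2 account
without a password removes exposure to the resource-exhaustion issue.  This
script lists such accounts so an administrator can disable them or add a
secret.  Added example; not part of Asterisk or the OpenBSD port.
"""

# Constructed sample in the shape of Asterisk's iax.conf.  [guest] mirrors the
# stock sample's password-less guest account; the other entries are made up.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569
disallow=all
allow=ulaw          ; codec lines may repeat

[guest]
type=user
context=default
callerid="Guest IAX User"

[alice]
type=friend
secret=s3cretPhrase
host=dynamic
context=internal

[trunk-out]
type=peer           ; outbound only, never accepts calls
host=192.0.2.10
secret=anotherSecret

[rsa-partner]
type=user
auth=rsa
inkeys=partnerkey   ; RSA-authenticated, no shared secret needed
context=partners

[anonymous](!)
type=user
context=default
; no secret line at all
"""


def parse_iax_conf(text):
    """Return {section_name: [(key, value), ...]}, keeping duplicate keys.

    Handles ';' comments, '[name]' and '[name](template)' headers, and both
    'key=value' and 'key => value' assignments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # assignment before any section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.lstrip(">").strip()  # tolerate 'key => value'
        sections[current].append((key.strip().lower(), value))
    return sections


def unauthenticated_accounts(sections):
    """Names of inbound-capable entries that accept calls without credentials.

    type=user and type=friend accept inbound calls; type=peer does not.  An
    entry counts as authenticated if it carries a non-empty 'secret', or uses
    auth=rsa together with an 'inkeys' public key.
    """
    findings = []
    for name, items in sections.items():
        if name == "general":
            continue
        kv = {}
        for key, value in items:
            kv.setdefault(key, value)  # first occurrence wins, like Asterisk
        if kv.get("type", "").lower() not in ("user", "friend"):
            continue
        if kv.get("secret"):
            continue
        if kv.get("auth", "").lower() == "rsa" and kv.get("inkeys"):
            continue
        findings.append(name)
    return findings


def audit(text):
    """Convenience wrapper: parse and report in one call."""
    return unauthenticated_accounts(parse_iax_conf(text))


if __name__ == "__main__":
    for account in audit(SAMPLE_IAX_CONF):
        print(f"unauthenticated IAX2 account: [{account}]")
```

Run it against a real `/etc/asterisk/iax.conf` by replacing the constructed sample with the file's contents; an empty result means every account that can receive an IAX2 call requires a secret or an RSA key, which is the condition the advisory names as not vulnerable.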