Asterisk Project Security Advisory - AST-2012-010

         Product        Asterisk
         Summary        Possible resource leak on uncompleted re-invite
                        transactions
    Nature of Advisory  Denial of Service
      Susceptibility    Remote authenticated sessions
         Severity       Minor
      Exploits Known    No
       Reported On      June 13, 2012
       Reported By      Steve Davies
        Posted On       July 5, 2012
     Last Updated On    July 5, 2012
     Advisory Contact   Terry Wilson <twilson@digium.com>
         CVE Name       TBD

    Description  If Asterisk sends a re-invite and an endpoint responds to
                 the re-invite with a provisional response but never sends a
                 final response, then the SIP dialog structure is never
                 freed and the RTP ports for the call are never released. If
                 an attacker has the ability to place a call, they could
                 create a denial of service by using all available RTP
                 ports.

    Resolution  A re-invite that receives a provisional response without a
                final response is detected and properly cleaned up at
                hangup.

                               Affected Versions
                Product                Release Series
         Asterisk Open Source               1.8.x         All versions
         Asterisk Open Source               10.x          All versions
       Asterisk Business Edition            C.3.x         All versions
          Certified Asterisk            1.8.11-certx      All versions
         Asterisk Digiumphones       10.x.x-digiumphones  All versions

                                  Corrected In
                   Product                              Release
             Asterisk Open Source                   1.8.13.1, 10.5.2
          Asterisk Business Edition                     C.3.7.5
              Certified Asterisk                      1.8.11-cert4
            Asterisk Digiumphones                 10.5.2-digiumphones

                                    Patches
                                 URL                                Revision
   http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff  Asterisk 10

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-19992

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2012-010.pdf and
    http://downloads.digium.com/pub/security/AST-2012-010.html

                                Revision History
          Date                  Editor                 Revisions Made
    06/27/2012         Terry Wilson              Initial Release

               Asterisk Project Security Advisory - AST-2012-010
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

TOP

Asterisk Project Security Advisory - AST-2012-011

         Product        Asterisk
         Summary        Remote crash vulnerability in voice mail application
    Nature of Advisory  Denial of Service
      Susceptibility    Remote authenticated sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      June 13, 2012
       Reported By      Nicolas Bouliane - Avencall Security Labs
        Posted On       June 27, 2012
     Last Updated On    July 5, 2012
     Advisory Contact   Kinsey Moore <kmoore@digium.com>
         CVE Name       CVE-2012-3812

    Description  If a single voicemail account is manipulated by two parties
                 simultaneously, a condition can occur where memory is freed
                 twice causing a crash.

    Resolution  Management of the memory in question has been reworked so
                that double frees and out of bounds array access do not
                occur. Upgrade to the latest release.

                               Affected Versions
              Product              Release Series
       Asterisk Open Source             1.8.x         1.8.11 and newer
       Asterisk Open Source             10.x          10.3 and newer
        Certified Asterisk          1.8.11-certx      All versions
       Asterisk Digiumphones     10.x.x-digiumphones  All versions

                                  Corrected In
                  Product                              Release
            Asterisk Open Source                   1.8.13.1, 10.5.2
             Certified Asterisk                      1.8.11-cert4
           Asterisk Digiumphones                 10.5.2-digiumphones

                                      Patches
                                 URL                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2012-011-1.8.diff Asterisk 1.8, Certified Asterisk
   http://downloads.asterisk.org/pub/security/AST-2012-011-10.diff  Asterisk 10, Asterisk Digiumphones

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20052

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2012-011.pdf and
    http://downloads.digium.com/pub/security/AST-2012-011.html

                                Revision History
          Date                  Editor                 Revisions Made
    06/27/2012         Kinsey Moore              Initial Release

               Asterisk Project Security Advisory - AST-2012-011
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

TOP

The Asterisk Development Team has announced the release of Asterisk 1.8.14.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.14.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- format_mp3: Fix a possible crash in mp3_read().
  (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)

* --- Fix local channel chains optimizing themselves out of a call.
  (Closes issue ASTERISK-16711. Reported by Alec Davis)

* --- Update a peer's LastMsgsSent when the peer is notified of
      waiting messages
  (Closes issue ASTERISK-17866. Reported by Steve Davies)

* --- Prevent sip_pvt refleak when an ast_channel outlasts its
      corresponding sip_pvt.
  (Closes issue ASTERISK-19425. Reported by David Cunningham)

* --- Send more accurate identification information in dialog-info SIP
      NOTIFYs.
  (Closes issue ASTERISK-16735. Reported by Maciej Krajewski)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.14.0

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced the release of Asterisk 10.6.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.6.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- format_mp3: Fix a possible crash in mp3_read().
  (Closes issue ASTERISK-19761. Reported by Chris Maciejewsk)

* --- Fix local channel chains optimizing themselves out of a call.
  (Closes issue ASTERISK-16711. Reported by Alec Davis)

* --- Re-add LastMsgsSent value for SIP peers
  (Closes issue ASTERISK-17866. Reported by Steve Davies)

* --- Prevent sip_pvt refleak when an ast_channel outlasts its
      corresponding sip_pvt.
  (Closes issue ASTERISK-19425. Reported by David Cunningham)

* --- Send more accurate identification information in dialog-info SIP
      NOTIFYs.
  (Closes issue ASTERISK-16735. Reported by Maciej Krajewski)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.6.0

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced the release of Asterisk 1.8.14.1.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.14.1 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

* --- Remove a superfluous and dangerous freeing of an SSL_CTX.
  (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.14.1

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced the release of Asterisk 10.6.1.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.6.1 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!

The following is the issue resolved in this release:

* --- Remove a superfluous and dangerous freeing of an SSL_CTX.
  (Closes issue ASTERISK-20074. Reported by Trevor Helmsley)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.6.1

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced the release of Asterisk 1.8.15.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.15.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Fix deadlock potential with ast_set_hangupsource() calls.
  (Closes issue ASTERISK-19801. Reported by Alec Davis)

* --- Fix request routing issue when outboundproxy is used.
  (Closes issue ASTERISK-20008. Reported by Marcus Hunger)

* --- Make the address family filter specific to the transport.
  (Closes issue ASTERISK-16618. Reported by Leif Madsen)

* --- Fix NULL pointer segfault in ast_sockaddr_parse()
  (Closes issue ASTERISK-20006. Reported by Michael L. Young)

* --- Do not perform install on existing directories
  (Closes issue ASTERISK-19492. Reported by Karl Fife)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.15.0

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced the release of Asterisk 10.7.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.7.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Fix deadlock potential with ast_set_hangupsource() calls.
  (Closes issue ASTERISK-19801. Reported by Alec Davis)

* --- Fix request routing issue when outboundproxy is used.
  (Closes issue ASTERISK-20008. Reported by Marcus Hunger)

* --- Set the Caller ID "tag" on peers even if remote party
      information is present.
  (Closes issue ASTERISK-19859. Reported by Thomas Arimont)

* --- Fix NULL pointer segfault in ast_sockaddr_parse()
  (Closes issue ASTERISK-20006. Reported by Michael L. Young)

* --- Do not perform install on existing directories
  (Closes issue ASTERISK-19492. Reported by Karl Fife)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.7.0

Thank you for your continued support of Asterisk!

TOP

Thanks, CK. I wonder: every time there is a new version, do you compile it and then install it on your system?

TOP

The Asterisk Development Team is pleased to announce the first beta release of
Asterisk 11.0.0.  This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

All interested users of Asterisk are encouraged to participate in the
Asterisk 11 testing process.  Please report any issues found to the issue
tracker, https://issues.asterisk.org/jira.  It is also very useful to see
successful test reports.  Please post those to the asterisk-dev mailing list.
All Asterisk users are invited to participate in the #asterisk-testing channel
on IRC to work together in testing the many parts of Asterisk.  

Asterisk 11 is the next major release series of Asterisk.  It will be a Long
Term Support (LTS) release, similar to Asterisk 1.8.  For more information about
support time lines for Asterisk releases, see the Asterisk versions page:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

For important information regarding upgrading to Asterisk 11, please see the
Asterisk wiki:

https://wiki.asterisk.org/wiki/d ... ding+to+Asterisk+11

A short list of new features includes:

* A new channel driver named chan_motif has been added which provides support
 for Google Talk and Jingle in a single channel driver.  This new channel
 driver includes support for both audio and video, RFC2833 DTMF, all codecs
 supported by Asterisk, hold, unhold, and ringing notification. It is also
 compliant with the current Jingle specification, current Google Jingle
 specification, and the original Google Talk protocol.

* Support for the WebSocket transport for chan_sip.

* SIP peers can now be configured to support negotiation of ICE candidates.

* The app_page application now no longer depends on DAHDI or app_meetme. It
 has been re-architected to use app_confbridge internally.

* Hangup handlers can be attached to channels using the CHANNEL() function.
 Hangup handlers will run when the channel is hung up similar to the h
 extension; however, unlike an h extension, a hangup handler is associated with
 the actual channel and will execute anytime that channel is hung up,
 regardless of where it is in the dialplan.

* Added pre-dial handlers for the Dial and Follow-Me applications.  Pre-dial
 allows you to execute a dialplan subroutine on a channel before a call is
 placed but after the application performing a dial action is invoked. This
 means that the handlers are executed after the creation of the caller/callee
 channels, but before any actions have been taken to actually dial the callee
 channels.

* Log messages can now be easily associated with a certain call by looking at
 a new unique identifier, "Call Id".  Call ids are attached to log messages for
 just about any case where it can be determined that the message is related
 to a particular call.

* Introduced Named ACLs as a new way to define Access Control Lists (ACLs) in
 Asterisk. Unlike traditional ACLs defined in specific module configuration
 files, Named ACLs can be shared across multiple modules.

* The Hangup Cause family of functions and dialplan applications allow for
 inspection of the hangup cause codes for each channel involved in a call.
 This allows a dialplan writer to determine, for each channel, who hung up and
 for what reason(s).

* Two new functions have been added: FEATURE() and FEATUREMAP(). FEATURE()
 lets you set some of the configuration options from the general section
 of features.conf on a per-channel basis. FEATUREMAP() lets you customize
 the key sequence used to activate built-in features, such as blindxfer,
 and automon.

* Support for named pickupgroups/callgroups, allowing any number of pickupgroups
 and callgroups to be defined for several channel drivers.

* IPv6 Support for AMI, AGI, ExternalIVR, and the SIP Security Event Framework.

More information about the new features can be found on the Asterisk wiki:

https://wiki.asterisk.org/wiki/d ... sk+11+Documentation

A full list of all new features can also be found in the CHANGES file.

http://svnview.digium.com/svn/asterisk/branches/11/CHANGES

For a full list of changes in the current release, please see the ChangeLog.

http://downloads.asterisk.org/pu ... ngeLog-11.0.0-beta1

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.11-cert7, 1.8.15.1, 10.7.1, and 10.7.1-digiumphones
resolves the following two issues:

* A permission escalation vulnerability in Asterisk Manager Interface.  This
  would potentially allow remote authenticated users the ability to execute
  commands on the system shell with the privileges of the user running the
  Asterisk application.  Please note that the README-SERIOUSLY.bestpractices.txt
  file delivered with Asterisk has been updated due to this and other related
  vulnerabilities fixed in previous versions of Asterisk.

* When an IAX2 call is made using the credentials of a peer defined in a
  dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that
  peer are not applied to the call attempt. This allows for a remote attacker
  who is aware of a peer's credentials to bypass the ACL rules set for that
  peer.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2012-012 and AST-2012-013, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pu ... ngeLog-1.8.11-cert7
http://downloads.asterisk.org/pu ... /ChangeLog-1.8.15.1
http://downloads.asterisk.org/pu ... es/ChangeLog-10.7.1
http://downloads.asterisk.org/pu ... 10.7.1-digiumphones

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2012-012.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-013.pdf

Thank you for your continued support of Asterisk!

TOP

Asterisk Project Security Advisory - AST-2012-012

          Product         Asterisk
          Summary         Asterisk Manager User Unauthorized Shell Access
     Nature of Advisory   Permission Escalation
       Susceptibility     Remote Authenticated Sessions
          Severity        Minor
       Exploits Known     No
        Reported On       July 13, 2012
        Reported By       Zubair Ashraf of IBM X-Force Research
         Posted On        August 30, 2012
      Last Updated On     August 30, 2012
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >
          CVE Name        CVE-2012-2186

    Description  The AMI Originate action can allow a remote user to specify
                 information that can be used to execute shell commands on
                 the system hosting Asterisk. This can result in an unwanted
                 escalation of permissions, as the Originate action, which
                 requires the "originate" class authorization, can be used
                 to perform actions that would typically require the
                 "system" class authorization. Previous attempts to prevent
                 this permission escalation (AST-2011-006, AST-2012-004)
                 have sought to do so by inspecting the names of
                 applications and functions passed in with the Originate
                 action and, if those applications/functions matched a
                 predefined set of values, rejecting the command if the user
                 lacked the "system" class authorization. As reported by IBM
                 X-Force Research, the "ExternalIVR" application is not
                 listed in the predefined set of values. The solution for
                 this particular vulnerability is to include the
                 "ExternalIVR" application in the set of defined
                 applications/functions that require "system" class
                 authorization.

                 Unfortunately, the approach of inspecting fields in the
                 Originate action against known applications/functions has a
                 significant flaw. The predefined set of values can be
                 bypassed by creative use of the Originate action or by
                 certain dialplan configurations, which is beyond the
                 ability of Asterisk to analyze at run-time. Attempting to
                 work around these scenarios would result in severely
                 restricting the applications or functions and prevent their
                 usage for legitimate means. As such, any additional
                 security vulnerabilities, where an application/function
                 that would normally require the "system" class
                 authorization can be executed by users with the "originate"
                 class authorization, will not be addressed. Instead, the
                 README-SERIOUSLY.bestpractices.txt file has been updated to
                 reflect that the AMI Originate action can result in
                 commands requiring the "system" class authorization to be
                 executed. Proper system configuration can limit the impact
                 of such scenarios.

                 The next release of each version of Asterisk will contain,
                 in addition to the fix for the "ExternalIVR" application,
                 an updated README-SERIOUSLY.bestpractices.txt file.

    Resolution  Asterisk now checks for the "ExternalIVR" application when
                processing the Originate action.

                Additionally, the README-SERIOUSLY.bestpractices.txt file
                has been updated. It is highly recommended that, if AMI is
                utilized with accounts that have the "originate" class
                authorization, Asterisk is run under a defined user that
                does not have root permissions. Accounts with the
                "originate" class authorization should be treated in a
                similar manner to those with the "system" class
                authorization.

                               Affected Versions
               Product                 Release Series
        Asterisk Open Source                1.8.x           All versions
        Asterisk Open Source                10.x            All versions
         Certified Asterisk                1.8.11           All versions
        Asterisk Digiumphones        10.x.x-digiumphones    All versions
      Asterisk Business Edition             C.3.x           All versions

                                  Corrected In
                   Product                              Release
             Asterisk Open Source                   1.8.15.1, 10.7.1
              Certified Asterisk                      1.8.11-cert6
            Asterisk Digiumphones                 10.7.1-digiumphones
          Asterisk Business Edition                     C.3.7.6

                                    Patches
                               SVN URL                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-012-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-012-10.diff  Asterisk 10

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20132

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2012-012.pdf and
    http://downloads.digium.com/pub/security/AST-2012-012.html

                                Revision History
          Date                  Editor                 Revisions Made
    08/27/2012         Matt Jordan               Initial version

               Asterisk Project Security Advisory - AST-2012-012
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

TOP
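
An added example, not part of the advisory or of Asterisk: a small auditor that applies the AST-2012-012 resolution guidance (treat "originate" accounts like "system" accounts, and do not run Asterisk as root) to manager.conf and asterisk.conf text. The sample configurations, finding labels and function names are constructed for illustration; templates, #include files and the -U startup option are not evaluated.

```python
import re

# Constructed sample configurations, not taken from any real system.
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 0.0.0.0

[monitor]            ; read-only dashboard
secret = example-1
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call,reporting
write =

[dialer]             ; click-to-call service
secret = example-2
read = call
write = call,originate

[admin]
secret = example-3
deny = 0.0.0.0/0.0.0.0
permit = 10.0.0.5/255.255.255.255
write = all
"""

SAMPLE_ASTERISK_CONF = """\
[options]
verbose = 3
;runuser = asterisk
"""

SECTION = re.compile(r"^\[([^\]]+)\]")


def parse_sections(text):
    """Return {section: [(key, value), ...]} for Asterisk-style config text.

    Handles ';' comments and both '=' and '=>' assignments. Section
    templates and #include are not resolved in this example.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        match = SECTION.match(line)
        if match:
            current = sections.setdefault(match.group(1).strip(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def classes(entries, key):
    """Collect the comma-separated authorization classes given for `key`."""
    found = set()
    for k, v in entries:
        if k == key:
            found.update(c.strip().lower() for c in v.split(",") if c.strip())
    return found


def audit_manager(text):
    """Flag AMI accounts that can reach the shell per AST-2012-012."""
    findings = []
    for name, entries in parse_sections(text).items():
        if name.lower() == "general":
            continue
        write = classes(entries, "write")
        if not write & {"originate", "system", "all"}:
            continue
        # "originate" alone must be treated like "system" (advisory text).
        if "originate" in write and "system" not in write:
            findings.append((name, "originate-without-system"))
        # A shell-capable account with no permit line accepts any source.
        if not any(k == "permit" for k, _ in entries):
            findings.append((name, "no-permit-acl"))
    return findings


def audit_runuser(text):
    """Check the runuser option in the [options] section of asterisk.conf."""
    options = dict(parse_sections(text).get("options", []))
    user = options.get("runuser")
    if user is None:
        return "runuser-not-set"
    if user == "root":
        return "runuser-is-root"
    return None


if __name__ == "__main__":
    for account, finding in audit_manager(SAMPLE_MANAGER_CONF):
        print(f"manager.conf [{account}]: {finding}")
    print("asterisk.conf:", audit_runuser(SAMPLE_ASTERISK_CONF) or "ok")
```

A "runuser-not-set" result means only that asterisk.conf does not drop privileges; the service may still be started under another account by its init script.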

Asterisk Project Security Advisory - AST-2012-013

         Product        Asterisk
         Summary        ACL rules ignored when placing outbound calls by
                        certain IAX2 users
    Nature of Advisory  Unauthorized use of system
      Susceptibility    Remote Authenticated Sessions
         Severity       Moderate
      Exploits Known    None
       Reported On      07/27/2012
       Reported By      Alan Frisch
        Posted On       08/30/2012
     Last Updated On    August 30, 2012
     Advisory Contact   Matt Jordan < mjordan AT digium DOT com >
         CVE Name       CVE-2012-4737

    Description  When an IAX2 call is made using the credentials of a peer
                 defined in a dynamic Asterisk Realtime Architecture (ARA)
                 backend, the ACL rules for that peer are not applied to the
                 call attempt. This allows for a remote attacker who is
                 aware of a peer's credentials to bypass the ACL rules set
                 for that peer.

    Resolution  The ACL rules for peers defined in an ARA backend are now
                honored. Users of chan_iax2 should upgrade to the corrected
                versions; apply a provided patch; or define their IAX2 peers
                outside of an ARA backend in a static configuration file.

                               Affected Versions
                Product                Release Series
         Asterisk Open Source               1.8.x         All versions
         Asterisk Open Source               10.x          All versions
          Certified Asterisk               1.8.11         All versions
         Asterisk Digiumphones       10.x.x-digiumphones  All versions
       Asterisk Business Edition            C.3.x         All versions

                                  Corrected In
                   Product                              Release
             Asterisk Open Source                   1.8.15.1, 10.7.1
              Certified Asterisk                      1.8.11-cert7
            Asterisk Digiumphones                 10.7.1-digiumphones
          Asterisk Business Edition                     C.3.7.6

                                    Patches
                               SVN URL                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff  Asterisk 10

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20186

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2012-013.pdf and
    http://downloads.digium.com/pub/security/AST-2012-013.html

                                Revision History
          Date                 Editor                  Revisions Made
    08/27/2012         Matt Jordan              Initial Revision

               Asterisk Project Security Advisory - AST-2012-013
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

TOP

The Asterisk Development Team has announced the release of Asterisk 1.8.16.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.16.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
      ExternalIVR
  (Closes issue ASTERISK-20132. Reported by Zubair Ashraf of IBM X-Force Research)

* --- AST-2012-013: Resolve ACL rules being ignored during calls by
      some IAX2 peers
  (Closes issue ASTERISK-20186. Reported by Alan Frisch)

* --- Handle extremely out of order RFC 2833 DTMF
  (Closes issue ASTERISK-18404. Reported by Stephane Chazelas)

* --- Resolve severe memory leak in CEL logging modules.
  (Closes issue AST-916. Reported by Thomas Arimont)

* --- Only re-create an SRTP session when needed; respond with correct
      crypto policy
  (Issue ASTERISK-20194. Reported by Nicolo Mazzon)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.16.0

Thank you for your continued support of Asterisk!

TOP

The Asterisk Development Team has announced the release of Asterisk 10.8.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.8.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- AST-2012-012: Resolve AMI User Unauthorized Shell Access through
      ExternalIVR
  (Closes issue ASTERISK-20132. Reported by Zubair Ashraf of IBM X-Force Research)

* --- AST-2012-013: Resolve ACL rules being ignored during calls by
      some IAX2 peers
  (Closes issue ASTERISK-20186. Reported by Alan Frisch)

* --- Handle extremely out of order RFC 2833 DTMF
  (Closes issue ASTERISK-18404. Reported by Stephane Chazelas)

* --- Resolve severe memory leak in CEL logging modules.
  (Closes issue AST-916. Reported by Thomas Arimont)

* --- Only re-create an SRTP session when needed
  (Issue ASTERISK-20194. Reported by Nicolo Mazzon)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.8.0

Thank you for your continued support of Asterisk!

TOP
