Fedora 22: asterisk Security Update 2015-5948
Summary
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
Update Information:
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases/
The release of these versions resolves the following security vulnerability:
* AST-2015-003: TLS Certificate Common name NULL byte exploit
When Asterisk registers to a SIP TLS device and verifies the server's certificate,
Asterisk will accept a signed certificate whose common name differs from the one
Asterisk expects, provided the common name contains a NULL byte immediately after
the portion Asterisk expects (for example, a common name of
"sip.example.com\0.attacker.example" is accepted as "sip.example.com"). The
comparison stops at the NULL byte, so a certificate issued for a name the attacker
controls can pass verification for a name they do not. This potentially allows a
man-in-the-middle attack against the TLS connection.
For more information about the details of this vulnerability, please read
security advisory AST-2015-003, which was released at the same time as this
announcement.
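The following is an added illustration of the class of bug described above, not
Asterisk's own code. It contrasts a common-name check that treats the ASN.1
string as a NUL-terminated C string (so the comparison stops at the embedded
0x00) with a length-aware check that rejects embedded NULs. The struct, function
names and sample common names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A Common Name as it arrives from an X.509 certificate: an ASN.1 string with
 * an explicit length, so it may legitimately carry a 0x00 byte in the middle.
 * (Hypothetical struct for this example; OpenSSL's ASN1_STRING is similar.) */
struct asn1_cn {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: treats the CN as a C string. strcmp() stops at the first NUL,
 * so "sip.example.com\0.attacker.example" compares equal to "sip.example.com". */
int cn_matches_vulnerable(const struct asn1_cn *cn, const char *expected)
{
    return strcmp((const char *)cn->data, expected) == 0;
}

/* Hardened check: use the ASN.1 length, reject any embedded NUL outright, and
 * only then compare the full byte sequence. Trailing bytes after a NUL can
 * never be hidden from this comparison. */
int cn_matches_fixed(const struct asn1_cn *cn, const char *expected)
{
    size_t expected_len = strlen(expected);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;               /* embedded NUL: malformed or hostile CN */
    if (cn->len != expected_len)
        return 0;               /* length mismatch: cannot be the same name */
    return memcmp(cn->data, expected, cn->len) == 0;
}

/* Constructed sample CNs (not taken from any real certificate). The string
 * literal's implicit trailing NUL is excluded from the ASN.1 length. */
static const unsigned char HONEST_CN[] = "sip.example.com";
static const unsigned char EVIL_CN[]   = "sip.example.com\0.attacker.example";

struct asn1_cn honest_cn(void)
{
    struct asn1_cn cn = { HONEST_CN, sizeof(HONEST_CN) - 1 };
    return cn;
}

struct asn1_cn evil_cn(void)
{
    struct asn1_cn cn = { EVIL_CN, sizeof(EVIL_CN) - 1 };   /* len == 33 */
    return cn;
}

int main(void)
{
    struct asn1_cn h = honest_cn();
    struct asn1_cn e = evil_cn();
    const char *expected = "sip.example.com";

    printf("honest CN, vulnerable check: %d\n", cn_matches_vulnerable(&h, expected));
    printf("evil CN,   vulnerable check: %d\n", cn_matches_vulnerable(&e, expected));
    printf("honest CN, fixed check:      %d\n", cn_matches_fixed(&h, expected));
    printf("evil CN,   fixed check:      %d\n", cn_matches_fixed(&e, expected));
    return 0;
}
```

The practical takeaway when reviewing TLS client code: never hand an ASN.1
string to a C-string function; take the length from the ASN.1 structure, refuse
names containing NUL, and prefer a library hostname-verification routine over a
hand-rolled comparison.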
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases//ChangeLog-1.8.32.3
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
http://downloads.asterisk.org/pub/telephony/asterisk/releases//ChangeLog-11.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases//ChangeLog-12.8.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases//ChangeLog-13.3.2
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
Change Log
* Thu Apr 9 2015 Jeffrey C. Ollie
References
[ 1 ] Bug #1210225 - CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit https://bugzilla.redhat.com/show_bug.cgi?id=1210225
Update Instructions
This update can be installed with the "yum" update program. Use su -c 'yum update asterisk' at the command line. For more information, refer to "Managing Software with yum".