=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN144
_____________________________________________________________________

DATE                      : 22/03/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Asterisk.

======================================================================
http://www.asterisk.org/node/48339
http://www.asterisk.org/node/48338
______________________________________________________________________

Asterisk 1.2.17 released
Submitted by asteriskteam on 21 March 2007 - 6:33pm.

The Asterisk and Zaptel development teams have released Asterisk version 1.2.17.

Along with minor bug fixes, this release incorporates a fix for the SIP DoS 
vulnerability recently discovered by INRIA Lorraine 
(http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html).

All users of Asterisk 1.2 with the SIP channel driver loaded and connected to an 
untrusted network are urged to update to this release to avoid the possibility 
of experiencing this problem.

Thanks for your support of Asterisk and Zaptel!

----------------------------------------------------------------------

Asterisk 1.4.2 released
Submitted by asteriskteam on 21 March 2007 - 6:32pm.

The Asterisk and Zaptel development teams have released Asterisk 1.4.2.

In addition to minor bug fixes, this release includes:

- improved SLA support, sample configurations and documentation

- fixes for incoming DTMF handling in the IAX2 channel driver

There are also two security-related changes in this version:

- a fix for a SIP channel driver remote DoS vulnerability 
(http://bugs.digium.com/view.php?id=9313)

- a fix for a SIP channel driver remote DoS vulnerability discovered by INRIA 
Lorraine
(http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html)

All users of Asterisk 1.4 with the SIP channel driver loaded and connected to an 
untrusted network are urged to update to this release to avoid the possibility 
of experiencing these problems.

Thanks for your support of Asterisk and Zaptel!



======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================






