June 16, 2014: FreePBX has released updates that fix several vulnerabilities in Asterisk®. Users of the FreePBX Distro can use the provided update scripts or the SysAdmin Pro module to update their existing systems.
The updates released today are for the latest supported versions of Asterisk found in the following FreePBX Distro tracks: 5.211.65 (STABLE) and 6.12.65 (ALPHA). You should update to at least version 5.211.65-14 or 6.12.65-12 in your respective Distro version.
Users can follow the instructions found on our wiki to keep their systems up to date. Updates can be run via the CLI, or directly from the PBX Administration GUI for users of our SysAdmin Pro Commercial Module.
DIGIUM® today has announced a security release of ASTERISK® 1.8.x, 11.x, and 12.x.
The security advisories are available at:
- FIXES CVE-2014-4045 Remote Crash in PJSIP Channel Driver Publish/Subscribe Framework (Affected version Asterisk 12.x)
  http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
- FIXES CVE-2014-4046 Asterisk Manager User Unauthorized Shell Access (Affected version Asterisk 11.x, 12.x)
  http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
- FIXES CVE-2014-4047 Exhaustion of Allowed Concurrent HTTP Connections (Affected version Asterisk 1.8.x, 11.x, 12.x)
  http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
ASTERISK® and DIGIUM® are registered trademarks of Digium, Inc.
FreePBX® is a registered trademark of Schmooze Com Inc.