TUTORIAL Original Asterisk Upgrade Script

[atsak]

wardmundy - any chance of an 11.13.0 at some point?

 

[wardmundy]

wardmundy - any chance of an 11.13.0 at some point?

Here's a new all-purpose Asterisk 11 (only!) upgrade script that should work with every new Asterisk 11 release for a good long while...

cd /root
wget http://pbxinaflash.com/upgrade-asterisk11-piaf.tar.gz
tar zxvf upgrade-asterisk11-piaf.tar.gz
rm upgrade-asterisk11-piaf.tar.gz
./upgrade-asterisk-piaf

 

[womble1]

what are the advantages to this update ?

 

[atsak]

what are the advantages to this update ?

Fixes security holes, and may fix bugs (check the changelog to see if you were affected).

 

[lrosenman]

Also note, Ward's script needs expect(1) installed. On my RPI B+ (incrediblepbx distro) it was not installed by default.

apt-get install expect (RPI)
yum install expect (CentOS/SL)

will install it.

 

[Mitchell]

Any chance of an upgrade to Asterisk 12 w/PIAF coming soon?

 

[Stan-O]

Any chance of an upgrade to Asterisk 12 w/PIAF coming soon?

Or the just-released Asterisk 13 for that matter?

BTW, kudos on the script, just upgraded from 11.6 to 11.13.1 without any issues!

 

[wardmundy]

Stan-O: Probably not going to happen. Just too many differences to make it feasible. But... Incredible PBX 12 will be available for pioneers perhaps as early as this weekend featuring Asterisk 12 and FreePBX 12.

 

[Stan-O]

wardmundy -- thanks for your prompt reply. Will there be a way to upgrade asterisk 11 to asterisk 12 in my current installation?

 

[wardmundy]

Upgrading from Asterisk 11 to Asterisk 12 would be akin to translating the Bible from English to Chinese. Sure, there's a way to do it. But probably not in our lifetime. Best Advice: brush up on your cut-and-paste skills and take Incredible PBX 12 for a spin.

 

[wardmundy]

 

[lrosenman]

Asterisk 11.14.1 out -- security --


This release has been made to address one or more security vulnerabilities
that have been identified. A security advisory document has been published
for each vulnerability that includes additional information. Users of
versions of Asterisk that are affected are strongly encouraged to review
the advisories and determine what action they should take to protect their
systems from these issues.

Security Advisories: AST-2014-012, AST-2014-014, AST-2014-017,
AST-2014-018

The data in this summary reflects changes that have been made since the
previous release, asterisk-11.14.0.

 

[lrosenman]

Note: there are new releases in all the trains for those and other security issues (some specific to 12 & 13).

 

[howardsl2]

A couple of suggestions for improving the "upgrade-asterisk-piaf " script by wardmundy:

1. Line 20, " rm -r asterisk* ", I suggest that it be changed to " rm -r asterisk asterisk-11* ".
Line 24, " cd /usr/src/asterisk* ", change to " cd /usr/src/asterisk-11* ".

Reason: In a fresh PIAF-Green install, The following folders are present under "/usr/src". The original command will remove them all including the asterisk-flite folder, which should be kept:

drwxr-xr-x 29 root root  4096 Dec  4 18:52 asterisk
drwxr-xr-x  2 1000  1000 4096 Dec  4 18:59 asterisk-flite
drwxr-xr-x  6 1000  1000 4096 Dec  4 18:59 asterisk-perl-0.10
... ...

2. Line 22, " tar zxvf asterisk* ", change to " tar zxvf asterisk-11-current.tar.gz ".

Reason: The original command will cause the errors below and fail to decompress the archive, due to those folders present as shown above.

tar (child): asterisk: Cannot read: Is a directory
tar (child): At beginning of tape, quitting now
tar (child): Error is not recoverable: exiting now
 
gzip: stdin: unexpected end of file
tar: Child returned status 2
tar: Error is not recoverable: exiting now

3. Line 37, " cd Asterisk-Flite* ", this command does not work when the folder is in lower case, as can be seen from (1) above. Can we first check which folder is present (Asterisk-Flite* or asterisk-flite*) before changing directory?

 

[wardmundy]

hwdsl2: Good suggestions. All updated except item #3. I'll work on that soon. Should work fine as is except on some of the tiny hardware platforms.

 

[hecatae]

looks like 11.15 is out, hecatae goes and fires up a server

script hangs if you choose n to menuselect option, you have to ctrl+c out of it, script completes if you y to menuselect and tab to save & exit

 

[wardmundy]

hecatae: Forced it to menuselect until we can sort it out. Thanks.

 

[lrosenman]

11.16.0 is out from the Asterisk folks.

 

[hecatae]

11.16.0 is out from the Asterisk folks.

do you know what improvements there are since 11.15.1?

security advisories still states 11.15.1 is current for asterisk 11 > http://www.asterisk.org/downloads/security-advisories

ok, interesting stuff in the changelog:

2015-02-06  Asterisk Development Team <[email protected]>
 
    * Asterisk 11.16.0 Released.
 
2015-01-30  Asterisk Development Team <[email protected]>
 
    * Asterisk 11.16.0-rc1 Released.
 
2015-01-30 16:55 +0000 [r431423-431472]  Mark Michelson
 
    * main/pbx.c: Backport memory leak fix in pbx.c from branch 13
      revision 431468
 
    * channels/chan_sip.c: Use SIPS URIs in Contact headers when
      appropriate. RFC 3261 sections 8.1.1.8 and 12.1.1 dictate
      specific scenarios when we are required to use SIPS URIs in
      Contact headers. Asterisk's non-compliance with this could
      actually cause calls to get dropped when communicating with
      clients that are strict about checking the Contact header. Both
      of the SIP stacks in Asterisk suffered from this issue. This
      changeset corrects the behavior in chan_sip. ASTERISK-24646
      #close Reported by Stephan Eisvogel Review:
      https://reviewboard.asterisk.org/r/4346
 
2015-01-29 12:08 +0000 [r431384]  Joshua Colp
 
    * res/res_rtp_asterisk.c: res_rtp_asterisk: Fix DTLS when used with
      OpenSSL 1.0.1k A recent security fix for OpenSSL broke DTLS
      negotiation for many applications. This was caused by read ahead
      not being enabled when it should be. While a commit has gone into
      OpenSSL to force read ahead on for DTLS it may take some time for
      a release to be made and the change to be present in
      distributions (if at all). As enabling read ahead is a simple one
      line change this commit does that and fixes the issue.
      ASTERISK-24711 #close Reported by: Jared Biel

/me reads about memory leak

 

[hecatae]

11.17.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1

2015-04-08 Asterisk Development Team <[email protected]>

* Asterisk 11.17.1 Released.

* Mitigate MitM attack potential from certificate with NULL byte in CN.

When registering to a SIP server with TLS, Asterisk will accept CA
signed certificates with a common name that was signed for a domain
otherthan the one requested if it contains a null character in the
common name portion of the cert. This patch fixes that by checking
that the common name length matches the the length of the content we
actually read from the commonname segment. Some certificate
authorities automatically sign CA requests when the requesting CN
isn't already taken, so an attacker could potentially register a CN
with something like www.google.com\x00www.secretlyevil.net and have
their certificate signed and Asterisk would accept that certificate
as though it had been for www.google.com.

ASTERISK-24847 #close
Reported by: Maciej Szmigiero
patches:
asterisk-null-in-cn.patch uploaded by mhej (license 6085)

AST-2015-003

2015-04-01 Asterisk Development Team <[email protected]>