If your PBX is Asterisk-based, you need to subscribe to the asterisk-announce mailing list. This is where Asterisk developers post information about new releases and security updates for all versions of Asterisk. If you were on this mailing list, you would know that two recent security alerts (see below) forced the Asterisk developers to issue new minor releases for all major Asterisk branches. Not only would you be aware of the alerts, you would also understand why the version numbering has changed slightly to accommodate these releases.
For those who aren't subscribed, be aware of the following two security vulnerabilities:
- AST-2009-008: SIP responses expose valid usernames
- AST-2009-009: Cross-site AJAX request vulnerability
The second vulnerability is really only a problem if you are running the demo manager interface,