pkgsrc-Changes archive


CVS commit: pkgsrc/comms/asterisk16



Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Fri Nov 20 04:30:08 UTC 2009

Modified Files:
        pkgsrc/comms/asterisk16: Makefile PLIST distinfo

Log Message:
Fix three security advisories by updating to Asterisk 1.6.1.9
and update PLIST for new Music On Hold files.

1.6.1.8 fixes AST-2009-007.

-----

A missing ACL check for handling SIP INVITEs allows a device to
make calls on networks intended to be prohibited as defined by the
"deny" and "permit" lines in sip.conf. The ACL check for handling
SIP registrations was not affected.

-----

1.6.1.9 fixes AST-2009-008 and AST-2009-009.

-----

It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of 403 Authentication user name does not
match account name. If the peer does not exist the response will
be 404 Not Found if alwaysauthreject is disabled and 401 Unauthorized
if alwaysauthreject is enabled.

-----

Asterisk includes a demonstration AJAX based manager interface,
ajamdemo.html which uses the prototype.js framework. An issue was
uncovered in this framework which could allow someone to execute
a cross-site AJAX request exploit.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/comms/asterisk16/Makefile \
    pkgsrc/comms/asterisk16/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/comms/asterisk16/PLIST

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
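The sip.conf settings the log message refers to, shown as an added illustration that is not part of this commit or of the Asterisk distribution: the weak value sits beside the hardened one for each option. The peer name, secret and network ranges are made-up placeholders; `alwaysauthreject`, `deny` and `permit` are the real option names named in the advisories above.

```ini
; sip.conf excerpt (constructed example, not taken from the commit or from Asterisk)

[general]
; Weak: with alwaysauthreject disabled, a REGISTER for an unknown peer is
; answered 404 while a known peer gets 401/403, so peer names can be tested.
;alwaysauthreject=no
; Hardened: answer REGISTER the same way whether or not the peer exists.
; Before the 1.6.1.9 fix for AST-2009-008 the 401-vs-403 difference still
; revealed existence, so this setting complements the update rather than
; replacing it.
alwaysauthreject=yes

[lab-phone-1]                     ; placeholder peer name
type=friend
secret=CHANGE_ME                  ; placeholder secret
; Weak: no ACL at all, so any source address may send INVITE or REGISTER
; as this peer.
; Hardened: default-deny, then permit only the expected subnet (placeholder
; range from the documentation block 192.0.2.0/24).
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
; Before the 1.6.1.8 fix for AST-2009-007 these lines were enforced for
; REGISTER but not for INVITE, so the update is what makes the ACL apply
; to call setup as well.
```

When checking a deployment, confirm both the package version (1.6.1.9 or later, per this commit) and these two settings; either one alone leaves one of the three advisories open.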


