CVS commit: pkgsrc/comms/asterisk

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/comms/asterisk
From: John Nemeth <jnemeth%netbsd.org@localhost>
Date: Fri, 18 Dec 2009 14:39:26 +0000

Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Fri Dec 18 14:39:26 UTC 2009

Modified Files:
        pkgsrc/comms/asterisk: Makefile distinfo

Log Message:
     Update to 1.2.37.  This update is to fix two security issues.
1.2.36 fixed AST-2009-008, and 1.2.37 fixed AST-2009-010.  The
problem in AST-2009-008 is:

-----

It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of "403 Authentication user name does not
match account name". If the peer does not exist the response will
be "404 Not Found" if alwaysauthreject is disabled and "401
Unauthorized" if alwaysauthreject is enabled.

-----

And, the problem in AST-2009-010 is:

-----

An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.

-----


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 pkgsrc/comms/asterisk/Makefile
cvs rdiff -u -r1.44 -r1.45 pkgsrc/comms/asterisk/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/lang/intercal
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/lang/intercal
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index