pkgsrc-Changes archive


CVS commit: pkgsrc/comms/asterisk18



Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Wed Jul  2 03:20:43 UTC 2014

Modified Files:
        pkgsrc/comms/asterisk18: Makefile PLIST distinfo
        pkgsrc/comms/asterisk18/patches: patch-ak

Log Message:
Update to Asterisk 1.8.28.2: this fixes multiple vulnerabilities and
numerous general bugs.  The vulnerabilities fixed are:  AST-2014-001,
AST-2014-002, and AST-2014-007.

-----

The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
available security releases are released as versions 1.8.15-cert7,
11.6-cert4, 1.8.28.2, 11.10.2, and 12.3.2.

These releases resolve security vulnerabilities that were previously
fixed in 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.
Unfortunately, the fix for AST-2014-007 inadvertently introduced
a regression in Asterisk's TCP and TLS handling that prevented
Asterisk from sending data over these transports. This regression
and the security vulnerabilities have been fixed in the versions
specified in this release announcement.

The security patches for AST-2014-007 have been updated with the
fix for the regression, and are available at
http://downloads.asterisk.org/pub/security

Please note that the release of these versions resolves the following security
vulnerabilities:

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
                Connections

For more information about the details of these vulnerabilities,
please read security advisories AST-2014-005, AST-2014-006,
AST-2014-007, and AST-2014-008, which were released with the previous
versions that addressed these vulnerabilities.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-007.pdf

Thank you for your continued support of Asterisk!

-----

The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
available security releases are released as versions 1.8.15-cert6,
11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issue:

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP
                Connections

  Establishing a TCP or TLS connection to the configured HTTP or
  HTTPS port respectively in http.conf and then not sending or
  completing a HTTP request will tie up a HTTP session. By doing
  this repeatedly until the maximum number of open HTTP sessions
  is reached, legitimate requests are blocked.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities,
please read security advisories AST-2014-005, AST-2014-006,
AST-2014-007, and AST-2014-008, which were released at the same
time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-007.pdf

Thank you for your continued support of Asterisk!

-----

The Asterisk Development Team has announced the release of Asterisk 1.8.28.0.

The release of Asterisk 1.8.28.0 resolves several issues reported
by the community and would not have been possible without your
participation.  Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-23547 - [patch] app_queue removing callers from queue
      when reloading (Reported by Italo Rossi)
 * ASTERISK-22846 - testsuite: masquerade super test fails on all
      branches (still) (Reported by Matt Jordan)
 * ASTERISK-23546 - CB_ADD_LEN does not do what you'd think
      (Reported by Walter Doekes)
 * ASTERISK-23620 - Code path in app_stack fails to unlock list
      (Reported by Bradley Watkins)
 * ASTERISK-18331 - app_sms failure (Reported by David Woodhouse)
 * ASTERISK-19465 - P-Asserted-Identity Privacy (Reported by
      Krzysztof Chmielewski)
 * ASTERISK-23707 - Realtime Contacts: Apparent mismatch between
      PGSQL database state and Asterisk state (Reported by Mark
      Michelson)
 * ASTERISK-23665 - Wrong mime type for codec H263-1998 (h263+)
      (Reported by Guillaume Maudoux)
 * ASTERISK-22977 - chan_sip+CEL: missing ANSWER and PICKUP event
      for INVITE/w/replaces pickup (Reported by Walter Doekes)
 * ASTERISK-23709 - Regression in Dahdi/Analog/waitfordialtone
      (Reported by Steve Davies)
 * ASTERISK-23650 - Intermittent segfault in string functions
      (Reported by Roel van Meer)

Improvements made in this release:
-----------------------------------
 * ASTERISK-23754 - [patch] Use var/lib directory for log file
      configured in asterisk.conf (Reported by Igor Goncharovsky)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.28.0

Thank you for your continued support of Asterisk!

-----

The Asterisk Development Team has announced the release of Asterisk 1.8.27.0.

The release of Asterisk 1.8.27.0 resolves several issues reported
by the community and would not have been possible without your
participation.  Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-22790 - check_modem_rate() may return incorrect rate
      for V.27 (Reported by Paolo Compagnini)
 * ASTERISK-23061 - [Patch] 'textsupport' setting not mentioned in
      sip.conf.sample (Reported by Eugene)
 * ASTERISK-23028 - [patch] Asterisk man pages contains unquoted
      minus signs (Reported by Jeremy Lainé)
 * ASTERISK-23046 - Custom CDR fields set during a GoSUB called
      from app_queue are not inserted (Reported by Denis Pantsyrev)
 * ASTERISK-23027 - [patch] Spelling typo "transfered" instead of
      "transferred" (Reported by Jeremy Lainé)
 * ASTERISK-23008 - Local channels loose CALLERID name when DAHDI
      channel connects (Reported by Michael Cargile)
 * ASTERISK-23100 - [patch] In chan_mgcp the ident in transmitted
      request and request queue may differ - fix for locking (Reported
      by adomjan)
 * ASTERISK-22988 - [patch]T38 , SIP 488 after Rejecting image
      media offer due to invalid or unsupported syntax (Reported by
      adomjan)
 * ASTERISK-22861 - [patch]Specifying a null time as parameter to
      GotoIfTime or ExecIfTime causes segmentation fault (Reported by
      Sebastian Murray-Roberts)
 * ASTERISK-17837 - extconfig.conf - Maximum Include level (1)
      exceeded (Reported by pz)
 * ASTERISK-22662 - Documentation fix? - queues.conf says
      persistentmembers defaults to yes, it appears to lie (Reported
      by Rusty Newton)
 * ASTERISK-23134 - [patch] res_rtp_asterisk port selection cannot
      handle selinux port restrictions (Reported by Corey Farrell)
 * ASTERISK-23220 - STACK_PEEK function with no arguments causes
      crash/core dump (Reported by James Sharp)
 * ASTERISK-19773 - Asterisk crash on issuing Asterisk-CLI 'reload'
      command multiple times on cli_aliases (Reported by Joel Vandal)
 * ASTERISK-22757 - segfault in res_clialiases.so on reload when
      mapping "module reload" command (Reported by Gareth Blades)
 * ASTERISK-17727 - [patch] TLS doesn't get all certificate chain
      (Reported by LN)
 * ASTERISK-23178 - devicestate.h: device state setting functions
      are documented with the wrong return values (Reported by
      Jonathan Rose)
 * ASTERISK-23297 - Asterisk 12, pbx_config.so segfaults if
      res_parking.so is not loaded, or if res_parking.conf has no
      configuration (Reported by CJ Oster)
 * ASTERISK-23069 - Custom CDR variable not recorded when set in
      macro called from app_queue (Reported by Bryan Anderson)
 * ASTERISK-19499 - ConfBridge MOH is not working for transferee
      after attended transfer (Reported by Timo Teräs)
 * ASTERISK-23261 - [patch]Output mixup in
      ${CHANNEL(rtpqos,audio,all)} (Reported by rsw686)
 * ASTERISK-23260 - [patch]ForkCDR v option does not keep CDR
      variables for subsequent records (Reported by zvision)
 * ASTERISK-23141 - Asterisk crashes on Dial(), in
      pbx_find_extension at pbx.c (Reported by Maxim)
 * ASTERISK-23231 - Since 405693 If we have res_fax.conf file set
      to minrate=2400, then res_fax refuse to load (Reported by David
      Brillert)
 * ASTERISK-23135 - Crash - segfault in ast_channel_hangupcause_set
      - probably introduced in 11.7.0 (Reported by OK)
 * ASTERISK-23323 - [patch]chan_sip: missing p->owner checks in
      handle_response_invite (Reported by Walter Doekes)
 * ASTERISK-23382 - [patch]Build System: make -qp can corrupt
      menuselect-tree and related files (Reported by Corey Farrell)
 * ASTERISK-23406 - [patch]Fix typo in "sip show peer" (Reported by
      ibercom)
 * ASTERISK-23310 - bridged channel crashes in bridge_p2p_rtp_write
      (Reported by Jeremy Lainé)
 * ASTERISK-23104 - Specifying the SetVar AMI without a Channel
      cause Asterisk to crash (Reported by Joel Vandal)
 * ASTERISK-23383 - Wrong sense test on stat return code causes
      unchanged config check to break with include files. (Reported by
      David Woolley)
 * ASTERISK-17523 - Qualify for static realtime peers does not work
      (Reported by Maciej Krajewski)
 * ASTERISK-21406 - [patch] chan_sip deadlock on monlock between
      unload_module and do_monitor (Reported by Corey Farrell)
 * ASTERISK-23373 - [patch]Security: Open FD exhaustion with
      chan_sip Session-Timers (Reported by Corey Farrell)
 * ASTERISK-23340 - Security Vulnerability: stack allocation of
      cookie headers in loop allows for unauthenticated remote denial
      of service attack (Reported by Matt Jordan)
 * ASTERISK-23488 - Logic error in callerid checksum processing
      (Reported by Russ Meyerriecks)
 * ASTERISK-20841 - fromdomain not honored on outbound INVITE
      request (Reported by Kelly Goedert)
 * ASTERISK-22079 - Segfault: INTERNAL_OBJ (user_data=0x6374652f)
      at astobj2.c:120 (Reported by Jamuel Starkey)
 * ASTERISK-23509 - [patch]SayNumber for Polish language tries to
      play empty files for numbers divisible by 100 (Reported by
      zvision)
 * ASTERISK-23391 - Audit dialplan function usage of channel
      variable (Reported by Corey Farrell)
 * ASTERISK-23548 - POST to ARI sometimes returns no body on
      success (Reported by Scott Griepentrog)

Improvements made in this release:
-----------------------------------
 * ASTERISK-22980 - [patch]Allow building cdr_radius and cel_radius
      against libfreeradius-client (Reported by Jeremy Lainé)
 * ASTERISK-22661 - Unable to exit ChanSpy if spied channel does
      not have a call in progress (Reported by Chris Hillman)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.27.0

Thank you for your continued support of Asterisk!

-----

The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
available security releases are released as versions 1.8.15-cert5,
11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.

The release of these versions resolves the following issues:

* AST-2014-001: Stack overflow in HTTP processing of Cookie headers.

  Sending a HTTP request that is handled by Asterisk with a large number of
  Cookie headers could overflow the stack.

  Another vulnerability along similar lines is any HTTP request with a
  ridiculous number of headers in the request could exhaust system memory.

* AST-2014-002: chan_sip: Exit early on bad session timers request

  This change allows chan_sip to avoid creation of the channel and
  consumption of associated file descriptors altogether if the inbound
  request is going to be rejected anyway.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities,
please read security advisories AST-2014-001, AST-2014-002,
AST-2014-003, and AST-2014-004, which were released at the same
time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-002.pdf

Thank you for your continued support of Asterisk!

-----

The Asterisk Development Team has announced the release of Asterisk 1.8.26.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.26.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-22544 - Italian prompt vm-options has advertisement in
      it (Reported by Rusty Newton)
 * ASTERISK-12117 - chan_sip creates a new local tag (from-tag) for
      every register message (Reported by Pawel Pierscionek)
 * ASTERISK-20862 - Asterisk min and max member penalties not
      honored when set with 0 (Reported by Schmooze Com)
 * ASTERISK-22746 - [patch]Crash in chan_dahdi during caller id
      read (Reported by Michael Walton)
 * ASTERISK-22788 - [patch] main/translate.c: access to variable f
      after free in ast_translate() (Reported by Corey Farrell)
 * ASTERISK-21242 - Segfault when T.38 re-invite retransmission
      receives 200 OK (Reported by Ashley Winters)
 * ASTERISK-22590 - BufferOverflow in unpacksms16() when receiving
      16 bit multipart SMS with app_sms (Reported by Jan Juergens)
 * ASTERISK-22905 - Prevent Asterisk functions that are 'dangerous'
      from being executed from external interfaces (Reported by Matt
      Jordan)
 * ASTERISK-23021 - Typos in code : "avaliable" instead of
      "available" (Reported by Jeremy Lainé)
 * ASTERISK-22970 - [patch]Documentation fix for QUOTE() (Reported
      by Gareth Palmer)
 * ASTERISK-22856 - [patch]SayUnixTime in polish reads minutes
      instead of seconds (Reported by Robert Mordec)
 * ASTERISK-22854 - [patch] - Deadlock between cel_pgsql unload and
      core_event_dispatcher taskprocessor thread (Reported by Etienne
      Lessard)
 * ASTERISK-22910 - [patch] - REPLACE() calls strcpy on overlapping
      memory when <replace-char> is empty (Reported by Gareth Palmer)
 * ASTERISK-22871 - cel_pgsql module not loading after "reload" or
      "reload cel_pgsql.so" command (Reported by Matteo)
 * ASTERISK-23084 - [patch]rasterisk needlessly prints the
      AST-2013-007 warning (Reported by Tzafrir Cohen)
 * ASTERISK-17138 - [patch] Asterisk not re-registering after it
      receives "Forbidden - wrong password on authentication"
      (Reported by Rudi)
 * ASTERISK-23011 - [patch]configure.ac and pbx_lua don't support
      lua 5.2 (Reported by George Joseph)
 * ASTERISK-22834 - Parking by blind transfer when lot full orphans
      channels (Reported by rsw686)
 * ASTERISK-23047 - Orphaned (stuck) channel occurs during a failed
      SIP transfer to parking space (Reported by Tommy Thompson)
 * ASTERISK-22946 - Local From tag regression with sipgate.de
      (Reported by Stephan Eisvogel)
 * ASTERISK-23010 - No BYE message sent when sip INVITE is received
      (Reported by Ryan Tilton)

Improvements made in this release:
-----------------------------------
 * ASTERISK-22659 - Make a new core and extra sounds release
      (Reported by Rusty Newton)
 * ASTERISK-22918 - dahdi show channels slices PRI channel dnid on
      output (Reported by outtolunc)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.26.0

Thank you for your continued support of Asterisk!


To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 pkgsrc/comms/asterisk18/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/comms/asterisk18/PLIST
cvs rdiff -u -r1.52 -r1.53 pkgsrc/comms/asterisk18/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/comms/asterisk18/patches/patch-ak

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
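The two HTTP-side problems quoted in the announcements above share one root cause: an HTTP listener that accepts whatever a client sends, for as long as the client cares to send it. AST-2014-007 is a client that connects and never finishes its request, holding a session slot until the configured maximum is reached; AST-2014-001 is a client that sends a request head with an unbounded number of header fields (Cookie lines in particular). The block below is an added example, not Asterisk's code and not taken from the advisories, showing the two checks a request-head reader needs to close off both patterns: a per-connection deadline for completing the request head, and a cap on header count and head size enforced while reading rather than after buffering. The limits (64 headers, 16 KiB head, 0.5 s deadline), the exception names, and the socketpair-based client simulations are all assumptions chosen for the demonstration; Asterisk's own values and internals are not reproduced here.

```python
"""Hardened HTTP request-head reader (added example, not Asterisk's code).

Closes off two denial-of-service patterns on an HTTP listener:
  * a client that connects and never completes its request head
    (the AST-2014-007 pattern: idle connections exhaust the session limit)
  * a client that sends an unbounded number of header fields
    (the AST-2014-001 pattern: e.g. hundreds of Cookie: lines)
All limits below are assumed values for the demonstration.
"""
import socket
import threading
import time

MAX_HEADERS = 64            # assumed cap on header fields per request
MAX_HEAD_BYTES = 16 * 1024  # assumed cap on the whole request head
HEAD_TIMEOUT = 0.5          # assumed seconds allowed to finish the request head


class BadRequest(Exception):
    """Request violates a size or syntax limit; reject with a 4xx and close."""


class TooSlow(Exception):
    """Client did not finish its request head before the deadline; drop it."""


def parse_request_head(head, max_headers=MAX_HEADERS):
    """Split a complete request head (without the final CRLF CRLF) into
    (method, target, version, [(name, value), ...]).

    The header-count check runs before each field is stored, so a flood of
    Cookie: lines is rejected at field max_headers+1 instead of being
    accumulated on the stack or heap first.
    """
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        raise BadRequest("malformed request line")
    headers = []
    for raw in lines[1:]:
        if not raw:
            continue
        if len(headers) >= max_headers:
            raise BadRequest("too many header fields")
        name, sep, value = raw.partition(b":")
        if not sep or not name.strip():
            raise BadRequest("malformed header field")
        headers.append((name.strip().lower(), value.strip()))
    return request_line[0], request_line[1], request_line[2], headers


def read_request_head(conn, timeout=HEAD_TIMEOUT, max_bytes=MAX_HEAD_BYTES):
    """Read from conn until CRLF CRLF, under one deadline for the whole head.

    The deadline is absolute, so a client that trickles one byte per recv()
    cannot reset it; when it passes, the connection is dropped and its
    session slot is freed for legitimate clients.
    """
    deadline = time.monotonic() + timeout
    buf = b""
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TooSlow("request head not completed before deadline")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise TooSlow("request head not completed before deadline")
        if not chunk:
            raise BadRequest("client closed before request head complete")
        buf += chunk
        if len(buf) > max_bytes:
            raise BadRequest("request head too large")
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return parse_request_head(buf[:end])


def handle_connection(conn):
    """Serve one client connection and return a short status string.
    Every path closes the socket, so no outcome leaks a session slot."""
    try:
        method, target, _version, headers = read_request_head(conn)
        return "ok %s %s headers=%d" % (method.decode(), target.decode(), len(headers))
    except TooSlow:
        return "dropped: slow client"
    except BadRequest as exc:
        return "rejected: %s" % exc
    finally:
        conn.close()


# --- constructed client behaviours, run over a local socketpair ------------

def simulate(client_script):
    """Run handle_connection() against client_script(sock) on a socketpair."""
    server_side, client_side = socket.socketpair()
    worker = threading.Thread(target=client_script, args=(client_side,))
    worker.start()
    result = handle_connection(server_side)
    worker.join()
    return result


def normal_client(sock):
    sock.sendall(b"GET /httpstatus HTTP/1.1\r\nHost: pbx\r\nCookie: a=1\r\n\r\n")
    sock.close()


def slow_client(sock):
    # Sends part of a request head, then stalls: the AST-2014-007 pattern.
    sock.sendall(b"GET / HTTP/1.1\r\nHost: pbx\r\n")
    time.sleep(HEAD_TIMEOUT * 3)
    sock.close()


def header_flood_client(sock):
    # Hundreds of Cookie: fields in one head: the AST-2014-001 pattern.
    head = b"GET / HTTP/1.1\r\n" + b"Cookie: x=y\r\n" * 500 + b"\r\n"
    try:
        sock.sendall(head)
    except OSError:
        pass  # server may already have rejected and closed
    sock.close()


if __name__ == "__main__":
    for client in (normal_client, slow_client, header_flood_client):
        print(client.__name__, "->", simulate(client))
```

The deadline is computed once per connection and re-armed on every recv() as the remaining time, which is the detail that matters: a per-read idle timeout alone still lets a client send one byte every few seconds and hold the slot indefinitely. Likewise the header cap is checked before each field is appended, so the rejection costs a bounded amount of memory no matter how many fields the client sends.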



