CVS commit: pkgsrc/comms/asterisk18

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/comms/asterisk18
From: "John Nemeth" <jnemeth%netbsd.org@localhost>
Date: Wed, 3 Dec 2014 01:00:23 +0000

Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Wed Dec  3 01:00:23 UTC 2014

Modified Files:
        pkgsrc/comms/asterisk18: Makefile distinfo

Log Message:
Update to Asterisk 1.8.32.1: this is a security fix release.

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
11.14.1, 12.7.1, and 13.0.1.

The release of these versions resolves the following security vulnerabilities:

* AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
  address families

  Many modules in Asterisk that service incoming IP traffic have ACL options
  ("permit" and "deny") that can be used to whitelist or blacklist address
  ranges. A bug has been discovered where the address family of incoming
  packets is only compared to the IP address family of the first entry in the
  list of access control rules. If the source IP address for an incoming
  packet is not of the same address as the first ACL entry, that packet
  bypasses all ACL rules.

* AST-2014-018: Permission Escalation through DB dialplan function

  The DB dialplan function when executed from an external protocol, such as AMI,
  could result in a privilege escalation. Users with a lower class authorization
  in AMI can access the internal Asterisk database without the required SYSTEM
  class authorization.

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf

Thank you for your continued support of Asterisk!


To generate a diff of this commit:
cvs rdiff -u -r1.89 -r1.90 pkgsrc/comms/asterisk18/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/comms/asterisk18/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/textproc/antiword
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/textproc/antiword
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index