pkgsrc-Changes archive


CVS commit: [pkgsrc-2014Q3] pkgsrc/comms



Module Name:    pkgsrc
Committed By:   tron
Date:           Sat Dec  6 16:57:53 UTC 2014

Modified Files:
        pkgsrc/comms/asterisk [pkgsrc-2014Q3]: Makefile PLIST distinfo
        pkgsrc/comms/asterisk18 [pkgsrc-2014Q3]: Makefile PLIST distinfo
Removed Files:
        pkgsrc/comms/asterisk/patches [pkgsrc-2014Q3]:
            patch-contrib_scripts_autosupport

Log Message:
Pullup ticket #4566 - requested by jnemeth
comms/asterisk: security update
comms/asterisk18: security update

Revisions pulled up:
- comms/asterisk/Makefile                                       1.113-1.115
- comms/asterisk/PLIST                                          1.9
- comms/asterisk/distinfo                                       1.67-1.69
- comms/asterisk/patches/patch-contrib_scripts_autosupport      deleted
- comms/asterisk18/Makefile                                     1.88-1.90
- comms/asterisk18/PLIST                                        1.25
- comms/asterisk18/distinfo                                     1.56-1.58

---
   Module Name: pkgsrc
   Committed By:        jnemeth
   Date:                Tue Oct 14 03:35:05 UTC 2014

   Modified Files:
        pkgsrc/comms/asterisk18: Makefile PLIST distinfo

   Log Message:
   Update Asterisk to 1.8.31.0.  This is mostly a bugfix release:

   The Asterisk Development Team has announced the release of Asterisk 1.8.31.0.

   The release of Asterisk 1.8.31.0 resolves several issues reported by the
   community and would have not been possible without your participation.
   Thank you!

   The following are the issues resolved in this release:

   Bugs fixed in this release:
   -----------------------------------
    * ASTERISK-24032 - Gentoo compilation emits warning:
         "_FORTIFY_SOURCE" redefined (Reported by Kilburn)
    * ASTERISK-24225 - Dial option z is broken (Reported by
         dimitripietro)
    * ASTERISK-24178 - [patch]fromdomainport used even if not set
         (Reported by Elazar Broad)
    * ASTERISK-24019 - When a Music On Hold stream starts it restarts
         at beginning of file. (Reported by Jason Richards)
    * ASTERISK-24211 - testsuite: Fix the dial_LS_options test
         (Reported by Matt Jordan)
    * ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
         Mohod)

   Improvements made in this release:
   -----------------------------------
    * ASTERISK-24171 - [patch] Provide a manpage for the aelparse
         utility (Reported by Jeremy Lainé)

   For a full list of changes in this release, please see the ChangeLog:

   http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.31.0

   Thank you for your continued support of Asterisk!

---
   Module Name: pkgsrc
   Committed By:        jnemeth
   Date:                Tue Oct 14 03:36:40 UTC 2014

   Modified Files:
        pkgsrc/comms/asterisk: Makefile PLIST distinfo

   Log Message:
   Update Asterisk to 11.13.0.  This is mostly a bugfix release:

   The Asterisk Development Team has announced the release of Asterisk 11.13.0.

   The release of Asterisk 11.13.0 resolves several issues reported by the
   community and would have not been possible without your participation.
   Thank you!

   The following are the issues resolved in this release:

   Bugs fixed in this release:
   -----------------------------------
    * ASTERISK-24032 - Gentoo compilation emits warning:
         "_FORTIFY_SOURCE" redefined (Reported by Kilburn)
    * ASTERISK-24225 - Dial option z is broken (Reported by
         dimitripietro)
    * ASTERISK-24178 - [patch]fromdomainport used even if not set
         (Reported by Elazar Broad)
    * ASTERISK-22252 - res_musiconhold cleanup - REF_DEBUG reload
         warnings and ref leaks (Reported by Walter Doekes)
    * ASTERISK-23997 - chan_sip: port incorrectly incremented for RTCP
         ICE candidates in SDP answer (Reported by Badalian Vyacheslav)
    * ASTERISK-24019 - When a Music On Hold stream starts it restarts
         at beginning of file. (Reported by Jason Richards)
    * ASTERISK-23767 - [patch] Dynamic IAX2 registration stops trying
         if ever not able to resolve (Reported by David Herselman)
    * ASTERISK-24211 - testsuite: Fix the dial_LS_options test
         (Reported by Matt Jordan)
    * ASTERISK-24249 - SIP debugs do not stop (Reported by Avinash
         Mohod)
    * ASTERISK-23577 - res_rtp_asterisk: Crash in
         ast_rtp_on_turn_rtp_state when RTP instance is NULL (Reported by
         Jay Jideliov)
    * ASTERISK-23634 - With TURN Asterisk crashes on multiple (7-10)
         concurrent WebRTC (avpg/encryption/icesupport) calls (Reported
         by Roman Skvirsky)
    * ASTERISK-24301 - Security: Out of call MESSAGE requests
         processed via Message channel driver can crash Asterisk
         (Reported by Matt Jordan)

   Improvements made in this release:
   -----------------------------------
    * ASTERISK-24171 - [patch] Provide a manpage for the aelparse
         utility (Reported by Jeremy Lainé)

   For a full list of changes in this release, please see the ChangeLog:

   http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.13.0

   Thank you for your continued support of Asterisk!

---
   Module Name: pkgsrc
   Committed By:        jnemeth
   Date:                Wed Nov 19 08:30:57 UTC 2014

   Modified Files:
        pkgsrc/comms/asterisk18: Makefile distinfo

   Log Message:
   Update to Asterisk 1.8.32.0: this is mostly a bug fix release.

   The Asterisk Development Team has announced the release of Asterisk 1.8.32.0.

   The release of Asterisk 1.8.32.0 resolves several issues reported by the
   community and would have not been possible without your participation.
   Thank you!

   The following are the issues resolved in this release:

   Bugs fixed in this release:
   -----------------------------------
    * ASTERISK-24348 - Built-in editline tab complete segfault with
         MALLOC_DEBUG (Reported by Walter Doekes)
    * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
         INVITE retransmissions of rejected calls (Reported by Torrey
         Searle)
    * ASTERISK-23768 - [patch] Asterisk man page contains a (new)
         unquoted minus sign (Reported by Jeremy Lainé)
    * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
         (Reported by Jeremy Lainé)
    * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
         realtime peers (Reported by ibercom)
    * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
         ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
    * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
         high on linux systems with lots of RAM (Reported by Michael
         Myles)
    * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
         results in a SIP channel leak (Reported by NITESH BANSAL)
    * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
         Re-INVITE results in a SIP channel leak (Reported by Torrey
         Searle)
    * ASTERISK-24406 - Some caller ID strings are parsed differently
         since 11.13.0 (Reported by Etienne Lessard)
    * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
         (Reported by Tzafrir Cohen)
    * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
         Tzafrir Cohen)
    * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
         (Reported by Paolo Compagnini)
    * ASTERISK-18923 - res_fax_spandsp usage counter is wrong
         (Reported by Grigoriy Puzankin)
    * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
         (Reported by Dmitry Melekhov)
    * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
         when sending qualify requests (Reported by Damian Ivereigh)
    * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
         SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
         abelbeck)
    * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
         against libsrtp-1.5.0 (Reported by Patrick Laimbock)
    * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
         (Reported by Olle Johansson)
    * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
         Nick Adams)
    * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
         (Reported by Corey Farrell)
    * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
         leaks (Reported by Corey Farrell)
    * ASTERISK-24307 - Unintentional memory retention in stringfields
         (Reported by Etienne Lessard)

   For a full list of changes in this release, please see the ChangeLog:

   http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.32.0

   Thank you for your continued support of Asterisk!

---
   Module Name: pkgsrc
   Committed By:        jnemeth
   Date:                Wed Nov 19 08:32:48 UTC 2014

   Modified Files:
        pkgsrc/comms/asterisk: Makefile distinfo
   Removed Files:
        pkgsrc/comms/asterisk/patches: patch-contrib_scripts_autosupport

   Log Message:
   Update to Asterisk 11.14.0: this is mostly a bugfix release.

   The Asterisk Development Team has announced the release of Asterisk 11.14.0.

   The release of Asterisk 11.14.0 resolves several issues reported by the
   community and would have not been possible without your participation.
   Thank you!

   The following are the issues resolved in this release:

   Bugs fixed in this release:
   -----------------------------------
    * ASTERISK-24348 - Built-in editline tab complete segfault with
         MALLOC_DEBUG (Reported by Walter Doekes)
    * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
         INVITE retransmissions of rejected calls (Reported by Torrey
         Searle)
    * ASTERISK-23768 - [patch] Asterisk man page contains a (new)
         unquoted minus sign (Reported by Jeremy Lainé)
    * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
         (Reported by Jeremy Lainé)
    * ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
         Cohen)
    * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
         realtime peers (Reported by ibercom)
    * ASTERISK-24384 - chan_motif: format capabilities leak on module
         load error (Reported by Corey Farrell)
    * ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
         (Reported by Corey Farrell)
    * ASTERISK-24378 - Release AMI connections on shutdown (Reported
         by Corey Farrell)
    * ASTERISK-24354 - AMI sendMessage closes AMI connection on error
         (Reported by Peter Katzmann)
    * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
         ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
    * ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
         incorrectly attempted (Reported by Joshua Colp)
    * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
         high on linux systems with lots of RAM (Reported by Michael
         Myles)
    * ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
         received for component (Reported by Kevin Harwell)
    * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
         results in a SIP channel leak (Reported by NITESH BANSAL)
    * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
         Re-INVITE results in a SIP channel leak (Reported by Torrey
         Searle)
    * ASTERISK-24406 - Some caller ID strings are parsed differently
         since 11.13.0 (Reported by Etienne Lessard)
    * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
         (Reported by Tzafrir Cohen)
    * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
         Tzafrir Cohen)
    * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
         (Reported by Paolo Compagnini)
    * ASTERISK-18923 - res_fax_spandsp usage counter is wrong
         (Reported by Grigoriy Puzankin)
    * ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
         Corey Farrell)
    * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
         (Reported by Dmitry Melekhov)
    * ASTERISK-23846 - Unistim multilines. Loss of voice after second
         call drops (on a second line). (Reported by Rustam Khankishyiev)
    * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
         when sending qualify requests (Reported by Damian Ivereigh)
    * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
         SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
         abelbeck)
    * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
         against libsrtp-1.5.0 (Reported by Patrick Laimbock)
    * ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
         leak (Reported by Corey Farrell)
    * ASTERISK-24430 - missing letter "p" in word response in
         OriginateResponse event documentation (Reported by Dafi Ni)
    * ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
         Corey Farrell)
    * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
         (Reported by Olle Johansson)
    * ASTERISK-24304 - asterisk crashing randomly because of unistim
         channel (Reported by dhanapathy sathya)
    * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
         Nick Adams)
    * ASTERISK-24466 - app_queue: fix a couple leaks to struct
         call_queue (Reported by Corey Farrell)
    * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
         (Reported by Corey Farrell)
    * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
         leaks (Reported by Corey Farrell)
    * ASTERISK-24307 - Unintentional memory retention in stringfields
         (Reported by Etienne Lessard)

   For a full list of changes in this release, please see the ChangeLog:

   http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0

   Thank you for your continued support of Asterisk!

---
   Module Name: pkgsrc
   Committed By:        jnemeth
   Date:                Wed Dec  3 01:00:23 UTC 2014

   Modified Files:
        pkgsrc/comms/asterisk18: Makefile distinfo

   Log Message:
   Update to Asterisk 1.8.32.1: this is a security fix release.

   The Asterisk Development Team has announced security releases for Certified
   Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
   security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
   11.14.1, 12.7.1, and 13.0.1.

   The release of these versions resolves the following security vulnerabilities:

   * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
     address families

     Many modules in Asterisk that service incoming IP traffic have ACL options
     ("permit" and "deny") that can be used to whitelist or blacklist address
     ranges. A bug has been discovered where the address family of incoming
     packets is only compared to the IP address family of the first entry in the
     list of access control rules. If the source IP address for an incoming
     packet is not of the same address as the first ACL entry, that packet
     bypasses all ACL rules.

   * AST-2014-018: Permission Escalation through DB dialplan function

     The DB dialplan function when executed from an external protocol, such as AMI,
     could result in a privilege escalation. Users with a lower class authorization
     in AMI can access the internal Asterisk database without the required SYSTEM
     class authorization.

   For more information about the details of these vulnerabilities, please read
   security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
   AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
   time as this announcement.

   For a full list of changes in the current releases, please see the ChangeLogs:

   http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1

   The security advisories are available at:

    * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
    * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf

   Thank you for your continued support of Asterisk!

---
   Module Name: pkgsrc
   Committed By:        jnemeth
   Date:                Wed Dec  3 01:57:37 UTC 2014

   Modified Files:
        pkgsrc/comms/asterisk: Makefile distinfo

   Log Message:
   Update to Asterisk 11.14.1:  this is a security fix release.

   The Asterisk Development Team has announced security releases for Certified
   Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
   security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
   11.14.1, 12.7.1, and 13.0.1.

   The release of these versions resolves the following security vulnerabilities:

   * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
     address families

     Many modules in Asterisk that service incoming IP traffic have ACL options
     ("permit" and "deny") that can be used to whitelist or blacklist address
     ranges. A bug has been discovered where the address family of incoming
     packets is only compared to the IP address family of the first entry in the
     list of access control rules. If the source IP address for an incoming
     packet is not of the same address as the first ACL entry, that packet
     bypasses all ACL rules.

   * AST-2014-018: Permission Escalation through DB dialplan function

     The DB dialplan function when executed from an external protocol, such as AMI,
     could result in a privilege escalation. Users with a lower class authorization
     in AMI can access the internal Asterisk database without the required SYSTEM
     class authorization.

   In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
   security vulnerability:

   * AST-2014-014: High call load with ConfBridge can result in resource exhaustion

     The ConfBridge application uses an internal bridging API to implement
     conference bridges. This internal API uses a state model for channels within
     the conference bridge and transitions between states as different things
     occur. Under load it is possible for some state transitions to be delayed
     causing the channel to transition from being hung up to waiting for media. As
     the channel has been hung up remotely no further media will arrive and the
     channel will stay within ConfBridge indefinitely.

   In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
   the following security vulnerability:

   * AST-2014-017: Permission Escalation via ConfBridge dialplan function and
                   AMI ConfbridgeStartRecord Action

     The CONFBRIDGE dialplan function when executed from an external protocol (such
     as AMI) can result in a privilege escalation as certain options within that
     function can affect the underlying system. Additionally, the AMI
     ConfbridgeStartRecord action has options that would allow modification of the
     underlying system, and does not require SYSTEM class authorization in AMI.

   For a full list of changes in the current releases, please see the ChangeLogs:

   http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1

   The security advisories are available at:

    * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
    * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
    * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
    * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf

   Thank you for your continued support of Asterisk!


To generate a diff of this commit:
cvs rdiff -u -r1.111 -r1.111.2.1 pkgsrc/comms/asterisk/Makefile
cvs rdiff -u -r1.8 -r1.8.2.1 pkgsrc/comms/asterisk/PLIST
cvs rdiff -u -r1.66 -r1.66.2.1 pkgsrc/comms/asterisk/distinfo
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/comms/asterisk/patches/patch-contrib_scripts_autosupport
cvs rdiff -u -r1.86 -r1.86.2.1 pkgsrc/comms/asterisk18/Makefile
cvs rdiff -u -r1.24 -r1.24.2.1 pkgsrc/comms/asterisk18/PLIST
cvs rdiff -u -r1.55 -r1.55.2.1 pkgsrc/comms/asterisk18/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
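
The AST-2014-012 behaviour described in the log messages above, as an added simplified model (not code from this commit or from Asterisk): an ACL check that compares the packet's address family only to the first rule, beside a per-entry check. The function names, the last-match-wins/default-permit evaluation order and the documentation-range addresses are assumptions made for the example.

```python
import ipaddress

# Constructed ACL in rule order, using documentation address ranges only.
ACL = [
    ("deny",   "0.0.0.0/0"),
    ("permit", "192.0.2.0/24"),
    ("deny",   "::/0"),
    ("permit", "2001:db8::/32"),
]


def parse(acl):
    """Turn (sense, cidr) pairs into (sense, ip_network) pairs."""
    return [(sense, ipaddress.ip_network(net)) for sense, net in acl]


def evaluate(rules, addr):
    """Walk every rule; the last matching rule wins, default is permit
    (assumed semantics for this model)."""
    result = "permit"
    for sense, net in rules:
        # Membership is False when the address and rule families differ,
        # so each rule is judged against its own family.
        if addr in net:
            result = sense
    return result


def check_flawed(acl, src):
    """Model of the bug: the family is compared to the first rule only,
    and a mismatch skips the whole rule list."""
    rules, addr = parse(acl), ipaddress.ip_address(src)
    if rules and addr.version != rules[0][1].version:
        return "permit"
    return evaluate(rules, addr)


def check_per_entry(acl, src):
    """Corrected model: the family is considered for each rule."""
    return evaluate(parse(acl), ipaddress.ip_address(src))


def is_mixed_family(acl):
    """Audit helper: ACLs holding both IPv4 and IPv6 rules are the ones
    affected on unpatched versions."""
    return len({net.version for _, net in parse(acl)}) > 1


if __name__ == "__main__":
    for src in ("198.51.100.7", "192.0.2.10", "2001:db8::1", "2001:db9::1"):
        print(src, check_flawed(ACL, src), check_per_entry(ACL, src))
    print("mixed families:", is_mixed_family(ACL))
```

is_mixed_family() can be run over the permit/deny lists of a deployed configuration to find the ACLs that need the updated packages first.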



