Navigation:
Browse pkgsrc
(this page)| 2012-01-14 09:30:15 by John Nemeth | Files touched by this commit (2) |
Log message: Update to Asterisk 1.6.2.22: The release of Asterisk 1.6.2.22 corrects two flaws in sip.conf.sample related to AST-2011-013: * The sample file listed *two* values for the 'nat' option as being the default. Only 'yes' is the default. * The warning about having differing 'nat' settings confusingly referred to both peers and users. For a full list of changes in this release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.22 Thank you for your continued support of Asterisk! |
2011-12-12 06:05:34 by John Nemeth | Files touched by this commit (3) |  |
Log message:
This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes
in the iLBC codec files.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-013
Product Asterisk
Summary Possible remote enumeration of SIP endpoints with
differing NAT settings
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 2011-07-18
Reported By Ben Williams
Posted On
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description It is possible to enumerate SIP usernames when the general
and user/peer NAT settings differ in whether to respond to
the port a request is sent from or the port listed for
responses in the Via header. In 1.4 and 1.6.2, this would
mean if one setting was nat=yes or nat=route and the other
was either nat=no or nat=never. In 1.8 and 10, this would
mean when one was nat=force_rport or nat=yes and the other
was nat=no or nat=comedia.
Resolution Handling NAT for SIP over UDP requires the differing
behavior introduced by these options.
To lessen the frequency of unintended username disclosure,
the default NAT setting was changed to always respond to the
port from which we received the request-the most commonly
used option.
Warnings were added on startup to inform administrators of
the risks of having a SIP peer configured with a different
setting than that of the general setting. The documentation
now strongly suggests that peers are no longer configured
for NAT individually, but through the global setting in the
"general" context.
Affected Versions
Product Release Series
Asterisk Open Source All All versions
Corrected In
As this is more of an issue with SIP over UDP in general, there is no
fix supplied other than documentation on how to avoid the problem. The
default NAT setting has been changed to what we believe the most
commonly used setting for the respective version in Asterisk 1.4.43,
1.6.2.21, and 1.8.7.2.
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-013.pdf and
http://downloads.digium.com/pub/security/AST-2011-013.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-013
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-014
Product Asterisk
Summary Remote crash possibility with SIP and the "automon"
feature enabled
Nature of Advisory Remote crash vulnerability in a feature that is
disabled by default
Susceptibility Remote unauthenticated sessions
Severity Moderate
Exploits Known Yes
Reported On November 2, 2011
Reported By Kristijan Vrban
Posted On 2011-11-03
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description When the "automon" feature is enabled in features.conf, it
is possible to send a sequence of SIP requests that cause
Asterisk to dereference a NULL pointer and crash.
Resolution Applying the referenced patches that check that the pointer
is not NULL before accessing it will resolve the issue. The
"automon" feature can be disabled in features.conf as a
workaround.
Affected Versions
Product Release Series
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Corrected In
Product Release
Asterisk Open Source 1.6.2.21, 1.8.7.2
Patches
Download URL Revision
http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-014.pdf and
http://downloads.digium.com/pub/security/AST-2011-014.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-014
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
|
| 2011-12-05 05:18:32 by John Nemeth | Files touched by this commit (2) |
Log message: Now that -current has sqlite3 included in base, enable it here. |
| 2011-10-11 05:15:50 by John Nemeth | Files touched by this commit (1) |
Log message: Revert previous. This package was marked OWNER= for a reason! |
| 2011-08-07 04:40:32 by John Nemeth | Files touched by this commit (3) | |
Log message: Bump PKGREVISION for perl update. |
| 2011-07-05 10:34:48 by John Nemeth | Files touched by this commit (3) |
Log message: Update to 1.6.2.19 (fixes several security issues): Please note that Asterisk 1.6.2.19 is the final maintenance release from the 1.6.2 branch. Support for security related issues will continue until April 21, 2012. For more information about support of the various Asterisk branches, see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions The release of Asterisk 1.6.2.19 resolves several issues reported by the community and would have not been possible without your participation. Thank you! The following is a sample of the issues resolved in this release: * Don't broadcast FullyBooted to every AMI connection The FullyBooted event should not be sent to every AMI connection every time someone connects via AMI. It should only be sent to the user who just connected. (Closes issue #18168. Reported, patched by FeyFre) * Fix thread blocking issue in the sip TCP/TLS implementation. (Closes issue #18497. Reported by vois. Tested by vois, rossbeer, kowalma, Freddi_Fonet. Patched by dvossel) * Don't delay DTMF in core bridge while listening for DTMF features. (Closes issue #15642, #16625. Reported by jasonshugart, sharvanek. Tested by globalnetinc, jde. Patched by oej, twilson) * Fix chan_local crashs in local_fixup() Thanks OEJ for tracking down the issue and submitting the patch. (Closes issue #19053. Reported, patched by oej) * Don't offer video to directmedia callee unless caller offered it as well (Closes issue #19195. Reported, patched by one47) Additionally security announcements AST-2011-008, AST-2011-010, and AST-2011-011 have been resolved in this release. For a full list of changes in this release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.19 |
| 2011-06-06 08:25:06 by John Nemeth | Files touched by this commit (5) |
Log message:
Upgrade to 1.6.2.18. This fixes several security issues including:
AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, and AST-2011-006.
===========================================================================
1.6.2.18:
The Asterisk Development Team has announced the release of Asterisk 1.6.2.18.
The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Only offer codecs both sides support for directmedia.
* Resolution of several DTMF based attended transfer issues.
NOTE: Be sure to read the ChangeLog for more information about these changes.
* Resolve deadlocks related to device states in chan_sip
* Fix channel redirect out of MeetMe() and other issues with channel softhangup
* Fix voicemail sequencing for file based storage.
* Guard against retransmitting BYEs indefinitely during attended transfers with
chan_sip.
In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18
===========================================================================
1.6.2.17.3
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.
The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:
* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)
The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.3
Security advisory AST-2011-005 and AST-2011-006 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf
===========================================================================
1.6.2.17.2:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.
** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
contained a bug which caused duplicate manager entries (issue #18987).
The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.2
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.6.2.17.1:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:
* Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
* Remote crash vulnerability in TCP/TLS server (AST-2011-004)
The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.
For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.1
Security advisory AST-2011-003 and AST-2011-004 are available at:
http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf
===========================================================================
1.6.2.16.2:
The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.
The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.
For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2
Security advisory AST-2011-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
|
| 2011-04-22 15:45:23 by OBATA Akio | Files touched by this commit (2234) |
Log message: recursive bump from gettext-lib shlib bump. |
| 2011-01-21 06:13:12 by John Nemeth | Files touched by this commit (2) |
Log message:
Update to 1.6.2.16.1
This is to fix AST-2011-001: Stack buffer overflow in SIP channel driver
Asterisk Project Security Advisory - AST-2011-001
Product Asterisk
Summary Stack buffer overflow in SIP channel driver
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 11, 2011
Reported By Matthew Nicholson
Posted On January 18, 2011
Last Updated On January 18, 2011
Advisory Contact Matthew Nicholson <mnicholson at digium.com>
CVE Name
Description When forming an outgoing SIP request while in pedantic mode, a
stack buffer can be made to overflow if supplied with
carefully crafted caller ID information. This vulnerability
also affects the URIENCODE dialplan function and in some
versions of asterisk, the AGI dialplan application as well.
The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when
encoding URIs.
For full details, see:
http://downloads.digium.com/pub/security/AST-2011-001.html
|
| 2011-01-16 07:30:57 by John Nemeth | Files touched by this commit (3) |
Log message: Update to 1.6.2.16: The release of Asterisk 1.6.2.16 resolves several issues reported by the community and would have not been possible without your participation. Thank you! The following is a sample of the issues resolved in this release: * Fix cache of device state changes for multiple servers. (Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested by russellb) * Resolve issue where channel redirect function (CLI or AMI) hangs up the call instead of redirecting the call. (Closes issue #18171. Reported by: SantaFox) (Closes issue #18185. Reported by: kwemheuer) (Closes issue #18211. Reported by: zahir_koradia) (Closes issue #18230. Reported by: vmarrone) (Closes issue #18299. Reported by: mbrevda) (Closes issue #18322. Reported by: nerbos) * Linux and *BSD disagree on the elements within the ucred structure. Detect which one is in use on the system. (Closes issue #18384. Reported, patched, tested by bjm, tilghman) * app_followme: Don't create a Local channel if the target extension does not exist. (Closes issue #18126. Reported, patched by junky) * Revert code that changed SSRC for DTMF. (Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou. rsw686. Tested by cmbaker82) * Resolve issue where REGISTER request with a Call-ID matching an existing transaction is received it was possible that the REGISTER request would overwrite the initreq of the private structure. (Closes issue #18051. Reported by eeman. Patched, tested by twilson) For a full list of changes in this release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16 |
New packages: