./comms/asterisk14, The Asterisk Software PBX


Branch: CURRENT, Version: 14.7.8nb7, Package name: asterisk-14.7.8nb7, Maintainer: jnemeth

Asterisk is a complete PBX in software. It provides all of the
features you would expect from a PBX and more. Asterisk does voice
over IP in three protocols, and can interoperate with almost all
standards-based telephony equipment using relatively inexpensive

Asterisk provides Voicemail services with Directory, Call Conferencing,
Interactive Voice Response, Call Queuing. It has support for
three-way calling, caller ID services, ADSI, SIP and H.323 (as both
client and gateway).

This is a standard version. It is scheduled to go to security
fixes only on October 24th, 2017, and EOL on October 24th, 2018.
See here for more information about Asterisk versions:

NOTE: This version does not work with the zaptel drivers. It
requires the newer DAHDI drivers which are still being ported.
So, there is no hardware support available at this moment.

Required to run:
[textproc/libxml2] [www/curl] [databases/openldap-client] [audio/speex] [lang/perl5] [shells/bash] [security/openssl] [devel/libuuid] [textproc/iksemel] [textproc/jansson] [audio/speexdsp] [comms/srtp]

Required to build:

Package options: asterisk-config, jabber, ldap, speex

CVS history:

   2021-01-03 10:05:26 by John Nemeth | Files touched by this commit (2)
Log message:
Disable -march=native default.
   2020-11-05 10:09:30 by Ryo ONODERA | Files touched by this commit (1814)
Log message:
*: Recursive revbump from textproc/icu-68.1
   2020-08-31 20:13:29 by Thomas Klausner | Files touched by this commit (3631) | Package updated
Log message:
*: bump PKGREVISION for perl-5.32.
   2020-08-17 22:20:41 by Leonardo Taccari | Files touched by this commit (2202)
Log message:
*: revbump after fontconfig bl3 changes (libuuid removal)
   2020-06-02 10:25:05 by Adam Ciarcinski | Files touched by this commit (1689)
Log message:
Revbump for icu
   2020-05-22 12:56:49 by Adam Ciarcinski | Files touched by this commit (624)
Log message:
revbump after updating security/nettle
   2020-05-06 16:05:09 by Adam Ciarcinski | Files touched by this commit (591) | Package updated
Log message:
revbump after boost update
   2020-05-05 19:59:10 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
asterisk14: updated to 14.7.8

asterisk 14.7.8:

* AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

  The HTTP request processing in res_http_websocket allocates additional
  space on the stack for various headers received during an Upgrade request.
  An attacker could send a specially crafted request that causes this code
  to overflow the stack, resulting in a crash.

  * No longer allocate memory from the stack in a loop to parse the header
  values.  NOTE: There is a slight API change when using the passed in
  strings as is.  We now require the passed in strings to no longer have
  leading or trailing whitespace.  This isn't a problem as the only callers
  have already done this before passing the strings to the affected

asterisk 14.7.7:

* AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

  When endpoint specific ACL rules block a SIP request they respond with a
  403 forbidden.  However, if an endpoint is not identified then a 401
  unauthorized response is sent.  This vulnerability just discloses which
  requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
  access to the disclosed endpoints.

  * Made endpoint specific ACL rules now respond with a 401 unauthorized
  which is the same as if an endpoint were not identified.  The fix is
  accomplished by replacing the found endpoint with the artificial endpoint
  which always fails authentication.

asterisk 14.7.6:

* AST-2018-003: Crash with an invalid SDP fmtp attribute

  pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
  Because of this Asterisk would crash if given an SDP with an invalid fmtp

  When retrieving the format this patch now makes sure the fmtp attribute is
  available. If not available it now returns an error status.

* AST-2018-002: Crash with an invalid SDP media format description

  pjproject's media format parsing algorithm failed to catch invalid values.
  Because of this Asterisk would crash if given an SDP with an invalid media
  format description.

  When parsing the media format description this patch now properly parses the
  value and returns an error status if it can't successfully parse/convert the

* AST-2018-005: res_pjsip_transport_management:  Move to core

  Since res_pjsip_transport_management provides several attack
  mitigation features, its functionality moved to res_pjsip and
  this module has been removed.  This way the features will always
  be available if res_pjsip is loaded.

* AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)

     authenticate() creates a tdata and uses it to send a challenge or
     failure response.  When pjsip_endpt_send_response2() succeeds, it
     automatically decrements the tdata ref count but when it fails, it
     doesn't.  Since we weren't checking for a return status, we weren't
     decrementing the count ourselves on error and were therefore leaking

     session_reinvite_on_rx_request wasn't decrementing the ref count
     if an error happened while sending a 491 response.
     pre_session_setup wasn't decrementing the ref count if
     while sending an error after a pjsip_inv_verify_request failure.

     ast_sip_send_response wasn't decrementing the ref count on error.

* AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request

  It was discovered that there are some corner cases where a pjsip tsx
  might have no last_tx so calling ast_sip_failover_request with
  a NULL last_tx as its tdata would cause a crash.

* AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

  When receiving a SUBSCRIBE request the Accept headers from it are
  stored locally. This operation has a fixed limit of 32 Accept headers
  but this limit was not enforced. As a result it was possible for
  memory outside of the allocated space to get written to resulting
  in a crash.

  This change enforces the limit so only 32 Accept headers are