Subject: CVS commit: [pkgsrc-2013Q1] pkgsrc/comms
From: Matthias Scheler
Date: 2013-04-12 00:12:56
Message id: 20130411221256.84418175DD@cvs.netbsd.org

Log Message:
Pullup ticket #4116 - requested by jnemeth
comms/asterisk: security update
comms/asterisk10: security update
comms/asterisk18: security update

Revisions pulled up:
- comms/asterisk/Makefile                                       1.84
- comms/asterisk/distinfo                                       1.54
- comms/asterisk10/Makefile                                     1.43
- comms/asterisk10/distinfo                                     1.26
- comms/asterisk18/Makefile                                     1.61
- comms/asterisk18/distinfo                                     1.44

---
   Module Name:    pkgsrc
   Committed By:   jnemeth
   Date:           Wed Apr 10 05:24:39 UTC 2013

   Modified Files:
           pkgsrc/comms/asterisk18: Makefile distinfo

   Log Message:
   Update to Asterisk 1.2.20.2: this is a security update which fixes
   AST-2013-001, AST-2013-002, and AST-2013-003.

   The Asterisk Development Team has announced security releases for Certified
   Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
   are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
   and 11.2.2.

   The release of these versions resolves the following issues:

   * A denial of service exists in Asterisk's HTTP server. AST-2012-014, fixed
     in January of this year, contained a fix for Asterisk's HTTP server for a
     remotely-triggered crash. While the fix prevented the crash from being
     triggered, a denial of service vector still exists with that solution if an
     attacker sends one or more HTTP POST requests with very large Content-Length
     values.

     This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11

   * A potential username disclosure exists in the SIP channel driver. When
     authenticating a SIP request with alwaysauthreject enabled, allowguest
     disabled, and autocreatepeer disabled, Asterisk discloses whether a user
     exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.

     This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11

   These issues and their resolutions are described in the security advisories.

   For more information about the details of these vulnerabilities, please read
   security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
   released at the same time as this announcement.

   For a full list of changes in the current releases, please see the ChangeLogs:

   http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.20.2

   The security advisories are available at:

    * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
    * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
    * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf

   Thank you for your continued support of Asterisk!

---
   Module Name:    pkgsrc
   Committed By:   jnemeth
   Date:           Wed Apr 10 05:27:08 UTC 2013

   Modified Files:
           pkgsrc/comms/asterisk10: Makefile distinfo

   Log Message:
   Update to Asterisk 10.12.2: this is a security update which fixes
   AST-2013-001, AST-2013-002, and AST-2013-003.

   The Asterisk Development Team has announced security releases for Certified
   Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
   are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
   and 11.2.2.

   The release of these versions resolves the following issues:

   * A denial of service exists in Asterisk's HTTP server. AST-2012-014, fixed
     in January of this year, contained a fix for Asterisk's HTTP server for a
     remotely-triggered crash. While the fix prevented the crash from being
     triggered, a denial of service vector still exists with that solution if an
     attacker sends one or more HTTP POST requests with very large Content-Length
     values.

     This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11

   * A potential username disclosure exists in the SIP channel driver. When
     authenticating a SIP request with alwaysauthreject enabled, allowguest
     disabled, and autocreatepeer disabled, Asterisk discloses whether a user
     exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.

     This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11

   These issues and their resolutions are described in the security advisories.

   For more information about the details of these vulnerabilities, please read
   security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
   released at the same time as this announcement.

   For a full list of changes in the current releases, please see the ChangeLogs:

   http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.2

   The security advisories are available at:

    * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
    * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
    * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf

   Thank you for your continued support of Asterisk!

---
   Module Name:    pkgsrc
   Committed By:   jnemeth
   Date:           Wed Apr 10 05:28:56 UTC 2013

   Modified Files:
           pkgsrc/comms/asterisk: Makefile distinfo

   Log Message:
   Update to Asterisk 11.2.2: this is a security update which fixes
   AST-2013-001, AST-2013-002, and AST-2013-003.

   The Asterisk Development Team has announced security releases for Certified
   Asterisk 1.8.15 and Asterisk 1.8, 10, and 11. The available security releases
   are released as versions 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones,
   and 11.2.2.

   The release of these versions resolves the following issues:

   * A possible buffer overflow during H.264 format negotiation. The format
     attribute resource for H.264 video performs an unsafe read against a media
     attribute when parsing the SDP.

     This vulnerability only affected Asterisk 11.

   * A denial of service exists in Asterisk's HTTP server. AST-2012-014, fixed
     in January of this year, contained a fix for Asterisk's HTTP server for a
     remotely-triggered crash. While the fix prevented the crash from being
     triggered, a denial of service vector still exists with that solution if an
     attacker sends one or more HTTP POST requests with very large Content-Length
     values.

     This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11

   * A potential username disclosure exists in the SIP channel driver. When
     authenticating a SIP request with alwaysauthreject enabled, allowguest
     disabled, and autocreatepeer disabled, Asterisk discloses whether a user
     exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.

     This vulnerability affects Certified Asterisk 1.8.15, Asterisk 1.8, 10, and 11

   These issues and their resolutions are described in the security advisories.

   For more information about the details of these vulnerabilities, please read
   security advisories AST-2013-001, AST-2013-002, and AST-2013-003, which were
   released at the same time as this announcement.

   For a full list of changes in the current releases, please see the ChangeLogs:

   http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.2.2

   The security advisories are available at:

    * http://downloads.asterisk.org/pub/security/AST-2013-001.pdf
    * http://downloads.asterisk.org/pub/security/AST-2013-002.pdf
    * http://downloads.asterisk.org/pub/security/AST-2013-003.pdf

   Thank you for your continued support of Asterisk!

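The H.264 item above describes an unsafe read while parsing an SDP media attribute. The following is an added example, not Asterisk code, of the defensive pattern that avoids that class of bug: the fmtp value is copied into a fixed-size buffer only after its length and character set have been checked, so the parser never reads past the end of the attribute line or writes past the buffer. The attribute layout (profile-level-id as six hex digits) follows RFC 6184; the sample SDP lines are constructed.

```c
/* Added example (not Asterisk code): bounded parsing of the H.264
 * profile-level-id parameter from an SDP "a=fmtp:" line. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PLID_LEN 6 /* profile-level-id is three bytes in base16 (RFC 6184) */

/*
 * Extract profile-level-id from an fmtp attribute line into a fixed buffer.
 * Returns 1 on success, 0 if the parameter is absent or malformed.
 * Every byte of `line` is tested before it is consumed, so the loop stops
 * at the terminating NUL and never writes more than PLID_LEN + 1 bytes to `out`.
 */
int parse_h264_profile_level_id(const char *line, char out[PLID_LEN + 1])
{
    static const char key[] = "profile-level-id=";
    const char *p;
    size_t i;

    out[0] = '\0';
    if (strncmp(line, "a=fmtp:", 7) != 0)
        return 0;
    p = strstr(line, key);
    if (!p)
        return 0;
    p += sizeof(key) - 1;

    /* Require exactly PLID_LEN hex digits; a NUL or non-hex byte fails early. */
    for (i = 0; i < PLID_LEN; i++) {
        if (!isxdigit((unsigned char)p[i]))
            return 0;
        out[i] = p[i];
    }
    out[PLID_LEN] = '\0';

    /* The value must be followed by a parameter separator or end of line;
     * anything else means the field is longer than the format allows. */
    if (p[PLID_LEN] != '\0' && p[PLID_LEN] != ';' &&
        !isspace((unsigned char)p[PLID_LEN]))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample attribute lines, not captured traffic. */
    const char *good = "a=fmtp:99 profile-level-id=42e01f;packetization-mode=1";
    const char *toolong = "a=fmtp:99 profile-level-id=42e01f0123456789abcdef";
    char plid[PLID_LEN + 1];

    printf("good:    %d (%s)\n", parse_h264_profile_level_id(good, plid), plid);
    printf("toolong: %d\n", parse_h264_profile_level_id(toolong, plid));
    return 0;
}
```

The check that matters is the explicit length bound on the copy loop; a format string such as `%s` with no width, or a copy driven by the attacker-supplied length, is what turns a malformed SDP into an out-of-bounds read.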
Files:
Revision   Action   File
1.83.2.1   modify   pkgsrc/comms/asterisk/Makefile
1.53.2.1   modify   pkgsrc/comms/asterisk/distinfo
1.42.2.1   modify   pkgsrc/comms/asterisk10/Makefile
1.25.2.1   modify   pkgsrc/comms/asterisk10/distinfo
1.60.2.1   modify   pkgsrc/comms/asterisk18/Makefile
1.43.2.1   modify   pkgsrc/comms/asterisk18/distinfo
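The HTTP item in all three commit messages describes a denial of service from POST requests carrying very large Content-Length values. As an added example, not Asterisk code, the function below shows the check a server needs before it trusts that header: the value is parsed as an unsigned integer with overflow detection, rejected if malformed, and compared against a configured body cap before any buffer is sized from it. The cap value, header-block format and request samples are constructed for the example.

```c
/* Added example (not Asterisk code): validate Content-Length against a
 * policy cap before allocating or reading a request body. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum cl_status { CL_OK, CL_MISSING, CL_INVALID, CL_TOO_LARGE };

/* Constructed policy value; a real server makes this configurable. */
#define MAX_BODY_BYTES (1024u * 1024u)

/*
 * Locate a header by case-insensitive name in a CRLF-separated header block
 * (request line first, terminated by an empty line). Returns a pointer to the
 * start of the value, or NULL if the header is not present.
 */
static const char *find_header(const char *headers, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = headers;

    while (p && *p) {
        if (p[0] == '\r' && p[1] == '\n')
            break; /* empty line: end of header block, do not scan the body */
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            return p;
        }
        p = strstr(p, "\r\n");
        if (p)
            p += 2;
    }
    return NULL;
}

/*
 * Parse Content-Length and enforce `max_body`. On CL_OK, *out holds the
 * length and the caller may allocate or stream at most that many bytes.
 * Any other status means the request must be rejected (e.g. 400 or 413)
 * without touching the body.
 */
enum cl_status parse_content_length(const char *headers, size_t max_body, size_t *out)
{
    const char *v = find_header(headers, "Content-Length");
    char *end;
    unsigned long long n;

    if (!v)
        return CL_MISSING;
    /* Digits only: no sign, no leading whitespace beyond what find_header skipped. */
    if (!isdigit((unsigned char)*v))
        return CL_INVALID;
    errno = 0;
    n = strtoull(v, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE; /* does not fit in 64 bits: certainly over any cap */
    if (end[0] != '\0' && !(end[0] == '\r' && end[1] == '\n'))
        return CL_INVALID;   /* trailing junk such as "12abc" */
    if (n > max_body)
        return CL_TOO_LARGE;
    *out = (size_t)n;
    return CL_OK;
}

int main(void)
{
    /* Constructed requests, not captured traffic. */
    const char *ok = "POST /x HTTP/1.1\r\nHost: pbx\r\nContent-Length: 512\r\n\r\n";
    const char *huge = "POST /x HTTP/1.1\r\nContent-Length: 4294967295\r\n\r\n";
    size_t len = 0;

    printf("ok:   %d len=%zu\n", parse_content_length(ok, MAX_BODY_BYTES, &len), len);
    printf("huge: %d\n", parse_content_length(huge, MAX_BODY_BYTES, &len));
    return 0;
}
```

Rejecting before allocation is the point: a server that reserves or waits for Content-Length bytes on every connection lets one client pin memory or worker slots with a header alone, which is the vector the advisory describes.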