Navigation:
Browse pkgsrc
(this page)| 2012-05-04 18:06:14 by Joerg Sonnenberger | Files touched by this commit (11) |
Log message: Don't override optimizer settings with absurd levels. Fix inline definitions to work with C99 compiler. |
2012-04-30 05:19:40 by John Nemeth | Files touched by this commit (2) |  |
Log message: Update to Asterisk 1.6.2.24. This fixes AST-2012-004 and AST-2012-005. The 1.6.2 series went End of Life on April 21st 2012, so this was the last update. This package will be deleted in the not too distnat future. The Asterisk Development Team has announced security releases for Asterisk 1.6.2 , 1.8, and 10. The available security releases are released as versions 1.6.2.24, 1.8.11.1, and 10.3.1. The release of Asterisk 1.6.2.24, 1.8.11.1, and 10.3.1 resolve the following two issues: * A permission escalation vulnerability in Asterisk Manager Interface. This would potentially allow remote authenticated users the ability to execute commands on the system shell with the privileges of the user running the Asterisk application. * A heap overflow vulnerability in the Skinny Channel driver. The keypad button message event failed to check the length of a fixed length buffer before appending a received digit to the end of that buffer. A remote authenticated user could send sufficient keypad button message events that th e buffer would be overrun. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-004, AST-2012-005, and AST-2012-006, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.24 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2012-004.pdf * http://downloads.asterisk.org/pub/security/AST-2012-005.pdf Thank you for your continued support of Asterisk! |
| 2012-04-27 14:32:08 by OBATA Akio | Files touched by this commit (302) |
Log message: Recursive bump from icu shlib major bumped to 49. |
| 2012-03-25 04:59:53 by John Nemeth | Files touched by this commit (2) | |
Log message: Update to 1.6.2.23: This is a security fix update. It fixes AST-2012-002. NOTE NOTE NOTE This is likely to be the last update to this package. This version of Asterisk will be EOLed on April 21st, 2012. It will probably be removed from pkgsrc not long after that. If you are still using this package, you should consider switching to comms/asterisk18, the Long Term Support version, or comms/asterisk10 in the near future. NOTE NOTE NOTE The Asterisk Development Team has announced security releases for Asterisk 1.4, 1.6.2, 1.8, and 10. The available security releases are released as versions 1.4.44, 1.6.2.23, 1.8.10.1, and 10.2.1. The release of Asterisk 1.4.44 and 1.6.2.23 resolve an issue wherein app_milliwatt can potentially overrun a buffer on the stack, causing Asterisk to crash. This does not have the potential for remote code execution. These issues and their resolution are described in the security advisory. For more information about the details of these vulnerabilities, please read the security advisories AST-2012-002 and AST-2012-003, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.23 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2012-002.pdf Thank you for your continued support of Asterisk! |
| 2012-02-16 17:30:04 by Hans Rosenfeld | Files touched by this commit (5) |
Log message: Fix build on SunOS. |
| 2012-01-17 03:12:52 by John Nemeth | Files touched by this commit (3) |
Log message: PR/35369 -- David Wetzel -- add support for speex codec (enabled by default) |
| 2012-01-14 09:30:15 by John Nemeth | Files touched by this commit (2) |
Log message: Update to Asterisk 1.6.2.22: The release of Asterisk 1.6.2.22 corrects two flaws in sip.conf.sample related to AST-2011-013: * The sample file listed *two* values for the 'nat' option as being the default. Only 'yes' is the default. * The warning about having differing 'nat' settings confusingly referred to both peers and users. For a full list of changes in this release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.22 Thank you for your continued support of Asterisk! |
| 2011-12-12 06:05:34 by John Nemeth | Files touched by this commit (3) | |
Log message:
This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes
in the iLBC codec files.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-013
Product Asterisk
Summary Possible remote enumeration of SIP endpoints with
differing NAT settings
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 2011-07-18
Reported By Ben Williams
Posted On
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description It is possible to enumerate SIP usernames when the general
and user/peer NAT settings differ in whether to respond to
the port a request is sent from or the port listed for
responses in the Via header. In 1.4 and 1.6.2, this would
mean if one setting was nat=yes or nat=route and the other
was either nat=no or nat=never. In 1.8 and 10, this would
mean when one was nat=force_rport or nat=yes and the other
was nat=no or nat=comedia.
Resolution Handling NAT for SIP over UDP requires the differing
behavior introduced by these options.
To lessen the frequency of unintended username disclosure,
the default NAT setting was changed to always respond to the
port from which we received the request-the most commonly
used option.
Warnings were added on startup to inform administrators of
the risks of having a SIP peer configured with a different
setting than that of the general setting. The documentation
now strongly suggests that peers are no longer configured
for NAT individually, but through the global setting in the
"general" context.
Affected Versions
Product Release Series
Asterisk Open Source All All versions
Corrected In
As this is more of an issue with SIP over UDP in general, there is no
fix supplied other than documentation on how to avoid the problem. The
default NAT setting has been changed to what we believe the most
commonly used setting for the respective version in Asterisk 1.4.43,
1.6.2.21, and 1.8.7.2.
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-013.pdf and
http://downloads.digium.com/pub/security/AST-2011-013.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-013
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
__________________________________________________________________
Asterisk Project Security Advisory - AST-2011-014
Product Asterisk
Summary Remote crash possibility with SIP and the "automon"
feature enabled
Nature of Advisory Remote crash vulnerability in a feature that is
disabled by default
Susceptibility Remote unauthenticated sessions
Severity Moderate
Exploits Known Yes
Reported On November 2, 2011
Reported By Kristijan Vrban
Posted On 2011-11-03
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson at digium.com>
CVE Name
Description When the "automon" feature is enabled in features.conf, it
is possible to send a sequence of SIP requests that cause
Asterisk to dereference a NULL pointer and crash.
Resolution Applying the referenced patches that check that the pointer
is not NULL before accessing it will resolve the issue. The
"automon" feature can be disabled in features.conf as a
workaround.
Affected Versions
Product Release Series
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Corrected In
Product Release
Asterisk Open Source 1.6.2.21, 1.8.7.2
Patches
Download URL Revision
http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-014.pdf and
http://downloads.digium.com/pub/security/AST-2011-014.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-014
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
|
| 2011-12-05 05:18:32 by John Nemeth | Files touched by this commit (2) |
Log message: Now that -current has sqlite3 included in base, enable it here. |
| 2011-10-11 05:15:50 by John Nemeth | Files touched by this commit (1) |
Log message: Revert previous. This package was marked OWNER= for a reason! |
New packages: