2021-02-28 23:55:55 by John Nemeth | Files touched by this commit (57) | |
Log message:
asterisk14: Delete this package as discussed on pkgsrc-users on Dec. 26th.
|
2021-01-03 10:05:26 by John Nemeth | Files touched by this commit (2) |
Log message:
Disable -march=native default.
|
2020-11-05 10:09:30 by Ryo ONODERA | Files touched by this commit (1814) |
Log message:
*: Recursive revbump from textproc/icu-68.1
|
2020-08-31 20:13:29 by Thomas Klausner | Files touched by this commit (3631) |
Log message:
*: bump PKGREVISION for perl-5.32.
|
2020-08-17 22:20:41 by Leonardo Taccari | Files touched by this commit (2202) |
Log message:
*: revbump after fontconfig bl3 changes (libuuid removal)
|
2020-06-02 10:25:05 by Adam Ciarcinski | Files touched by this commit (1689) |
Log message:
Revbump for icu
|
2020-05-22 12:56:49 by Adam Ciarcinski | Files touched by this commit (624) |
Log message:
revbump after updating security/nettle
|
2020-05-06 16:05:09 by Adam Ciarcinski | Files touched by this commit (591) | |
Log message:
revbump after boost update
|
2020-05-05 19:59:10 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
asterisk14: updated to 14.7.8
asterisk 14.7.8:
* AST-2018-009: Fix crash processing websocket HTTP Upgrade requests
The HTTP request processing in res_http_websocket allocates additional
space on the stack for various headers received during an Upgrade request.
An attacker could send a specially crafted request that causes this code
to overflow the stack, resulting in a crash.
* No longer allocate memory from the stack in a loop to parse the header
values. NOTE: There is a slight API change when using the passed in
strings as is. We now require the passed in strings to no longer have
leading or trailing whitespace. This isn't a problem as the only callers
have already done this before passing the strings to the affected
function.
asterisk 14.7.7:
* AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden. However, if an endpoint is not identified then a 401
unauthorized response is sent. This vulnerability just discloses which
requests hit a defined endpoint. The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.
* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified. The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.
asterisk 14.7.6:
* AST-2018-003: Crash with an invalid SDP fmtp attribute
pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
Because of this Asterisk would crash if given an SDP with an invalid fmtp
attribute.
When retrieving the format this patch now makes sure the fmtp attribute is
available. If not available it now returns an error status.
* AST-2018-002: Crash with an invalid SDP media format description
pjproject's media format parsing algorithm failed to catch invalid values.
Because of this Asterisk would crash if given an SDP with a invalid media
format description.
When parsing the media format description this patch now properly parses the
value and returns an error status if it can't successfully parse/convert the
value.
* AST-2018-005: res_pjsip_transport_management: Move to core
Since res_pjsip_transport_management provides several attack
mitigation features, its functionality moved to res_pjsip and
this module has been removed. This way the features will always
be available if res_pjsip is loaded.
* AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)
pjsip_distributor:
authenticate() creates a tdata and uses it to send a challenge or
failure response. When pjsip_endpt_send_response2() succeeds, it
automatically decrements the tdata ref count but when it fails, it
doesn't. Since we weren't checking for a return status, we weren't
decrementing the count ourselves on error and were therefore leaking
tdatas.
res_pjsip_session:
session_reinvite_on_rx_request wasn't decrementing the ref count
if an error happened while sending a 491 response.
pre_session_setup wasn't decrementing the ref count if
while sending an error after a pjsip_inv_verify_request failure.
res_pjsip:
ast_sip_send_response wasn't decrementing the ref count on error.
* AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request
It was discovered that there are some corner cases where a pjsip tsx
might have no last_tx so calling ast_sip_failover_request with
a NULL last_tx as its tdata would cause a crash.
* AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
When receiving a SUBSCRIBE request the Accept headers from it are
stored locally. This operation has a fixed limit of 32 Accept headers
but this limit was not enforced. As a result it was possible for
memory outside of the allocated space to get written to resulting
in a crash.
This change enforces the limit so only 32 Accept headers are
processed.
|
2020-04-12 10:29:21 by Adam Ciarcinski | Files touched by this commit (956) | |
Log message:
Recursive revision bump after textproc/icu update
|