Path to this page:
Subject: CVS commit: pkgsrc/comms/asterisk
From: John Nemeth
Date: 2016-02-07 09:18:43
Message id: 20160207081843.90A46FBB7@cvs.NetBSD.org
Log Message:
Update to Asterisk 11.21.1: this is mainly a bug patch update plus
fixes for AST-2016-001, AST-2016-002, and AST-2016-003. Also some
pkglinting.
----- 11.21.1
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.
The release of these versions resolves the following security vulnerabilities:
* AST-2016-001: BEAST vulnerability in HTTP server
The Asterisk HTTP server currently has a default configuration which allows
the BEAST vulnerability to be exploited if the TLS functionality is enabled.
This can allow a man-in-the-middle attack to decrypt data passing through it.
* AST-2016-002: File descriptor exhaustion in chan_sip
Setting the sip.conf timert1 value to a value higher than 1245 can cause an
integer overflow and result in large retransmit timeout times. These large
timeout values hold system file descriptors hostage and can cause the system
to run out of file descriptors.
* AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data.
If no UDPTL packets are lost there is no problem. However, a lost packet
causes Asterisk to use the available error correcting redundancy packets. If
those redundancy packets have zero length then Asterisk uses an uninitialized
buffer pointer and length value which can cause invalid memory accesses later
when the packet is copied.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2016-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-003.pdf
Thank you for your continued support of Asterisk!
----- 11.21.0
The Asterisk Development Team has announced the release of Asterisk 11.21.0.
The release of Asterisk 11.21.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25640 - pbx: Deadlock on features reload and state
change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25364 - [patch]Issue a TCP connection(kernel) and
thread of asterisk is not released (Reported by Hiroaki Komatsu)
* ASTERISK-25569 - app_meetme: Audio quality issues (Reported by
Corey Farrell)
* ASTERISK-25609 - [patch]Asterisk may crash when calling
ast_channel_get_t38_state(c) (Reported by Filip Jenicek)
* ASTERISK-24146 - [patch]No audio on WebRtc caller side when
answer waiting time is more than ~7sec (Reported by Aleksei
Kulakov)
* ASTERISK-25599 - [patch] SLIN Resampling Codec only 80 msec
(Reported by Alexander Traud)
* ASTERISK-25616 - Warning with a Codec Module which supports PLC
with FEC (Reported by Alexander Traud)
* ASTERISK-25610 - Asterisk crash during "sip reload" (Reported by
Dudás József)
* ASTERISK-25498 - Asterisk crashes when negotiating g729 without
that module installed (Reported by Ben Langfeld)
* ASTERISK-25476 - chan_sip loses registrations after a while
(Reported by Michael Keuter)
* ASTERISK-25593 - fastagi: record file closed after sending
result (Reported by Kevin Harwell)
* ASTERISK-25585 - [patch]rasterisk never hits most of main(), but
it's assumed to (Reported by Walter Doekes)
* ASTERISK-25552 - hashtab: Improve NULL tolerance (Reported by
Joshua Colp)
* ASTERISK-25449 - main/sched: Regression introduced by
5c713fdf18f causes erroneous duplicate RTCP messages; other
potential scheduling issues in chan_sip/chan_skinny (Reported by
Matt Jordan)
* ASTERISK-25537 - [patch] format-attribute module: RFC or
internal defaults? (Reported by Alexander Traud)
* ASTERISK-25373 - add documentation for CALLERID(pres) and also
the CONNECTEDLINE and REDIRECTING variants (Reported by Walter
Doekes)
* ASTERISK-25527 - Quirky xmldoc description wrapping (Reported by
Walter Doekes)
* ASTERISK-25434 - Compiler flags not reported in 'core show
settings' despite usage during compilation (Reported by Rusty
Newton)
* ASTERISK-25494 - build: GCC 5.1.x catches some new const, array
bounds and missing paren issues (Reported by George Joseph)
* ASTERISK-7803 - [patch] Update the maximum packetization values
in frame.c (Reported by dea)
* ASTERISK-25461 - Nested dialplan #includes don't work as
expected. (Reported by Richard Mudgett)
* ASTERISK-25455 - Deadlock of PJSIP realtime over
res_config_pgsql (Reported by mdu113)
* ASTERISK-25135 - [patch]RTP Timeout hangup cause code missing
(Reported by Olle Johansson)
* ASTERISK-25400 - Hints broken when "CustomPresence" doesn't
exist in AstDB (Reported by Andrew Nagy)
* ASTERISK-25443 - [patch]IPv6 - Potential issue in via header
parsing (Reported by ffs)
* ASTERISK-25391 - AMI GetConfigJSON returns invalid JSON
(Reported by Bojan NemÄiÄ)
* ASTERISK-25438 - res_rtp_asterisk: ICE role message even when
ICE is not enabled (Reported by Joshua Colp)
Improvements made in this release:
-----------------------------------
* ASTERISK-24718 - [patch]Add inital support of "sanitize" to
configure (Reported by Badalian Vyacheslav)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.0
Thank you for your continued support of Asterisk!
Files: