| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The actual fix as been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The current only user of this buildlink file is asterisk-chan-dongle
(which is yet to be committed).
With further users, comms/asterisk may need to find a version specific
directory as newer versions are imported.
|
|
|
|
This will aid subsequent module builds
|
|
|
|
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
|
|
|
|
Asterisk Project Security Advisory - ASTERISK-2016-009
Product Asterisk
Summary
Nature of Advisory Authentication Bypass
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known No
Reported On October 3, 2016
Reported By Walter Doekes
Posted On
Last Updated On December 8, 2016
Advisory Contact Mmichelson AT digium DOT com
CVE Name
Description The chan_sip channel driver has a liberal definition for
whitespace when attempting to strip the content between a
SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character as
if it were whitespace. This means that headers such as
Contact\x01:
will be seen as a valid Contact header.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In such
a case, a crafty combination of valid and invalid To
headers can cause a proxy to allow an INVITE request into
Asterisk without authentication since it believes the
request is an in-dialog request. However, because of the
bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then this
issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy keeps
track of what dialogs are currently valid), then this issue
does not affect you.
If you use chan_pjsip instead of chan_sip, then this issue
l
does not affect you.
Resolution chan_sip has been patched to only treat spaces and
horizontal tabs as whitespace following a header name. This
allows for Asterisk and authenticating proxies to view
requests the same way
Affected Versions
Product Release
Series
Asterisk Open Source 11.x All Releases
Asterisk Open Source 13.x All Releases
Asterisk Open Source 14.x All Releases
Certified Asterisk 13.8 All Releases
Corrected In
Product Release
Asterisk Open Source 11.25.1, 13.13.1, 14.2.1
Certified Asterisk 11.6-cert16, 13.8-cert4
Patches
SVN URL Revision
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/ASTERISK-2016-009.pdf and
http://downloads.digium.com/pub/security/ASTERISK-2016-009.html
Revision History
Date Editor Revisions Made
November 28, 2016 Mark Michelson Initial writeup
Asterisk Project Security Advisory - ASTERISK-2016-009
Copyright (c) 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
|
|
|
|
The Asterisk Development Team has announced the release of Asterisk 11.25.0.
The release of Asterisk 11.25.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-26503 - app_voicemail: Asterisk crashes when
MailboxExists is used (Reported by Doug Lytle)
* ASTERISK-26480 - [patch] CLI: core set debug: Auto-completes
File not Module (Reported by Alexander Traud)
* ASTERISK-26356 - menuselect: invalid test for GTK2 (Reported by
Tzafrir Cohen)
* ASTERISK-26462 - [patch] app_queue: While using queues with
realtime, setting back to an empty context doesn't stop the exit
key usage (Reported by Leandro Dardini)
* ASTERISK-26457 - [patch] force_rport,auto_comedia: No NAT
detection triggered. (Reported by Alexander Traud)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.25.0
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced the release of Asterisk 11.24.1.
The release of Asterisk 11.24.1 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!
The following is the issue resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-26503 - app_voicemail: Asterisk crashes when
MailboxExists is used (Reported by Doug Lytle)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.24.1
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced the release of Asterisk 11.24.0.
The release of Asterisk 11.24.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-26438 - [patch] chan_sip: auto_force_rport: No NAT = No
Symmetric Response. (Reported by Alexander Traud)
* ASTERISK-18232 - Broken REGISTER sent to IPv4 server when
bindaddr=[::] (Reported by Jacek)
* ASTERISK-26359 - [patch] cdr_mysql: fails to use UTC if so
instructed (Reported by Tzafrir Cohen)
* ASTERISK-19968 - TCP Session-Timers not dropping call (Reported
by Aaron Hamstra)
* ASTERISK-26360 - app_queue: "queue show" output gets "failed to
extend from 240 to 327" msgs. (Reported by Richard Mudgett)
* ASTERISK-26272 - chan_sip: File descriptors leak (UDP sockets)
(Reported by Etienne Lessard)
* ASTERISK-26288 - followme: fails to reset config items to
default values on reload (Reported by Tzafrir Cohen)
* ASTERISK-26282 - AEL: macro-call in Dial application, macro
"lacks 's' extension" (Reported by chris de rock)
* ASTERISK-26226 - pbx: Asterisk crash on AMI action
"ShowDialplan" when there's a circular dependency between
contexts (Reported by Etienne Lessard)
* ASTERISK-26299 - app_queue: Queue application sometimes stops
calling members with Local interface (Reported by Etienne
Lessard)
* ASTERISK-26306 - channel: Hang-up crashes, chan_pjsip not
cleaning up properly (Reported by Alexander Traud)
* ASTERISK-26203 - res_fax: Deadlock when using
FAXOPT(gateway)=yes with Local channels (Reported by Etienne
Lessard)
* ASTERISK-24822 - Deadlock: Fax Gateway framehook creates locking
inversion in T.38 query option with features bridging code
(Reported by David Brillert)
* ASTERISK-22732 - Deadlock potential in res_fax and CCSS with
local channels. (Reported by Richard Mudgett)
* ASTERISK-24841 - ConfBridge: Strange sampling rates chosen when
channels have multiple native formats (Reported by Matt Jordan)
* ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
abelbeck)
* ASTERISK-25706 - pbx: Abort asterisk on features reload
(handle_hint_change) (Reported by Krzysztof Trempala)
* ASTERISK-26233 - pbx: Failure to remove inconsistent extension
names (Reported by Corey Farrell)
* ASTERISK-26267 - ast_register_atexit callbacks should be run on
failed startup. (Reported by Corey Farrell)
* ASTERISK-26265 - Errors ignored from some parts of system
initialization. (Reported by Corey Farrell)
* ASTERISK-25996 - Remove "live_dangerously" requirement on
DB(read) (Reported by Andrew Nagy)
* ASTERISK-26237 - Fax is detected on regular calls. (Reported by
Richard Mudgett)
* ASTERISK-23013 - [patch] Deadlock between 'sip show channels'
command and attended transfer handling (Reported by Ben
Smithurst)
* ASTERISK-26211 - Unit tests: AST_TEST_DEFINE should be used in
conditional code. (Reported by Corey Farrell)
* ASTERISK-26207 - [patch] sRTP: Count a roll-over of the sequence
number even on lost packets. (Reported by Alexander Traud)
* ASTERISK-26038 - 'make install' doesn't seem to install OS/X
init files (Reported by Tzafrir Cohen)
* ASTERISK-26133 - app_queue: Queue members receive multiple calls
(Reported by Richard Miller)
* ASTERISK-26196 - pbx: Time based includes can leak timezone
string (Reported by Corey Farrell)
* ASTERISK-25659 - res_rtp_asterisk: ECDH not negotiated causing
DTLS failure occurred on RTP instance (Reported by Edwin
Vandamme)
* ASTERISK-26046 - [patch] Avoid obsolete warnings on autoconf.
(Reported by Alexander Traud)
* ASTERISK-25289 - Build System does not respect CFLAGS and
CXXFLAGS when building menuselect (Reported by Jeffrey Walton)
* ASTERISK-26119 - [patch] fix: memory leaks, resource leaks, out
of bounds and bugs (Reported by Alexei Gradinari)
* ASTERISK-26179 - chan_sip: Second T.38 request fails (Reported
by Joshua Colp)
* ASTERISK-26157 - Build: Fix errors highlighted by GCC 6.x
(Reported by George Joseph)
Improvements made in this release:
-----------------------------------
* ASTERISK-26220 - Add support for noreturn function attributes.
(Reported by Corey Farrell)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.24.0
Thank you for your continued support of Asterisk!
|
|
|
|
|
|
AST-2016-007. Note that on Oct. 25th, this branch of Asterisk will
switch to security fixes, and one year later it will read end-of-life.
pkgsrc changes:
- don't use gethostbyname_r on NetBSD
- eliminate conflict with new hmac(1) function on NetBSd
----- AST-2016-007
The overlap dialing feature in chan_sip allows chan_sip to report
to a device that the number that has been dialed is incomplete and
more digits are required. If this functionality is used with a
device that has performed username/password authentication RTP
resources are leaked. This occurs because the code fails to release
the old RTP resources before allocating new ones in this scenario.
If all resources are used then RTP port exhaustion will occur and
no RTP sessions are able to be set up.
|
|
|
|
The Asterisk Development Team has announced the release of Asterisk 11.23.0.
The release of Asterisk 11.23.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-26141 - res_fax: fax_v21_session_new leaks reference to
v21_details (Reported by Corey Farrell)
* ASTERISK-26140 - res_rtp_asterisk: gcc 6 caught a
self-comparison (Reported by George Joseph)
* ASTERISK-26138 - chan_unistim: Under FreeBSD, chan_unistim
generates a compile error (Reported by George Joseph)
* ASTERISK-26130 - [patch] WebRTC: Should use latest DTLS version.
(Reported by Alexander Traud)
* ASTERISK-26126 - [patch] leverage 'bindaddr' for TLS in
http.conf (Reported by Alexander Traud)
* ASTERISK-26069 - Asterisk truncates To: header, dropping the
closing '>' (Reported by Vasil Kolev)
* ASTERISK-26097 - [patch] CLI: show maximum file descriptors
(Reported by Alexander Traud)
* ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
against libsrtp-1.5.0 (Reported by Patrick Laimbock)
* ASTERISK-26091 - [patch] ar cru creates warning, instead use ar
cr (Reported by Alexander Traud)
* ASTERISK-26038 - 'make install' doesn't seem to install OS/X
init files (Reported by Tzafrir Cohen)
* ASTERISK-26034 - T.38 passthrough problem behind firewall due to
early nosignal packet (Reported by George Joseph)
* ASTERISK-26030 - call cut because of double Session-Expires
header in re-invite after proxy authentication is required
(Reported by George Joseph)
* ASTERISK-26008 - app_followme does not delete recorded name
prompt (Reported by Tzafrir Cohen)
* ASTERISK-24463 - Voicemail email address corrupt or not sent
when message is in the process of being recorded during reload
(Reported by John Campbell)
* ASTERISK-25917 - [patch]app_voicemail: passwordlocation=spooldir
only works if you manually add secret.conf yourself (Reported by
Jonathan R. Rose)
* ASTERISK-25954 - Manager QueueSummary and QueueStatus Actions
are case sensitive to QueueName (Reported by Javier Acosta)
* ASTERISK-16115 - [patch] problem with ringinuse=no, queue
members receive sometimes two calls (Reported by nik600)
* ASTERISK-25934 - chan_sip should not require sipregs or
updateable sippeers table unless rt (Reported by Jaco Kroon)
* ASTERISK-25888 - Frequent segfaults in function can_ring_entry()
of app_queue.c (Reported by Sébastien Couture)
* ASTERISK-25874 - app_voicemail: Stack buffer overflow in
test_voicemail_notify_endl (Reported by Badalian Vyacheslav)
* ASTERISK-25912 - chan_local passes AST_CONTROL_PVT_CAUSE_CODE
without adding them to the local hangupcauses via
ast_channel_hangupcause_hash_set (Reported by Jaco Kroon)
* ASTERISK-25407 - Asterisk fails to log to multiple syslog
destinations (Reported by Elazar Broad)
* ASTERISK-25510 - [patch]Log to syslog failing (Reported by
Michael Newton)
Improvements made in this release:
-----------------------------------
* ASTERISK-25444 - [patch]Music On Hold Warning misleading
(Reported by Conrad de Wet)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.23.0
Thank you for your continued support of Asterisk!
|
|
|
|
|
|
original manifest.xml file and the output from "svccfg export".
|
|
----- 11.22.0
The Asterisk Development Team has announced the release of Asterisk 11.22.0.
The release of Asterisk 11.22.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25857 - func_aes: incorrect use of strlen() leads to
data corruption (Reported by Gianluca Merlo)
* ASTERISK-25321 - [patch]DeadLock ChanSpy with call over Local
channel (Reported by Filip Frank)
* ASTERISK-25800 - [patch] Calculate talktime when is first call
answered (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25272 - [patch]The ICONV dialplan function sometimes
returns garbage (Reported by Etienne Lessard)
* ASTERISK-20987 - non-admin users, who join muted conference are
not being muted (Reported by hristo)
* ASTERISK-24972 - Transport Layer Security (TLS) Protocol BEAST
Vulnerability - Investigate vulnerability of HTTP server
(Reported by Alex A. Welzl)
* ASTERISK-25603 - [patch]udptl: Uninitialized lengths and bufs in
udptl_rx_packet cause ast_frdup crash (Reported by Walter
Doekes)
* ASTERISK-25742 - Secondary IFP Packets can result in accessing
uninitialized pointers and a crash (Reported by Torrey Searle)
* ASTERISK-25397 - [patch]chan_sip: File descriptor leak with
non-default timert1 (Reported by Alexander Traud)
* ASTERISK-25730 - build: make uninstall after make distclean
tries to remove root (Reported by George Joseph)
* ASTERISK-25722 - ASAN & testsute: stack-buffer-overflow in
sip_sipredirect (Reported by Badalian Vyacheslav)
* ASTERISK-25714 - ASAN:heap-buffer-overflow in logger.c (Reported
by Badalian Vyacheslav)
* ASTERISK-24801 - ASAN: ast_el_read_char stack-buffer-overflow
(Reported by Badalian Vyacheslav)
* ASTERISK-25701 - core: Endless loop in "core show
taskprocessors" (Reported by ibercom)
* ASTERISK-25700 - main/config: Clean config maps on shutdown.
(Reported by Corey Farrell)
* ASTERISK-25690 - Hanging up when executing connected line sub
does not cause hangup (Reported by Joshua Colp)
* ASTERISK-25687 - res_musiconhold: Concurrent invocations of 'moh
reload' cause a crash (Reported by Sean Bright)
* ASTERISK-25394 - pbx: Incorrect device and presence state when
changing hint details (Reported by Joshua Colp)
* ASTERISK-25640 - pbx: Deadlock on features reload and state
change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25681 - devicestate: Engine thread is not shut down
(Reported by Corey Farrell)
* ASTERISK-25680 - manager: manager_channelvars is not cleaned at
shutdown (Reported by Corey Farrell)
* ASTERISK-25679 - res_calendar leaks scheduler. (Reported by
Corey Farrell)
* ASTERISK-25677 - pbx_dundi: leaks during failed load. (Reported
by Corey Farrell)
* ASTERISK-25673 - res_crypto leaks CLI entries (Reported by Corey
Farrell)
* ASTERISK-25647 - bug of cel_radius.c: wrong point of
ADD_VENDOR_CODE (Reported by Aaron An)
* ASTERISK-25614 - DTLS negotiation delays (Reported by Dade
Brandon)
* ASTERISK-25442 - using realtime (mysql) queue members are never
updated in wait_our_turn function (app_queue.c) (Reported by
Carlos Oliva)
* ASTERISK-25624 - AMI Event OriginateResponse bug (Reported by
sungtae kim)
Improvements made in this release:
-----------------------------------
* ASTERISK-24813 - asterisk.c: #if statement in listener()
confuses code folding editors (Reported by Corey Farrell)
* ASTERISK-25767 - [patch] Add check to configure for sanitizes
(Reported by Badalian Vyacheslav)
* ASTERISK-25068 - Move commonly used FreePBX extra sounds to the
core set (Reported by Rusty Newton)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.22.0
Thank you for your continued support of Asterisk!
----- 11.21.2
The Asterisk Development Team has announced the release of Asterisk 11.21.2.
The release of Asterisk 11.21.2 resolves an issue reported by the
community and would have not been possible without your participation.
Thank you!
The following is the issue resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25770 - Check for OpenSSL defines before trying to use
them. (Reported by Kevin Harwell)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.2
Thank you for your continued support of Asterisk!
|
|
|
|
|
|
|
|
fixes for AST-2016-001, AST-2016-002, and AST-2016-003. Also some
pkglinting.
----- 11.21.1
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and 13.1 and Asterisk 11 and 13. The available security releases
are released as versions 11.6-cert12, 11.21.1, 13.1-cert3, and 13.7.1.
The release of these versions resolves the following security vulnerabilities:
* AST-2016-001: BEAST vulnerability in HTTP server
The Asterisk HTTP server currently has a default configuration which allows
the BEAST vulnerability to be exploited if the TLS functionality is enabled.
This can allow a man-in-the-middle attack to decrypt data passing through it.
* AST-2016-002: File descriptor exhaustion in chan_sip
Setting the sip.conf timert1 value to a value higher than 1245 can cause an
integer overflow and result in large retransmit timeout times. These large
timeout values hold system file descriptors hostage and can cause the system
to run out of file descriptors.
* AST-2016-003: Remote crash vulnerability receiving UDPTL FAX data.
If no UDPTL packets are lost there is no problem. However, a lost packet
causes Asterisk to use the available error correcting redundancy packets. If
those redundancy packets have zero length then Asterisk uses an uninitialized
buffer pointer and length value which can cause invalid memory accesses later
when the packet is copied.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.21.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2016-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2016-003.pdf
Thank you for your continued support of Asterisk!
----- 11.21.0
The Asterisk Development Team has announced the release of Asterisk 11.21.0.
The release of Asterisk 11.21.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25640 - pbx: Deadlock on features reload and state
change hint. (Reported by Krzysztof Trempala)
* ASTERISK-25364 - [patch]Issue a TCP connection(kernel) and
thread of asterisk is not released (Reported by Hiroaki Komatsu)
* ASTERISK-25569 - app_meetme: Audio quality issues (Reported by
Corey Farrell)
* ASTERISK-25609 - [patch]Asterisk may crash when calling
ast_channel_get_t38_state(c) (Reported by Filip Jenicek)
* ASTERISK-24146 - [patch]No audio on WebRtc caller side when
answer waiting time is more than ~7sec (Reported by Aleksei
Kulakov)
* ASTERISK-25599 - [patch] SLIN Resampling Codec only 80 msec
(Reported by Alexander Traud)
* ASTERISK-25616 - Warning with a Codec Module which supports PLC
with FEC (Reported by Alexander Traud)
* ASTERISK-25610 - Asterisk crash during "sip reload" (Reported by
Dudás József)
* ASTERISK-25498 - Asterisk crashes when negotiating g729 without
that module installed (Reported by Ben Langfeld)
* ASTERISK-25476 - chan_sip loses registrations after a while
(Reported by Michael Keuter)
* ASTERISK-25593 - fastagi: record file closed after sending
result (Reported by Kevin Harwell)
* ASTERISK-25585 - [patch]rasterisk never hits most of main(), but
it's assumed to (Reported by Walter Doekes)
* ASTERISK-25552 - hashtab: Improve NULL tolerance (Reported by
Joshua Colp)
* ASTERISK-25449 - main/sched: Regression introduced by
5c713fdf18f causes erroneous duplicate RTCP messages; other
potential scheduling issues in chan_sip/chan_skinny (Reported by
Matt Jordan)
* ASTERISK-25537 - [patch] format-attribute module: RFC or
internal defaults? (Reported by Alexander Traud)
* ASTERISK-25373 - add documentation for CALLERID(pres) and also
the CONNECTEDLINE and REDIRECTING variants (Reported by Walter
Doekes)
* ASTERISK-25527 - Quirky xmldoc description wrapping (Reported by
Walter Doekes)
* ASTERISK-25434 - Compiler flags not reported in 'core show
settings' despite usage during compilation (Reported by Rusty
Newton)
* ASTERISK-25494 - build: GCC 5.1.x catches some new const, array
bounds and missing paren issues (Reported by George Joseph)
* ASTERISK-7803 - [patch] Update the maximum packetization values
in frame.c (Reported by dea)
* ASTERISK-25461 - Nested dialplan #includes don't work as
expected. (Reported by Richard Mudgett)
* ASTERISK-25455 - Deadlock of PJSIP realtime over
res_config_pgsql (Reported by mdu113)
* ASTERISK-25135 - [patch]RTP Timeout hangup cause code missing
(Reported by Olle Johansson)
* ASTERISK-25400 - Hints broken when "CustomPresence" doesn't
exist in AstDB (Reported by Andrew Nagy)
* ASTERISK-25443 - [patch]IPv6 - Potential issue in via header
parsing (Reported by ffs)
* ASTERISK-25391 - AMI GetConfigJSON returns invalid JSON
(Reported by Bojan Nemčić)
* ASTERISK-25438 - res_rtp_asterisk: ICE role message even when
ICE is not enabled (Reported by Joshua Colp)
Improvements made in this release:
-----------------------------------
* ASTERISK-24718 - [patch]Add inital support of "sanitize" to
configure (Reported by Badalian Vyacheslav)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.21.0
Thank you for your continued support of Asterisk!
|
|
|
|
Existing SHA1 digests verified, all found to be the same on the
machine holding the existing distfiles (morden). Existing SHA1
digests retained for now as an audit trail.
|
|
|
|
|
|
|
|
pkgsrc changes:
- from joerg@
- srtp support
- new asterisk-config option to control installing of sample config files
- manifest.xml for Solaris' SMF
- various bugfixes, some reworked by myself
- backport kqueue timer update from Asterisk 13
-----
The Asterisk Development Team has announced the release of Asterisk 11.20.0.
The release of Asterisk 11.20.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25449 - main/sched: Regression introduced by
5c713fdf18f causes erroneous duplicate RTCP messages; other
potential scheduling issues in chan_sip/chan_skinny (Reported by
Matt Jordan)
* ASTERISK-25438 - res_rtp_asterisk: ICE role message even when
ICE is not enabled (Reported by Joshua Colp)
* ASTERISK-25427 - Callerid change does not always emit
NewCallerid AMI event (Reported by Ivan Poddubny)
* ASTERISK-25407 - Asterisk fails to log to multiple syslog
destinations (Reported by Elazar Broad)
* ASTERISK-25410 - app_record: RECORDED_FILE variable not being
populated (Reported by Kevin Harwell)
* ASTERISK-25394 - pbx: Incorrect device and presence state when
changing hint details (Reported by Joshua Colp)
* ASTERISK-25396 - chan_sip: Extremely long callerid name causes
invalid SIP (Reported by Walter Doekes)
* ASTERISK-25353 - [patch] Transcoding while different in Frame
size = Frames lost (Reported by Alexander Traud)
* ASTERISK-25227 - No audio at in-band announcements in ooh323
channel (Reported by Alexandr Dranchuk)
* ASTERISK-25346 - chan_sip: Overwriting answered elsewhere hangup
cause on call pickup (Reported by Joshua Colp)
* ASTERISK-25215 - Differences in queue.log between Set
QUEUE_MEMBER and using PauseQueueMember (Reported by Lorne
Gaetz)
* ASTERISK-25320 - chan_sip.c: sip_report_security_event searches
for wrong or non existent peer on invite (Reported by Kevin
Harwell)
* ASTERISK-25315 - DAHDI channels send shortened duration DTMF
tones. (Reported by Richard Mudgett)
* ASTERISK-25312 - res_http_websocket: Terminate connection on
fatal cases (Reported by Joshua Colp)
* ASTERISK-25265 - [patch]DTLS Failure when calling WebRTC-peer on
Firefox 39 - add ECDH support and fallback to prime256v1
(Reported by Stefan Engström)
Improvements made in this release:
-----------------------------------
* ASTERISK-25310 - [patch]on FreeBSD also pthread_attr_init()
defaults to PTHREAD_EXPLICIT_SCHED (Reported by Guido Falsi)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.20.0
Thank you for your continued support of Asterisk!
|
|
|
|
might incur ncurses dependencies on some platforms, and ncurses just bumped
its shlib.
Some packages were bumped twice now, sorry for that.
|
|
|
|
minor features
pkgsrc changes:
- new version of core sounds
- add options for SNMP and PostgreSQL from Mike Bowie in PR/49661
and by popular demand
- add back support for menuselect personalization as that's how I was
doing menuselect non-interactively
- XXX need to look at a better way of doing this
- disable PJSIP for now as it doesn't work well on NetBSD from Mike Bowie
Since I added an option for PostgreSQL I also looked at adding an
option for directly using MySQL. Turns out that all the MySQL
modules are in the addons directory and are marked as being
deprecated. So I didn't bother. While investigating this, I also
noted that all the pgsql modules are marked as "extended" support.
This basically means that it is supported by the community, but
there is no one person listed as being responsible who would take
the lead for maintaining them. This basically means that they are
unsupported / low priority. See
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Module+Support+States .
Also with the pgsql modules, there is no way to do a database query
from the dialplan. Thus it is recommended to use the unixodbc
option as the modules are supported and offer the most functionality.
-----
The Asterisk Development Team has announced the release of Asterisk 11.19.0.
The release of Asterisk 11.19.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25250 - chan_sip - Despite the channel being answered,
caller on a call established via Local channel continues to hear
ringback (Reported by Etienne Lessard)
* ASTERISK-25247 - choppy audio when spying on a g722 channel,
chan_sip or chan_pjsip (Reported by hristo)
* ASTERISK-24853 - Documentation claims chan_sip outbound
registrations support WS or WSS as valid transports (not true)
(Reported by PSDK)
* ASTERISK-25257 - [patch]channels/sig_pri.h -> sig_pri_span ->
force_restart_unavailable_chans in wrong scope (Reported by
Patric Marschall)
* ASTERISK-25103 - Roundup - investigate Asterisk DTLS crashes
(Reported by Rusty Newton)
* ASTERISK-22805 - res_rtp_asterisk: Crash when calling
BIO_ctrl_pending in dtls_srtp_check_pending when dialed by JSSIP
(Reported by Dmitry Burilov)
* ASTERISK-24550 - res_rtp_asterisk: Crash in
ast_rtp_on_ice_complete during DTLS handshake (Reported by
Osaulenko Alexander)
* ASTERISK-24651 - [patch] Fix race condition in DTLS (Reported by
Badalian Vyacheslav)
* ASTERISK-24832 - [patch]DTLS-crashes within openssl (Reported
by Stefan Engström)
* ASTERISK-25127 - DTLS crashes following "Unable to cancel
schedule ID" in dtls_srtp_check_pending (Reported by Dade
Brandon)
* ASTERISK-25213 - [patch]Possibility of deadlock in chan_sip
INVITE early Replace code (Reported by Walter Doekes)
* ASTERISK-25220 - [patch]Closing of fd -1 in chan_mgcp.c
(Reported by Walter Doekes)
* ASTERISK-25219 - [patch]Source and destination overlap in memcpy
in rtp_engine.c (Reported by Walter Doekes)
* ASTERISK-25212 - [patch]Segfault when using DEBUG_FD_LEAKS
(Reported by Walter Doekes)
* ASTERISK-19277 - [patch]endlessly repeating error: "poll failed:
Bad file descriptor" (Reported by Barry Chern)
* ASTERISK-25202 - Hints extension state broken between 13.3.2 and
13.4 (Reported by cervajs)
* ASTERISK-25154 - [patch]fromtag may need to be updated after
successful call dialog match (Reported by Damian Ivereigh)
* ASTERISK-25139 - Malicious transfer sequence locks up Asterisk
(Reported by Gregory Massel)
* ASTERISK-25094 - PBX core: Investigate thread safety issues
(Reported by Corey Farrell)
* ASTERISK-22559 - gcc 4.6 and higher supports weakref attribute
but asterisk doesn't detect it. (Reported by ibercom)
* ASTERISK-24717 - ASAN: global-buffer-overflow codec_{ilbc | gsm
| adpcm | ipc10} (Reported by Badalian Vyacheslav)
* ASTERISK-25100 - asterisk coredump if host has an IPv6 address
that end with ::80 (Reported by Mark Petersen)
Improvements made in this release:
-----------------------------------
* ASTERISK-25040 - pbx: Improve performance of reloads by making
hint destruction more performant (Reported by Matt Jordan)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.19.0
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced the release of Asterisk 11.18.0.
The release of Asterisk 11.18.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-25112 - Logger: Configuration settings are not reset to
default during reload. (Reported by Corey Farrell)
* ASTERISK-24887 - [patch]tags in a=crypto lines do not accept 2
or more digits (Reported by Makoto Dei)
* ASTERISK-24944 - main/audiohook.c change prevents G722 call
recording (Reported by Ronald Raikes)
* ASTERISK-25083 - Message.c: Message channel becomes saturated
with frames leading to spammy log messages (Reported by Jonathan
Rose)
* ASTERISK-25041 - [patch]Broken column type checking in
res_config_mysql addon (Reported by Alexandre Fournier)
* ASTERISK-21893 - Segfault after call hangup, in
ast_channel_hangupcause_set, at channel_internal_api.c (Reported
by Alexandr Gordeev)
* ASTERISK-25074 - Regression: Recent clang-related change broke
cross compiling of Asterisk (Reported by Sebastian Kemper)
* ASTERISK-25042 - asterisk.conf options override command-line
options. (Reported by Corey Farrell)
* ASTERISK-24442 - Outgoing call files don't work properly when
set in the future (Reported by tootai)
* ASTERISK-25034 - chan_dahdi: Some telco switches occasionally
ignore ISDN RESTART requests. (Reported by Richard Mudgett)
* ASTERISK-25038 - Queue log "EXITWITHTIMEOUT" does not always
contain waiting time (Reported by Etienne Lessard)
* ASTERISK-22708 - res_odbc.conf negative_connection_cache option
not respected, failover between DSNs doesn't work (Reported by
JoshE)
* ASTERISK-25028 - Build System: Unneeded defines in
asterisk/buildopts.h (Reported by Corey Farrell)
* ASTERISK-19608 - Asterisk-1.8.x starts rejecting calls with
cause code 44 after some time. (Reported by Denis Alberto
Martinez)
* ASTERISK-24976 - cdr_odbc not include new columns added on 1.8
(Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-25022 - Memory leak setting up DTLS/SRTP calls
(Reported by Steve Davies)
* ASTERISK-22790 - check_modem_rate() may return incorrect rate
for V.27 (Reported by not here)
* ASTERISK-23231 - Since 405693 If we have res_fax.conf file set
to minrate=2400, then res_fax refuse to load (Reported by David
Brillert)
* ASTERISK-24955 - res_fax: v.27ter support baud rate of 2400,
which is disallowed in res_fax's check_modem_rate (Reported by
Matt Jordan)
* ASTERISK-24916 - Increasing memory usage when multiple reinvite
during call (Reported by Christophe Osuna)
* ASTERISK-19538 - Asterisk segfaults on sippeers realtime
redundancy (Reported by Alex)
* ASTERISK-24749 - ConfBridge: Wrong language on playing
conf-hasjoin and conf-hasleft when played to bridge (Reported by
Philippe Bolduc)
* ASTERISK-24991 - Check for ao2_alloc failure in
__ast_channel_internal_alloc (Reported by Corey Farrell)
* ASTERISK-24895 - After hangup on the side of the ISDN network no
HangupRequest event comes for the dahdi channel. (Reported by
Andrew Zherdin)
* ASTERISK-24774 - Segfault in ast_context_destroy with
extensions.ael and extensions.conf (Reported by Corey Farrell)
* ASTERISK-24975 - Enabling 'DEBUG_THREADLOCALS' Causes the Build
to Fail (Reported by Ashley Sanders)
* ASTERISK-24959 - [patch]CLI command cdr show pgsql status
(Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-24954 - Git migration: Asterisk version numbers are
incompatible with the Test Suite (Reported by Matt Jordan)
* ASTERISK-21777 - Asterisk tries to transcode video instead of
audio (Reported by Nick Ruggles)
* ASTERISK-24380 - core: Native formats are set to h264 with
certain audio/video codec configuration, resulting in path
translation WARNINGs (Reported by Matt Jordan)
* ASTERISK-22352 - [patch] IAX2 custom qualify timer is not taken
into account (Reported by Frederic Van Espen)
* ASTERISK-24894 - [patch] iax2_poke_noanswer expiration timer too
short (Reported by Y Ateya)
* ASTERISK-23319 - Segmentation fault in queue_exec at app_queue.c
(Reported by Vadim)
* ASTERISK-24847 - [security] [patch] tcptls: certificate CN NULL
byte prefix bug (Reported by Matt Jordan)
* ASTERISK-21211 - chan_iax2 - unprotected access of
iaxs[peer->callno] potentially results in segfault (Reported by
Jaco Kroon)
* ASTERISK-18032 - [patch] - IPv6 and IPv4 NAT not working
(Reported by Christoph Timm)
* ASTERISK-24942 - Voicemail API: message is deleted when
destination mailbox is at maxmsg (Reported by Scott Griepentrog)
* ASTERISK-24932 - Asterisk 13.x does not build with GCC 5.0
(Reported by Jeffrey C. Ollie)
* ASTERISK-21854 - Long Asterisk-version strings display
improperly in the 'Connected to ...' line upon remote console
connection (Reported by klaus3000)
* ASTERISK-24155 - [patch]Non-portable and non-reliable recursion
detection in ast_malloc (Reported by Timo Teräs)
* ASTERISK-24142 - CCSS: crash during shutdown due to device
lookup in destroyed container (Reported by David Brillert)
* ASTERISK-24683 - Crash in PBX ast_hashtab_lookup_internal during
core restart now (Reported by Peter Katzmann)
* ASTERISK-24805 - [patch] - ASAN: Race condition
(heap-use-after-free) on asterisk closing (Reported by Badalian
Vyacheslav)
* ASTERISK-24881 - ast_register_atexit should only be used when
absolutely needed (Reported by Corey Farrell)
* ASTERISK-24864 - app_confbridge: file playback blocks dtmf
(Reported by Kevin Harwell)
* ASTERISK-14233 - [patch] Buddies are always auto-registered when
processing the roster (Reported by Simon Arlott)
* ASTERISK-24780 - [patch] - Buddies are always auto-registered
when processing the roster (Reported by Simon Arlott)
Improvements made in this release:
-----------------------------------
* ASTERISK-24744 - Swedish Core Voice prompts (Reported by Tove
Hjelm)
* ASTERISK-25043 - [patch] Avoiding ERR_remove_state in OpenSSL
(Reported by Alexander Traud)
* ASTERISK-24917 - [patch] clang compilation warnings (Reported by
Diederik de Groot)
* ASTERISK-25040 - pbx: Improve performance of reloads by making
hint destruction more performant (Reported by Matt Jordan)
* ASTERISK-24965 - cel_pgsql - log_error string references CDR
instead of CEL (Reported by Rodrigo Ramirez Norambuena)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.18.0
Thank you for your continued support of Asterisk!
|
|
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.
|
|
pkgsrc changes:
- adapt to upstream support for clang
- more comprehensive sweep for 64-bit time_t related stuff
- XXX pjsip has its own time related stuff that is 32-bit only
-----
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.
The release of these versions resolves the following security vulnerability:
* AST-2015-003: TLS Certificate Common name NULL byte exploit
When Asterisk registers to a SIP TLS device and and verifies the server,
Asterisk will accept signed certificates that match a common name other than
the one Asterisk is expecting if the signed certificate has a common name
containing a null byte after the portion of the common name that Asterisk
expected. This potentially allows for a man in the middle attack.
For more information about the details of this vulnerability, please read
security advisory AST-2015-003, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced the release of Asterisk 11.17.0.
The release of Asterisk 11.17.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
New Features made in this release:
-----------------------------------
* ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
(Reported by Dwayne Hubbard)
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
res_odbc (Reported by ibercom)
* ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
with replaces (Reported by Eelco Brolman)
* ASTERISK-24479 - Enable REF_DEBUG for module references
(Reported by Corey Farrell)
* ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
fully disconnect underlying socket, leading to events being
dropped with no additional information (Reported by Matt Jordan)
* ASTERISK-24772 - ODBC error in realtime sippeers when device
unregisters under MariaDB (Reported by Richard Miller)
* ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
(Reported by Corey Farrell)
* ASTERISK-24799 - [patch] make fails with undefined reference to
SSLv3_client_method (Reported by Alexander Traud)
* ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
for playing back messages stored in IMAP - play_message: No
origtime (Reported by Graham Barnett)
* ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
OSX with 64 bit integers (Reported by Corey Farrell)
* ASTERISK-24796 - Codecs and bucket schema's prevent module
unload (Reported by Corey Farrell)
* ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
(Reported by Ashley Sanders)
* ASTERISK-24797 - bridge_softmix: G.729 codec license held
(Reported by Kevin Harwell)
* ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
thread ID being passed to pthread_kill (Reported by JoshE)
* ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
fail (Reported by Terry Wilson)
* ASTERISK-23214 - chan_sip WARNING message 'We are requesting
SRTP for audio, but they responded without it' is ambiguous and
wrong in some cases (Reported by Rusty Newton)
* ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
error response and BYE are sent to the caller (Reported by
Makoto Dei)
* ASTERISK-18105 - most of asterisk modules are unbuildable in
cygwin environment (Reported by feyfre)
* ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
* ASTERISK-24838 - chan_sip: Locking inversion occurs when
building a peer causes a peer poke during request handling
(Reported by Richard Mudgett)
* ASTERISK-24825 - Caller ID not recognized using
Centrex/Distinctive dialing (Reported by Richard Mudgett)
* ASTERISK-24739 - [patch] - Out of files -- call fails --
numerous files with inodes from under /usr/share/zoneinfo,
mostly posixrules (Reported by Ed Hynan)
* ASTERISK-23390 - NewExten Event with application AGI shows up
before and after AGI runs (Reported by Benjamin Keith Ford)
* ASTERISK-24786 - [patch] - Asterisk terminates when playing a
voicemail stored in LDAP (Reported by Graham Barnett)
* ASTERISK-24808 - res_config_odbc: Improper escaping of
backslashes occurs with MySQL (Reported by Javier Acosta)
* ASTERISK-20850 - [patch]Nested functions aren't portable.
Adapting RAII_VAR to use clang/llvm blocks to get the
same/similar functionality. (Reported by Diederik de Groot)
* ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
by Frank DiGennaro)
* ASTERISK-21038 - Bad command completion of "core set debug
channel" (Reported by Richard Kenner)
* ASTERISK-18708 - func_curl hangs channel under load (Reported by
Dave Cabot)
* ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
Atis Lezdins)
* ASTERISK-24876 - Investigate reference leaks from
tests/channels/local/local_optimize_away (Reported by Corey
Farrell)
* ASTERISK-24817 - init_logger_chain: unreachable code block
(Reported by Corey Farrell)
* ASTERISK-24880 - [patch]Compilation under OpenBSD (Reported by
snuffy)
* ASTERISK-24879 - [patch]Compilation fails due to 64bit time
under OpenBSD (Reported by snuffy)
Improvements made in this release:
-----------------------------------
* ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
Couldn't find mailbox %s in context (Reported by Graham Barnett)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0
Thank you for your continued support of Asterisk!
-----
The Asterisk Development Team has announced the release of Asterisk 11.16.0.
The release of Asterisk 11.16.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-24472 - Asterisk Crash in OpenSSL when calling over WSS
from JSSIP (Reported by Badalian Vyacheslav)
* ASTERISK-24614 - Deadlock when DEBUG_THREADS compiler flag
enabled (Reported by Richard Mudgett)
* ASTERISK-24449 - Reinvite for T.38 UDPTL fails if SRTP is
enabled (Reported by Andreas Steinmetz)
* ASTERISK-24619 - [patch]Gcc 4.10 fixes in r413589 (1.8) wrongly
casts char to unsigned int (Reported by Walter Doekes)
* ASTERISK-24337 - Spammy DEBUG message needs to be at a higher
level - 'Remote address is null, most likely RTP has been
stopped' (Reported by Rusty Newton)
* ASTERISK-23733 - 'reload acl' fails if acl.conf is not present
on startup (Reported by Richard Kenner)
* ASTERISK-24628 - [patch] chan_sip - CANCEL is sent to wrong
destination when 'sendrpid=yes' (in proxy environment) (Reported
by Karsten Wemheuer)
* ASTERISK-24672 - [PATCH] Memory leak in func_curl CURLOPT
(Reported by Kristian Høgh)
* ASTERISK-20744 - [patch] Security event logging does not work
over syslog (Reported by Michael Keuter)
* ASTERISK-23850 - Park Application does not respect Return
Context Priority (Reported by Andrew Nagy)
* ASTERISK-23991 - [patch]asterisk.pc file contains a small error
in the CFlags returned (Reported by Diederik de Groot)
* ASTERISK-24288 - [patch] - ODBC usage with app_voicemail -
voicemail is not deleted after review, hangup (Reported by LEI
FU)
* ASTERISK-24048 - [patch] contrib/scripts/install_prereq selects
32-bit packages on 64-bit hosts (Reported by Ben Klang)
* ASTERISK-24709 - [patch] msg_create_from_file used by MixMonitor
m() option does not queue an MWI event (Reported by Gareth
Palmer)
* ASTERISK-24355 - [patch] chan_sip realtime uses case sensitive
column comparison for 'defaultuser' (Reported by
HZMI8gkCvPpom0tM)
* ASTERISK-24719 - ConfBridge recording channels get stuck when
recording started/stopped more than once (Reported by Richard
Mudgett)
* ASTERISK-24715 - chan_sip: stale nonce causes failure (Reported
by Kevin Harwell)
* ASTERISK-24728 - tcptls: Bad file descriptor error when
reloading chan_sip (Reported by Kevin Harwell)
* ASTERISK-24676 - Security Vulnerability: URL request injection
in libCURL (CVE-2014-8150) (Reported by Matt Jordan)
* ASTERISK-24711 - DTLS handshake broken with latest OpenSSL
versions (Reported by Jared Biel)
* ASTERISK-24646 - PJSIP changeset 4899 breaks TLS (Reported by
Stephan Eisvogel)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.16.0
Thank you for your continued support of Asterisk!
|
|
|
|
|
|
|
|
|
|
pkgsrc change: adapt to splitting up of speex
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,
11.15.1, 12.8.1, and 13.1.1.
The release of these versions resolves the following security vulnerabilities:
* AST-2015-001: File descriptor leak when incompatible codecs are offered
Asterisk may be configured to only allow specific audio or
video codecs to be used when communicating with a
particular endpoint. When an endpoint sends an SDP offer
that only lists codecs not allowed by Asterisk, the offer
is rejected. However, in this case, RTP ports that are
allocated in the process are not reclaimed.
This issue only affects the PJSIP channel driver in
Asterisk. Users of the chan_sip channel driver are not
affected.
* AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as well
as its res_config_curl.so (cURL realtime backend) modules.
Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.
For more information about the details of these vulnerabilities, please read
security advisory AST-2015-001 and AST-2015-002, which were released at the same
time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2015-002.pdf
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced the release of Asterisk 11.15.0.
The release of Asterisk 11.15.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
Bugs fixed in this release:
-----------------------------------
* ASTERISK-20127 - [Regression] Config.c config_text_file_load()
unescapes semicolons ("\;" -> ";") turning them into comments
(corruption) on rewrite of a config file (Reported by George
Joseph)
* ASTERISK-24307 - Unintentional memory retention in stringfields
(Reported by Etienne Lessard)
* ASTERISK-24492 - main/file.c: ast_filestream sometimes causes
extra calls to ast_module_unref (Reported by Corey Farrell)
* ASTERISK-24504 - chan_console: Fix reference leaks to pvt
(Reported by Corey Farrell)
* ASTERISK-24468 - Incoming UCS2 encoded SMS truncated if SMS
length exceeds 50 (roughly) national symbols (Reported by
Dmitriy Bubnov)
* ASTERISK-24500 - Regression introduced in chan_mgcp by SVN
revision r227276 (Reported by Xavier Hienne)
* ASTERISK-20402 - Unable to cancel (features.conf) attended
transfer (Reported by Matt Riddell)
* ASTERISK-24505 - manager: http connections leak references
(Reported by Corey Farrell)
* ASTERISK-24502 - Build fails when dev-mode, dont optimize and
coverage are enabled (Reported by Corey Farrell)
* ASTERISK-24444 - PBX: Crash when generating extension for
pattern matching hint (Reported by Leandro Dardini)
* ASTERISK-24522 - ConfBridge: delay occurs between kicking all
endmarked users when last marked user leaves (Reported by Matt
Jordan)
* ASTERISK-15242 - transmit_refer leaks sip_refer structures
(Reported by David Woolley)
* ASTERISK-24440 - Call leak in Confbridge (Reported by Ben Klang)
* ASTERISK-24469 - Security Vulnerability: Mixed IPv4/IPv6 ACLs
allow blocked addresses through (Reported by Matt Jordan)
* ASTERISK-24516 - [patch]Asterisk segfaults when playing back
voicemail under high concurrency with an IMAP backend (Reported
by David Duncan Ross Palmer)
* ASTERISK-24572 - [patch]App_meetme is loaded without its
defaults when the configuration file is missing (Reported by
Nuno Borges)
* ASTERISK-24573 - [patch]Out of sync conversation recording when
divided in multiple recordings (Reported by Nuno Borges)
Improvements made in this release:
-----------------------------------
* ASTERISK-24283 - [patch]Microseconds precision in the eventtime
column in the cel_odbc module (Reported by Etienne Lessard)
* ASTERISK-24530 - [patch] app_record stripping 1/4 second from
recordings (Reported by Ben Smithurst)
* ASTERISK-24577 - Speed up loopback switches by avoiding unneeded
lookups (Reported by Birger "WIMPy" Harzenetter)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.15.0
Thank you for your continued support of Asterisk!
|
|
The Asterisk Development Team has announced security releases for
Certified Asterisk 11.6 and Asterisk 11, 12, and 13. The available
security releases are released as versions 11.6-cert9, 11.14.2,
12.7.2, and 13.0.2.
The release of these versions resolves the following security vulnerability:
* AST-2014-019: Remote Crash Vulnerability in WebSocket Server
When handling a WebSocket frame the res_http_websocket module
dynamically changes the size of the memory used to allow the
provided payload to fit. If a payload length of zero was received
the code would incorrectly attempt to resize to zero. This
operation would succeed and end up freeing the memory but be
treated as a failure. When the session was subsequently torn down
this memory would get freed yet again causing a crash.
For more information about the details of this vulnerability, please read
security advisory AST-2014-019, which was released at the same time as this
announcement.
For a full list of changes in the current releases, please see the Change Logs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
The security advisory is available at:
* http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
Thank you for your continued support of Asterisk!
|
