Age | Commit message (Collapse) | Author | Files | Lines |
|
systems come with LDAP support built-in. This has no effect on
such systems. However, on older systems, it will pull in
openldap-client. But, a builder may still disable the option if
they wish. This fixes:
PR pkg/41987 - Robert Elz -- comms/asterisk16 PLIST problem
|
|
README-SERIOUSLY.bestpractices.txt is the new README from 1.6.1.16
and AST-2010-002.
|
|
with a PKGREVISION bump since this doesn't affect the installed
"binaries" and there have already been two bumps today.
|
|
|
|
voicemail using a browser.
|
|
|
|
|
|
Bump PKGREVISION
OK wiz@
|
|
|
|
This is to get 0.12.5 out with the new Calendar code so J-Pilot
can get their release out. I will be dropping a 0.12.5.1 release
shortly after this with the patches rolled up from 0.12.4 to current
pushed in.
|
|
- mark as destdir ready
XXX The Makefile has a comment saying that "this program" is licensed
under GPL. There is a README file saying that the sounds are licensed
under a BSD licence. Need to check for updates and/or contact upstream
for clarification and a proper licence file.
XXX The PLIST needs some serious TLC.
|
|
|
|
AST-2010-003. AST-2010-002 was just a warning about dialplan
scripting errors that could lead to security issues.
Asterisk 1.6.1.13: general bug fixes
Asterisk 1.6.1.14: fix AST-2010-001
Asterisk 1.6.1.15: not released, skipped for security releases
Asterisk 1.6.1.16: fix AST-2010-002
Asterisk 1.6.1.17: fix AST-2010-003
Note that the only change in Asterisk 1.6.1.16 was the addtion of
a README file. However, the package doesn't install random docs.
That is planned for a future update seperate from the upstream
updates.
-----
Asterisk 1.6.1.13:
The release of Asterisk 1.6.1.13 resolved several issues reported
by the community, and would have not been possible without your
participation. Thank you!
* Restarts busydetector (if enabled) when DTMF is received after
call is bridged
(Closes issue #16389. Reported, Tested, Patched by alecdavis.)
* Send parking lot announcement to the channel which parked the
call, not the park-ee.
(Closes issue #16234. Reported, Tested by yeshuawatso. Patched
by tilghman.)
* When the field is blank, don't warn about the field being unable
to be coerced just skip the column.
(Closes
http://lists.digium.com/pipermail/asterisk-dev/2009-December/041362.html)
Reported by Nic Colledge on the -dev list.)
* Don't queue frames to channels that have no means to process
them.
(Closes issue #15609. Reported, Tested by aragon. Patched by
tilghman.)
* Fixes holdtime playback issue in app_queue.
(Closes issue #16168. Reported, Patched by nickilo. Tested by
wonderg, nickilo.)
A summary of changes in this release can be found in the release
summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.1.13-summary.t
xt
For a full list of changes in this releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.13
-----
Asterisk 1.6.1.14:
The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include
the fix described in security advisory AST-2010-001.
The issue is that an attacker attempting to negotiate T.38 over
SIP can remotely crash Asterisk by modifying the FaxMaxDatagram
field of the SDP to contain either a negative or exceptionally
large value. The same crash will occur when the FaxMaxDatagram
field is omitted from the SDP, as well.
For more information about the details of this vulnerability, please
read the security advisory AST-2009-009, which was released at the
same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14
Security advisory AST-2010-001 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-001.pdf
-----
Asterisk 1.6.1.16:
The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and
1.6.2.4 include documention describing a possible dialplan string
injection with common usage of the ${EXTEN} (and other expansion
variables). The issue and resolution are described in the AST-2010-002
security advisory.
If you have a channel technology which can accept characters other
than numbers and letters (such as SIP) it may be possible to craft
an INVITE which sends data such as 300&Zap/g1/4165551212 which
would create an additional outgoing channel leg that was not
originally intended by the dialplan programmer.
Please note that this is not limited to an specific protocol or
the Dial() application.
The expansion of variables into programmatically-interpreted strings
is a common behavior in many script or script-like languages,
Asterisk included. The ability for a variable to directly replace
components of a command is a feature, not a bug - that is the entire
point of string expansion.
However, it is often the case due to expediency or design
misunderstanding that a developer will not examine and filter string
data from external sources before passing it into potentially
harmful areas of their dialplan.
With the flexibility of the design of Asterisk come these risks if
the dialplan designer is not suitably cautious as to how foreign
data is allowed to enter the system unchecked.
This security release is intended to raise awareness of how it is
possible to insert malicious strings into dialplans, and to advise
developers to read the best practices documents so that they may
easily avoid these dangers.
For more information about the details of this vulnerability, please
read the security advisory AST-2010-002, which was released at the
same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
Security advisory AST-2010-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-002.pdf
The README-SERIOUSLY.bestpractices.txt document is available in
the top-level directory of your Asterisk sources, or available in
all Asterisk branches from 1.2 and up.
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
-----
Asterisk 1.6.1.17:
The releases of Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 resolve
an issue with invalid parsing of ACL (Access Control List) rules
leading to a possible compromise in security. The issue and resolution
are described in the AST-2010-003 security advisory.
For more information about the details of this vulnerability, please
read the security advisory AST-2010-003, which was released at the
same time as this announcement.
For a full list of changes in the current releases, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.17
Security advisory AST-2010-003 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-003.pdf
-----
|
|
|
|
|
|
Adding license
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
makefile scheme.
It's clear nobody'd maintained tn3270 in base for a long, long time.
|
|
|
|
|
|
build except on netbsd-5 and -current, but we can take that as it comes.
|
|
|
|
|
|
|
|
|
|
is just the sources, and they're unchanged from base except that the
rcsids have been preserved. The package will be along shortly.
|
|
- obexapp does not now require GNU libiconv (this was in pkgsrc already)
- compiler errors fixed
- no longer tries to provide username/groupname in file listings (info
not available in chroot)
|
|
|
|
hardcoding.
Note: This effectively adds x86_64 to NOT_FOR_PLATFORM for some packages.
|
|
From Daniel Horecki.
|
|
noticing the problem and seb@ for help with the Makefile contortions.
|
|
fix releases. For more information see:
http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/asterisk-1.6.1.10-summary.html or http://tinyurl.com/yzyr9tt and
http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/asterisk-1.6.1.12-summary.html or http://tinyurl.com/yfxlyjp .
1.6.1.11 fixes AST-2009-010 which allows people to remotely crash the
server. The description of the issue is:
An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.
Commit during freeze approved by wiz@.
|
|
1.2.36 fixed AST-2009-008, and 1.2.37 fixed AST-2009-010. The
problem in AST-2009-008 is:
-----
It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of "403 Authentication user name does not
match account name". If the peer does not exist the response will
be "404 Not Found" if alwaysauthreject is disabled and "401
Unauthorized" if alwaysauthreject is enabled.
-----
And, the problem in AST-2009-010 is:
-----
An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.
-----
|
|
Somewhat more than 11 rooms later... PKG_DESTDIR_SUPPORT
|
|
|
|
Updated from 2.7p1 to 2.7p4 as original distfile no longer available
No changelog available
added PKG_DESTDIR_SUPPORT
|
|
|
|
|
|
This was tested by sending vcards with non-ASCII names; the result
was identical as before with GNU libiconv.
bump PKGREVISION
approved by plunky
|
|
|