From bc913928883dcb2fe988ce077c54a0cd660bed08 Mon Sep 17 00:00:00 2001 From: jnemeth Date: Wed, 3 Dec 2014 01:57:37 +0000 Subject: Update to Asterisk 11.14.1: this is a security fix release. The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1, 11.14.1, 12.7.1, and 13.0.1. The release of these versions resolves the following security vulnerabilities: * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP address families Many modules in Asterisk that service incoming IP traffic have ACL options ("permit" and "deny") that can be used to whitelist or blacklist address ranges. A bug has been discovered where the address family of incoming packets is only compared to the IP address family of the first entry in the list of access control rules. If the source IP address for an incoming packet is not of the same address as the first ACL entry, that packet bypasses all ACL rules. * AST-2014-018: Permission Escalation through DB dialplan function The DB dialplan function when executed from an external protocol, such as AMI, could result in a privilege escalation. Users with a lower class authorization in AMI can access the internal Asterisk database without the required SYSTEM class authorization. In addition, the release of 11.6-cert8 and 11.14.1 resolves the following security vulnerability: * AST-2014-014: High call load with ConfBridge can result in resource exhaustion The ConfBridge application uses an internal bridging API to implement conference bridges. This internal API uses a state model for channels within the conference bridge and transitions between states as different things occur. Unload load it is possible for some state transitions to be delayed causing the channel to transition from being hung up to waiting for media. As the channel has been hung up remotely no further media will arrive and the channel will stay within ConfBridge indefinitely. In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves the following security vulnerability: * AST-2014-017: Permission Escalation via ConfBridge dialplan function and AMI ConfbridgeStartRecord Action The CONFBRIDGE dialplan function when executed from an external protocol (such as AMI) can result in a privilege escalation as certain options within that function can affect the underlying system. Additionally, the AMI ConfbridgeStartRecord action has options that would allow modification of the underlying system, and does not require SYSTEM class authorization in AMI. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf Thank you for your continued support of Asterisk! --- comms/asterisk/Makefile | 4 ++-- comms/asterisk/distinfo | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) (limited to 'comms') diff --git a/comms/asterisk/Makefile b/comms/asterisk/Makefile index 0b9a9cb694b..0d22a58f1ec 100644 --- a/comms/asterisk/Makefile +++ b/comms/asterisk/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.114 2014/11/19 08:32:48 jnemeth Exp $ +# $NetBSD: Makefile,v 1.115 2014/12/03 01:57:37 jnemeth Exp $ # # NOTE: when updating this package, there are two places that sound # tarballs need to be checked -DISTNAME= asterisk-11.14.0 +DISTNAME= asterisk-11.14.1 DIST_SUBDIR= ${PKGNAME_NOREV} DISTFILES= ${DEFAULT_DISTFILES} EXTRACT_ONLY= ${DISTNAME}.tar.gz diff --git a/comms/asterisk/distinfo b/comms/asterisk/distinfo index 77b41d09bc7..3c64fdeffd5 100644 --- a/comms/asterisk/distinfo +++ b/comms/asterisk/distinfo @@ -1,11 +1,11 @@ -$NetBSD: distinfo,v 1.68 2014/11/19 08:32:48 jnemeth Exp $ +$NetBSD: distinfo,v 1.69 2014/12/03 01:57:37 jnemeth Exp $ -SHA1 (asterisk-11.14.0/asterisk-11.14.0.tar.gz) = 388f58e98e33f72099b484b1a8ac99b271e18791 -RMD160 (asterisk-11.14.0/asterisk-11.14.0.tar.gz) = 7c9502ea030a8c467e6c7edcf78ac61435ecc742 -Size (asterisk-11.14.0/asterisk-11.14.0.tar.gz) = 34975152 bytes -SHA1 (asterisk-11.14.0/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = fbb94494e31fc08eee8fdf2ce7d12eb274018050 -RMD160 (asterisk-11.14.0/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 53656a3d6771602504f220ad312093e3503e1150 -Size (asterisk-11.14.0/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 4409969 bytes +SHA1 (asterisk-11.14.1/asterisk-11.14.1.tar.gz) = 10f1ac8c282bbb99c07eaa13c93f994294dd552f +RMD160 (asterisk-11.14.1/asterisk-11.14.1.tar.gz) = 6f7bcde4be32a35bfc9b5c23c6f021fcfc52e205 +Size (asterisk-11.14.1/asterisk-11.14.1.tar.gz) = 34966823 bytes +SHA1 (asterisk-11.14.1/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = fbb94494e31fc08eee8fdf2ce7d12eb274018050 +RMD160 (asterisk-11.14.1/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 53656a3d6771602504f220ad312093e3503e1150 +Size (asterisk-11.14.1/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 4409969 bytes SHA1 (patch-Makefile) = ed581d46026e8e89ed8be374c7085efca19911d2 SHA1 (patch-apps_app__confbridge.c) = c815905994355a19c32e8e3e2eb5dc9f1679eb29 SHA1 (patch-apps_app__dial.c) = 0f78d2571af88384a2d472ece08bf4b06f9ad211 -- cgit v1.2.3