a crash when receiving a WebSocket packet with a payload length of zero.
"Frames with a payload length of 0 were incorrectly handled in
res_http_websocket. Provided a frame with a payload had been received
prior it was possible for a double free to occur. The realloc operation
would succeed (thus freeing the payload) but be treated as an error.
When the session was then torn down the payload would be freed again
causing a crash. The read function now takes this into account."
* AST-2014-012: Fix error with mixed address family ACLs.
* AST-2014-014: Fix race condition where channels may get stuck in
ConfBridge under load.
* AST-2014-017 - app_confbridge: permission escalation/class authorization.
* AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI.
...
2014-012 doesn't really affect OpenBSD; Asterisk generally only allows
a single bind address so can't really do multi AF on OpenBSD where
v4-mapped-in-v6 is disabled.
2014-017 is a priv escalation via AMI; ConfbridgeStartRecord didn't require
system privs, but allowed arbitrary system commands to be executed.
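
The zero-length-frame double free quoted above comes down to how realloc() behaves when asked for size 0. The C sketch below is an added illustration, not Asterisk's or the port's code; the ws_session struct and the function names are hypothetical, and it shows the flawed pattern next to a hardened one.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical session type for illustration; not Asterisk's struct. */
struct ws_session {
    char *payload;      /* buffer reused across frames, freed at teardown */
    size_t payload_len;
};

/* Flawed pattern: with len == 0, realloc() may free the old buffer and
 * return NULL. Treating that NULL as an allocation failure leaves
 * s->payload dangling, so teardown frees it a second time. */
int ws_store_frame_flawed(struct ws_session *s, const char *data, size_t len)
{
    char *p = realloc(s->payload, len);
    if (!p)
        return -1;              /* s->payload may already be freed here */
    memcpy(p, data, len);
    s->payload = p;
    s->payload_len = len;
    return 0;
}

/* Hardened pattern: never pass size 0 to realloc(); an empty frame just
 * resets the length and keeps ownership of the existing buffer. */
int ws_store_frame(struct ws_session *s, const char *data, size_t len)
{
    if (len == 0) {
        s->payload_len = 0;
        return 0;
    }
    char *p = realloc(s->payload, len);
    if (!p)
        return -1;              /* real failure: old buffer still valid */
    memcpy(p, data, len);
    s->payload = p;
    s->payload_len = len;
    return 0;
}

/* Teardown frees once and clears the pointer so a repeat call is harmless. */
void ws_teardown(struct ws_session *s)
{
    free(s->payload);
    s->payload = NULL;
    s->payload_len = 0;
}
```
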
Zfone is VoIP encryption software, designed by Phil Zimmermann of PGP. This
SDK is suitable for inclusion in software VoIP clients, firmware for hardware
VoIP phones, VoIP PBX servers, mobile VoIP clients, and SIP border control
servers. The SDK enables interoperation with the rest of the ZRTP community.
- AST-2014-006: MixMonitor manager action allows arbitrary shell commands
to be called from AMI (management interface) users without having proper
permissions.
- AST-2014-007: add a timeout to mitigate possible DoS on http interface
(connecting but making no request ties up a connection)
Asterisk's configure script so it can find these required libs. No bump
needed here as it didn't build previously since c-client's lib version
was last bumped.