Asterisk's configure script so it can find these required libs. No bump
needed here as it didn't build previously since c-client's lib version
was last bumped.
useful on arches which have it, so this saves cycles/mirror space.
This replaces a previous SHARED_ONLY since many classic machines do have
shared libraries.
AST-2013-005: Remote crash from invalid SDP
If the SIP channel driver processes an invalid SDP that defines media
descriptions before connection information, it may attempt to
reference the socket address information even though that information
has not yet been set. This will cause a crash.
AST-2013-004: Fix crash when handling ACK on dialog that has no channel
A remotely exploitable crash vulnerability exists in the SIP channel
driver if an ACK with SDP is received after the channel has been
terminated. The handling code incorrectly assumed that the channel
would always be present.
STUNTMAN is an open source, high-performance STUN server implementing the
STUN protocol as specified in RFCs 5389, 5769, and 5780. It also includes
backwards compatibility for RFC 3489.
a new libmysqlclient non-blocking API which utilizes co-routines. The X86
specific GCC ASM co-routine support hid the fact that there was an issue.
The only fallback code so far is POSIX user contexts which OpenBSD does not
support.
Input from and Ok sthen@ jasper@
(core)
- Italian language prompts for core sounds
- missing prompts for VoiceMailMain application in Russian
(extra)
- various fixed files in extra-sounds
- various new files in extra-sounds (some in French, many in English)
- many files duplicated from core-sounds have been removed
- note: "an-error-has-occured" has been renamed "an-error-has-occurred"
Additionally the packages now install the text files detailing changes
and a text description of the font files (renamed to avoid conflicts
between flavours).
sln16 versions have been dropped from packages for now to save a
few hundred MB per arch on the mirrors, g729 versions have been added
in their place.
REVISION doesn't change the stem of the package name. Came after some head
scratching after naddy@ reported a PLIST_DB change to telephony/asterisk's
@depend lines which happened after I bumped REVISION on the asterisk-sounds
ports when I tweaked CATEGORIES.
This module provides an interface to the Asterisk Manager Interface.
Its goal is to provide a flexible, powerful, and reliable way to
interact with Asterisk upon which other applications may be built.
It utilizes AnyEvent and therefore can integrate very easily into
event-based applications, but still provides blocking functions for use
with standard scripting.
* A possible buffer overflow during H.264 (video) format negotiation.
CVE-2013-2685
* A denial of service exists in Asterisk's HTTP server.
CVE-2013-2686
* A potential username disclosure exists in the SIP channel driver.
CVE-2013-2264
AST-2012-014: crashes due to large stack allocations in TCP;
affects remote unauthenticated SIP *over TCP* and remote authenticated
XMPP/HTTP connections.
AST-2012-015: DoS through resource consumption by exploiting device
state caching; exploitable if anonymous calls are permitted.
- while there, revise pbx_spool.c kevent timeout fix; rather than
clamping the timestamp, in the particular problem situation we hit
the loop (where dirlist is empty), pass in NULL rather than
INT_MAX-timenow similar to what's done in the inotify case.
Note: this port may be removed in the future; users are recommended to
migrate to ConfBridge, which is part of Asterisk itself and has improved
greatly in the rewrite for Asterisk 10.x.
- Fix channel reference leak in ChanSpy.
- dsp.c: Fix multiple issues when no-interdigit delay is present,
and fast DTMF 50ms/50ms.
- Fix bug where final queue member would not be removed from memory.
- Fix memory leak when CEL is successfully written to PostgreSQL database.
- Fix DUNDi message routing bug when neighboring peer is unreachable.
- If using ConfBridge, note that the dialplan arguments have changed.
- If using the built-in HTTP server, note that a bindaddr must now be given,
previously the default was 0.0.0.0 but this must now be given explicitly.
- Internal database now uses SQLite3 not BDB, conversion tools are provided.
See share/doc/asterisk/UPGRADE.txt for more.
- strip core-sounds and moh out of the main asterisk package,
they change comparatively rarely.
- provide all available languages.
- provide multiple codecs for all files, replacing the asterisk-native-sounds
package which only provided ulaw versions of the asterisk 1.4 files, ports
laid out to permit parallel building.
- the old asterisk-sounds package providing additional sound files beyond
the core ones is now "extra-sounds" modelled after the filename of the
distributed files.
Sofia-SIP is an open-source SIP User-Agent library, compliant with the
IETF RFC3261 specification (see the feature table). It can be used as a
building block for SIP client software for uses such as VoIP, IM, and
many other real-time and person-to-person communication services.
ok sthen@
- RTP port exhaustion (DoS) if an endpoint responds to SIP INVITEs with
provisional responses but never sends a final response.
- double free with simultaneous access to a single voicemail account.
HAVE_SCHED_YIELD should be set since we have sched_yield(). The
sched_yield.h compatibility wrapper then does not try to create a
fallback macro which conflicts with the prototype of the syscall
wrapper.
While here, add "ac_cv_header_uuid_uuid_h=no" alongside
"ac_cv_lib_uuid_uuid_generate=no" to fix:
configure: WARNING: uuid/uuid.h: accepted by the compiler, rejected by the preprocessor!
OK fgsch@
AST-2012-007, AST-2012-008 fixed in the short-lived 1.8.12.1 release:
* A remotely exploitable crash vulnerability exists in the IAX2 channel
driver if an established call is placed on hold without a suggested music
class. Asterisk will attempt to use an invalid pointer to the music
on hold class name, potentially causing a crash.
* A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
Channel driver. When an SCCP client closes its connection to the server,
a pointer in a structure is set to NULL. If the client was not in the
on-hook state at the time the connection was closed, this pointer is later
dereferenced. This allows remote authenticated connections the ability to
cause a crash in the server, denying services to legitimate users.
Also from 1.8.12.2
* Resolve crash in subscribing for MWI notifications.
ASTOBJ_UNREF sets the variable to NULL after unreffing it, so the
variable should definitely not be used after that. To solve this in
the two cases that affect subscribing for MWI notifications, we
instead save the ref locally, and unref them in the error
conditions.
- add an extra file to PLIST-calendar
- add comments to the sample sip.conf showing how to hide version numbers
- fix use of _POSIX_THREAD_PRIORITY_SCHEDULING, from Brad
- avoid compiler warnings due to missing headers, duplicate #defines etc.,
from maintainer Roman Kravchuk, slight tweak by me (ifndef rather than
delete the lines).
- fix WANTLIB/LIB_DEPENDS in the subpackages, from me.
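As an added illustration of the second item above (this fragment is the editor's, not the port's patched sample sip.conf), the chan_sip [general] options that control what Asterisk reveals about itself in SIP headers and generated SDP; the replacement strings are arbitrary:

```ini
[general]
; User-Agent (requests) and Server (responses) headers; default "Asterisk PBX"
useragent=VoIP Gateway
; s= line of generated SDP; also defaults to "Asterisk PBX"
sdpsession=VoIP Gateway
; username field of the o= line in generated SDP; defaults to "root"
sdpowner=-
```

After a `sip reload`, `sip set debug on` at the Asterisk CLI (or a packet capture) shows whether the outgoing messages still carry the default strings.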
- Use sample interface names that might exist on OpenBSD rather than eth0/1
- Make it clear that "if_outbound" is the external interface and "if_inbound"
is the lan.
use and possible uninitialized var use, some memory leaks, a couple of
possible deadlocks and other issues.
While there, enable the http post module (done as a subpackage to
avoid pulling gmime/glib2 into the main package) and WANTLIB cleanup.
AEL dialplan users should see UPGRADE.txt for information about
changes to inheritance of the 'h' extension.
* A permission escalation vulnerability in Asterisk Manager Interface. This
would potentially allow remote authenticated users the ability to execute
commands on the system shell with the privileges of the user running the
Asterisk application.
* A heap overflow vulnerability in the Skinny Channel driver. The keypad
button message event failed to check the length of a fixed length buffer
before appending a received digit to the end of that buffer. A remote
authenticated user could send sufficient keypad button message events that
the buffer would be overrun.
* A remote crash vulnerability in the SIP channel driver when processing UPDATE
requests. If a SIP UPDATE request was received indicating a connected line
update after a channel was terminated but before the final destruction of the
associated SIP dialog, Asterisk would attempt a connected line update on a
non-existing channel, causing a crash.
- crash in app_voicemail
- resource leak in SIP TCP/TLS
- ACK routing for non-2xx responses
- buffer overrun/memory leak in 'sip show peers' (race when adding peers whilst displaying)
- various locking problems
- remove unused non-working patches and framework for chan_h323;
this driver is deprecated upstream anyway.
- add patches to let the alternative chan_ooh323 addon module build.
currently unused in the port, 'make configure; cd $WRKSRC; gmake menuselect'
and enable it there if you want to play.
- sync unistim patch.
- mention the IMAP flavour in DESCR (and thus bump REVISION-main).
rthread. kern_time.c:itimerfix() requires the kevent interval timer to be
<= 100M seconds otherwise it passes an EINVAL back up, giving an error
return from kevent(). The initial timestamp is (INT_MAX-cur time) i.e.
around 800M so we hit this. Workaround by clamping tv_sec to 100M sec.
AST-2012-002: stack buffer overflow (remote unauthenticated sessions).
requires a dialplan using the Milliwatt application with the 'o' option,
and internal_timing off. Affects all 1.4+ Asterisk versions.
AST-2012-003: stack buffer overflow (remote unauth'd sessions) in HTTP
manager interface; triggered by long digest authentication strings.
Code injection possibility. Affects 1.8+.
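An added example in C (not Asterisk's manager or HTTP code and not the upstream fix) of the input-handling point behind AST-2012-003: pulling one parameter out of a Digest credentials header into a fixed-size destination and refusing any value that does not fit, instead of copying it onto the stack and hoping. The header text and the 1000-byte username are constructed here; the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample header (not captured traffic). */
const char DIGEST_SAMPLE[] =
    "Digest username=\"alice\", realm=\"asterisk\", nonce=\"0123456789abcdef\", "
    "uri=\"/manager\", response=\"deadbeef\", cnonce=\"xyz\", nc=00000001";

/* Look up one parameter of a Digest credentials header and copy its value
 * into out. Returns 0 on success and -1 if the parameter is missing,
 * malformed, or does not fit in outlen-1 bytes: an over-long value is
 * refused rather than written past a fixed buffer, which is the check
 * the vulnerable parser lacked. */
int digest_get_param(const char *hdr, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while ((p = strstr(p, name)) != NULL) {
        /* "nonce" must not match inside "cnonce": require a separator before
         * the name and '=' directly after it */
        int bounded = (p == hdr || p[-1] == ' ' || p[-1] == ',') && p[nlen] == '=';
        const char *val, *end;
        size_t vlen;

        if (!bounded) {
            p += nlen;
            continue;
        }
        val = p + nlen + 1;
        if (*val == '"') {                 /* quoted-string */
            val++;
            end = strchr(val, '"');
            if (end == NULL)
                return -1;                 /* unterminated quote */
        } else {                           /* token such as nc=00000001 */
            end = val + strcspn(val, ", ");
        }
        vlen = (size_t)(end - val);
        if (vlen >= outlen)
            return -1;                     /* would not fit: refuse, do not overflow */
        memcpy(out, val, vlen);
        out[vlen] = '\0';
        return 0;
    }
    return -1;
}

/* Build a header whose username is 1000 bytes long, the kind of input the
 * advisory describes overrunning a fixed-size stack buffer. */
const char *digest_long_header(void)
{
    static char buf[1200];
    const char *prefix = "Digest username=\"";
    size_t n = strlen(prefix);

    memcpy(buf, prefix, n);
    memset(buf + n, 'A', 1000);
    buf[n + 1000] = '\0';
    strcat(buf, "\", realm=\"asterisk\"");
    return buf;
}

/* Helpers that check results against a 64-byte destination. */
int digest_param_equals(const char *hdr, const char *name, const char *expect)
{
    char v[64];
    return digest_get_param(hdr, name, v, sizeof v) == 0 && strcmp(v, expect) == 0;
}

int digest_param_fits(const char *hdr, const char *name)
{
    char v[64];
    return digest_get_param(hdr, name, v, sizeof v) == 0;
}

int main(void)
{
    char v[64];
    if (digest_get_param(DIGEST_SAMPLE, "nonce", v, sizeof v) == 0)
        printf("nonce=%s\n", v);
    printf("1000-byte username accepted: %d\n",
           digest_param_fits(digest_long_header(), "username"));   /* 0 */
    return 0;
}
```

Refusing rather than truncating matters for the "code injection" part of the advisory: a silently truncated credential still reaches the authentication logic, whereas a rejected one never does, and the caller gets an unambiguous error to log.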
- includes the iLBC codec which now has a free copyright license; patent
licensing has a "no litigation" clause (see codecs/ilbc/LICENSE_ADDENDUM)
so mark as not permitted for CDs