- while there, revise pbx_spool.c kevent timeout fix; rather than
clamping the timestamp, in the particular problem situation we hit
the loop (where dirlist is empty), pass in NULL rather than
INT_MAX-timenow similar to what's done in the inotify case.
- If using ConfBridge, note that the dialplan arguments have changed.
- If using the built-in HTTP server, note that a bindaddr must now be given,
previously the default was 0.0.0.0 but this must now be given explicitly.
- Internal database now uses SQLite3 not BDB, conversion tools are provided.
See share/doc/asterisk/UPGRADE.txt for more.
- strip core-sounds and moh out of the main asterisk package,
they change comparatively rarely.
- provide all available languages.
- provide multiple codecs for all files, replacing the asterisk-native-sounds
package which only provided ulaw versions of the asterisk 1.4 files, ports
laid out to permit parallel building.
- the old asterisk-sounds package providing additional sound files beyond
the core ones is now "extra-sounds" modelled after the filename of the
distributed files.
AST-2012-007, AST-2012-008 fixed in the short-lived 1.8.12.1 release:
* A remotely exploitable crash vulnerability exists in the IAX2 channel
driver if an established call is placed on hold without a suggested music
class. Asterisk will attempt to use an invalid pointer to the music
on hold class name, potentially causing a crash.
* A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
Channel driver. When an SCCP client closes its connection to the server,
a pointer in a structure is set to NULL. If the client was not in the
on-hook state at the time the connection was closed, this pointer is later
dereferenced. This allows remote authenticated connections the ability to
cause a crash in the server, denying services to legitimate users.
Also from 1.8.12.2
* Resolve crash in subscribing for MWI notifications.
ASTOBJ_UNREF sets the variable to NULL after unreffing it, so the
variable should definitely not be used after that. To solve this in
the two cases that affect subscribing for MWI notifications, we
instead save the ref locally, and unref them in the error
conditions.
- add an extra file to PLIST-calendar
- add comments to the sample sip.conf showing how to hide version numbers
- fix use of _POSIX_THREAD_PRIORITY_SCHEDULING, from Brad
use and possible uninitialized var use, some memory leaks, a couple of
possible deadlocks and other issues.
While there, enable the http post module (done as a subpackage to
avoid pulling gmime/glib2 into the main package) and WANTLIB cleanup.
AEL dialplan users should see UPGRADE.txt for information about
changes to inheritance of the 'h' extension.
- crash in app_voicemail
- resource leak in SIP TCP/TLS
- ACK routing for non-2xx responses
- buffer overrun/memory leak in 'sip show peers' (race when adding peers whilst displaying)
- various locking problems
- remove unused non-working patches and framework for chan_h323;
this driver is deprecated upstream anyway.
- add patches to let the alternative chan_ooh323 addon module build.
currently unused in the port, 'make configure; cd $WRKSRC; gmake menuselect'
and enable it there if you want to play.
- sync unistim patch.
- mention the IMAP flavour in DESCR (and thus bump REVISION-main).
rthread. kern_time.c:itimerfix() requires the kevent interval timer to be
<= 100M seconds otherwise it passes an EINVAL back up, giving an error
return from kevent(). The initial timestamp is (INT_MAX-cur time) i.e.
around 800M so we hit this. Workaround by clamping tv_sec to 100M sec.
- includes the iLBC codec which now has a free copyright license; patent
licensing has a "no litigation" clause (see codecs/ilbc/LICENSE_ADDENDUM)
so mark as not permitted for CDs
AST-2011-008: If a remote user sends a SIP packet containing a null,
Asterisk assumes available data extends past the null to the
end of the packet when the buffer is actually truncated when
copied. This causes SIP header parsing to modify data past
the end of the buffer altering unrelated memory structures.
This vulnerability does not affect TCP/TLS connections.
-- Resolved in 1.6.2.18.1 and 1.8.4.3
AST-2011-009: A remote user sending a SIP packet containing a Contact header
with a missing left angle bracket (<) causes Asterisk to
access a null pointer.
-- Resolved in 1.8.4.3
AST-2011-010: A memory address was inadvertently transmitted over the
network via IAX2 via an option control frame and the remote party would try
to access it.
-- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3
when forming an outgoing SIP request while in pedantic mode, which
can cause a stack buffer to be made to overflow if supplied with
carefully crafted caller ID information"
http://downloads.asterisk.org/pub/security/AST-2011-001.html
This is also a major version update to the long-term support
1.8 branch, previous versions of this diff have been tested by
various ports@ readers, thanks for testing.
Please review /usr/local/share/doc/asterisk/UPGRADE.txt
(also note that memory use has increased).
ok ajacoutot@ jasper@
receiving most updates in the future; notably, compared to the in-tree
version, this adds a portable (pthread-based) clocking source rather
than relying on a non-portable zaptel timer.
Main functions tested and working well for myself and Diego Casati (thanks!)
Note that ConfBridge (added since 1.6.0) may need more work
This also has a small change in CDR generation, it's been well tested
upstream but still this can be a touchy area to change, so it's
going in now so the first OpenBSD release with Asterisk 1.6
packages has the change already made.
ok ajacoutot@
