AST-2011-008: If a remote user sends a SIP packet containing a null,
Asterisk assumes available data extends past the null to the
end of the packet when the buffer is actually truncated when
copied. This causes SIP header parsing to modify data past
the end of the buffer altering unrelated memory structures.
This vulnerability does not affect TCP/TLS connections.
-- Resolved in 1.6.2.18.1 and 1.8.4.3
AST-2011-009: A remote user sending a SIP packet containing a Contact header
with a missing left angle bracket (<) causes Asterisk to
access a null pointer.
-- Resolved in 1.8.4.3
AST-2011-010: A memory address was inadvertently transmitted over the
network via IAX2 via an option control frame and the remote party would try
to access it.
-- Resolved in 1.4.41.1, 1.6.2.18.1, and 1.8.4.3
recorded in asterisk's menuselect system, knocking out ODBC build if not
present (though this is only done, afaict, due to a missing dependency
in a unixodbc package on some linux version), so add libltdl as a
BUILD_DEPENDS.
Doesn't affect the packages, other than -odbc wasn't built before
unless you had libltdl installed, so no bump.
- Fix compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)
- Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
- Resolve potential crash when using SIP TLS support.
- Improve reliability when using SIP TLS.
- AST-2011-006, shell access via remote authenticated manager
sessions (logged-in manager users can execute shell commands via
the manager interface without having the "system" privilege that
should be required)
- AST-2011-005, DoS with remote unauthenticated sessions (add limits
to prevent unauthenticated users from tying up all available FDs for
the manager interface, SIP-over-TCP, Skinny and the built in HTTP
server).
(updating by way of upstream patch file, the full tar.gz isn't
available yet).
"Due to a failed merge, Asterisk 1.8.2.1 which should have included
the security fix did not. Asterisk 1.8.2.2 contains the the changes
which should have been included in Asterisk 1.8.2.1." ok ajacoutot@
when forming an outgoing SIP request while in pedantic mode, which
can cause a stack buffer to be made to overflow if supplied with
carefully crafted caller ID information"
http://downloads.asterisk.org/pub/security/AST-2011-001.html
This is also a major version update to the long-term support
1.8 branch, previous versions of this diff have been tested by
various ports@ readers, thanks for testing.
Please review /usr/local/share/doc/asterisk/UPGRADE.txt
(also note that memory use has increased).
ok ajacoutot@ jasper@
- add various other missing WANTLIB (and LIB_DEPENDS in some cases)
- while there move PKGNAME=..pX to REVISION, and move some ports
to new-style LIB_DEPENDS
original diff from Brad, extensive checking by me (clean build of everything
related to liboil).
installed, which I won't add as a dependency just for this, but for people who
already have it, it makes the docs look nicer).
- install the sample features.conf which was @comment'ed.
receiving most updates in the future; notably, compared to the in-tree
version, this adds a portable (pthread-based) clocking source rather
than relying on a non-portable zaptel timer.
Main functions tested and working well for myself and Diego Casati (thanks!)
Note that ConfBridge (added since 1.6.0) may need more work
with something like 'deny 0.0.0.0/0' then this affects you. workaround:
'deny 0.0.0.0/0.0.0.0'
- fix fullpkgpath's for the subpackages, they were including the flavour
and shouldn't have - fixes problems with dpb3 found by naddy. add @pkgpath
markers relating to this fix.
ok naddy@
(reminder, ports is not fully open, do not commit without specific permission)
crash in SIP (and only this, thanks to Asterisk developers for pushing
security fixes separately from other changes).
Does not affect Asterisk 1.4 in -stable (it's in the T.38 support,
which was added in 1.6).
ok ajacoutot@
breaking cd /usr/ports && SUBDIR=some/path make something for
category makefiles. While there, also put spaces around += uniformously.
okay naddy@, jasper@
This also has a small change in CDR generation, it's been well tested
upstream but still this can be a touchy area to change, so it's
going in now so the first OpenBSD release with Asterisk 1.6
packages has the change already made.
ok ajacoutot@
from overriding supplied AUTOfoo_VERSION variables) instead of the
custom Makefile target to run autoconf.
No package change -> no bump. Discussed with fgsch in relation
to 1.6, but it makes sense here too.
AstManProxy is a multi-threaded proxy server for the Asterisk
Manager Interface. As well as straight proxying, it can also
translate between AMI and HTTP (with output in plaintext, XML,
or CSV formats). SSL is also available (for both AMI and HTTP).
"echo -e" -> "printf"
"exit -1" -> "exit 255"
- some of the patches had hand-rolled chunks to replace /bin/bash
with /bin/sh near a CVS keyword; remove these and replace with a
pre-configure target making it easier to update-patches
- change sample config to disable hardcoded escape sequences for
colours by default
- bump PKGNAME-main
Fixes sscanf without size bounds. The biggest problem affects SIP in
Asterisk 1.6.1+ (i.e. not OpenBSD ports/packages) but the update makes
sense anyway...
just disable by setting the default FLAVOR; the asterisk,h323 entry
in ../Makefile picked it up. the unused pkg/*-speex files don't hurt,
so keep them around. bump PKGNAME (most likely gratuitous, but it's
cheap).
It is completely unmaintained, barely working and prevent from updating the
whole VoIP gang (ptlib, h323plus, opal, gnugk, ekiga) which I'm working on.
some more work still to do but most things should run ok, and it's easier
to handle that in-tree.
KAMAILIO (OpenSER) is a mature and flexible open source SIP server (RFC3261).
It can be used on systems with limitted resources as well as on carrier grade
servers, scaling to up to thousands call setups per second. It is written in
pure C for Unix/Linux-like systems with architecture specific optimizations to
offer high performances. It is customizable, being able to feature as fast load
balancer; SIP server flavours: registrar, location server, proxy server,
redirect server; gateway to SMS/XMPP; or advanced VoIP application server.
