---
- branch: MAIN
  date: Tue Jul 5 08:42:57 UTC 2011
  files:
  - new: '1.10'
    old: '1.9'
    path: pkgsrc/comms/asterisk18/Makefile
    pathrev: pkgsrc/comms/asterisk18/Makefile@1.10
    type: modified
  - new: '1.5'
    old: '1.4'
    path: pkgsrc/comms/asterisk18/PLIST
    pathrev: pkgsrc/comms/asterisk18/PLIST@1.5
    type: modified
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/comms/asterisk18/distinfo
    pathrev: pkgsrc/comms/asterisk18/distinfo@1.11
    type: modified
  id: 20110705T084257Z.ea19bc642f73f63e7af47290621c66ec7de07d69
  log: |
    Update to Asterisk 1.8.4.4 (fixes AST-2011-011):

    Asterisk Project Security Advisory - AST-2011-011

    +------------------------------------------------------------------------+
    | Product            | Asterisk                                          |
    |--------------------+---------------------------------------------------|
    | Summary            | Possible enumeration of SIP users due to          |
    |                    | differing authentication responses                |
    |--------------------+---------------------------------------------------|
    | Nature of Advisory | Unauthorized data disclosure                      |
    |--------------------+---------------------------------------------------|
    | Susceptibility     | Remote unauthenticated sessions                   |
    |--------------------+---------------------------------------------------|
    | Severity           | Moderate                                          |
    |--------------------+---------------------------------------------------|
    | Exploits Known     | No                                                |
    |--------------------+---------------------------------------------------|
    | CVE Name           | CVE-2011-2536                                     |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Description | Asterisk may respond differently to SIP requests from an |
    |             | invalid SIP user than it does to a user configured on    |
    |             | the system, even when the alwaysauthreject option is set |
    |             | in the configuration. This can leak information about    |
    |             | what SIP users are valid on the Asterisk system.         |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Resolution | Respond to SIP requests from invalid and valid SIP users  |
    |            | in the same way. Asterisk 1.4 and 1.6.2 do not respond    |
    |            | identically by default due to backward-compatibility      |
    |            | reasons, and must have alwaysauthreject=yes set in        |
    |            | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.  |
    |            |                                                           |
    |            | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4    |
    |            | and 1.6.2 set alwaysauthreject=yes in the general section |
    |            | of sip.conf.                                              |
    +------------------------------------------------------------------------+
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/comms/asterisk18'
  unixtime: '1309855377'
  user: jnemeth