---
- branch: MAIN
  date: Tue Dec 17 05:37:10 UTC 2013
  files:
  - new: '1.56'
    old: '1.55'
    path: pkgsrc/comms/asterisk10/Makefile
    pathrev: pkgsrc/comms/asterisk10/Makefile@1.56
    type: modified
  - new: '1.29'
    old: '1.28'
    path: pkgsrc/comms/asterisk10/distinfo
    pathrev: pkgsrc/comms/asterisk10/distinfo@1.29
    type: modified
  id: 20131217T053710Z.567f7369545b553fd0b085c901aac058c43762bb
  log: |
    Update to Asterisk 10.12.4:  this is a security fix update that fixes
    AST-2013-006 and AST-2013-007.

    The Asterisk Development Team has announced security releases for Certified
    Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
    releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
    10.12.4-digiumphones, and 11.6.1.

    The release of these versions resolve the following issues:

    * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
      infinite loop could occur which would overwrite memory when a message is
      received into the unpacksms16() function and the length of the message is an
      odd number of bytes.

    * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
      now marks certain individual dialplan functions as 'dangerous', which will
      inhibit their execution from external sources.

      A 'dangerous' function is one which results in a privilege escalation. For
      example, if one were to read the channel variable SHELL(rm -rf /) Bad
      Things(TM) could happen; even if the external source has only read
      permissions.

      Execution from external sources may be enabled by setting 'live_dangerously'
      to 'yes' in the [options] section of asterisk.conf. Although doing so is not
      recommended.

    These issues and their resolutions are described in the security advisories.

    For more information about the details of these vulnerabilities, please read
    security advisories AST-2013-006 and AST-2013-007, which were
    released at the same time as this announcement.

    For a full list of changes in the current releases, please see the ChangeLogs:

    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1

    The security advisories are available at:

     * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
     * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf

    Thank you for your continued support of Asterisk!
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/comms/asterisk10'
  unixtime: '1387258630'
  user: jnemeth