Date: Tue, 5 Jul 2011 08:42:57 +0000
From: "John Nemeth"
Subject: CVS commit: pkgsrc/comms/asterisk18
To: pkgsrc-changes@NetBSD.org
Reply-To: jnemeth@netbsd.org
Message-Id: <20110705084257.1FC19175DD@cvs.netbsd.org>
List-Id: pkgsrc-changes.NetBSD.org

Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Tue Jul 5 08:42:57 UTC 2011

Modified Files:
        pkgsrc/comms/asterisk18: Makefile PLIST distinfo

Log Message:
Update to Asterisk 1.8.4.4 (fixes AST-2011-011):

Asterisk Project Security Advisory - AST-2011-011

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Possible enumeration of SIP users due to          |
|                    | differing authentication responses                |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Unauthorized data disclosure                      |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote unauthenticated sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Moderate                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| CVE Name           | CVE-2011-2536                                     |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Asterisk may respond differently to SIP requests from an |
|             | invalid SIP user than it does to a user configured on    |
|             | the system, even when the alwaysauthreject option is set |
|             | in the configuration. This can leak information about    |
|             | what SIP users are valid on the Asterisk system.         |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution  | Respond to SIP requests from invalid and valid SIP users |
|             | in the same way. Asterisk 1.4 and 1.6.2 do not respond   |
|             | identically by default due to backward-compatibility     |
|             | reasons, and must have alwaysauthreject=yes set in       |
|             | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes. |
|             |                                                          |
|             | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4   |
|             | and 1.6.2 set alwaysauthreject=yes in the general section|
|             | of sip.conf.                                             |
+------------------------------------------------------------------------+

To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/comms/asterisk18/Makefile
cvs rdiff -u -r1.4 -r1.5 pkgsrc/comms/asterisk18/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/comms/asterisk18/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
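
The configuration half of the AST-2011-011 resolution quoted above can be audited mechanically. The following is an added example, not part of the commit message or the Asterisk project's code: it reports whether alwaysauthreject is effectively enabled in the [general] section of a sip.conf, using the per-branch defaults the advisory states. The function names, the sample configs, the "1.4.x"/"1.6.2.x" version strings and the simplified comment handling are assumptions of this example.

```python
import re

# Strings Asterisk's config code accepts as boolean true (ast_true()).
TRUTHY = {"yes", "true", "y", "t", "1", "on"}

def default_for(version):
    """Built-in alwaysauthreject default per branch, as stated in AST-2011-011."""
    if version.startswith("1.8."):
        return True
    if version.startswith(("1.4.", "1.6.2.")):
        return False
    raise ValueError("branch not covered by the advisory text: " + version)

def alwaysauthreject_enabled(conf_text, version):
    """True if [general] alwaysauthreject is effectively on for this branch."""
    # Simplified comment handling: drop ';-- ... --;' blocks, then ';' tails.
    text = re.sub(r";--(?!-).*?--;", "", conf_text, flags=re.S)
    section, value = None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        if section == "general" and sep and key.strip().lower() == "alwaysauthreject":
            value = val.lstrip(">").strip().lower()  # assumption: last one wins
    return default_for(version) if value is None else value in TRUTHY

# Constructed sample sip.conf contents (not from the page).
UNSET = "[general]\ncontext=default\n\n[alice]\ntype=friend\n"
COMMENTED = "[general]\n;alwaysauthreject=yes\nbindport=5060\n"
EXPLICIT = "[general]\nalwaysauthreject = yes ; required on 1.4/1.6.2\n"
WRONG_SECTION = "[general]\nbindport=5060\n[alice]\nalwaysauthreject=yes\n"

if __name__ == "__main__":
    samples = [("unset", UNSET), ("commented", COMMENTED),
               ("explicit", EXPLICIT), ("wrong section", WRONG_SECTION)]
    for name, conf in samples:
        for ver in ("1.4.x", "1.6.2.x", "1.8.4.4"):
            print(f"{name:14} {ver:8} -> {alwaysauthreject_enabled(conf, ver)}")
```

A True result covers only the configuration side; the differing responses themselves are what the update to 1.8.4.4 in this commit addresses.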