Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id A9B7CA5864 for ; Wed, 3 Dec 2014 01:00:29 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 246CA14A1F8; Wed, 3 Dec 2014 01:00:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id AC30114A1F4 for ; Wed, 3 Dec 2014 01:00:24 +0000 (UTC) X-Virus-Scanned: amavisd-new at NetBSD.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id aeZi4Nt9N7Bt for ; Wed, 3 Dec 2014 01:00:24 +0000 (UTC) Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 096BC14A1A5 for ; Wed, 3 Dec 2014 01:00:24 +0000 (UTC) Received: by cvs.netbsd.org (Postfix, from userid 500) id 03E5F98; Wed, 3 Dec 2014 01:00:24 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" MIME-Version: 1.0 Date: Wed, 3 Dec 2014 01:00:23 +0000 From: "John Nemeth" Subject: CVS commit: pkgsrc/comms/asterisk18 To: pkgsrc-changes@NetBSD.org Reply-To: jnemeth@netbsd.org X-Mailer: log_accum Message-Id: <20141203010024.03E5F98@cvs.netbsd.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: jnemeth Date: Wed Dec 3 01:00:23 UTC 2014 Modified Files: pkgsrc/comms/asterisk18: Makefile distinfo Log Message: Update to Asterisk 1.8.32.1: this is a security fix release. The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1, 11.14.1, 12.7.1, and 13.0.1. The release of these versions resolves the following security vulnerabilities: * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP address families Many modules in Asterisk that service incoming IP traffic have ACL options ("permit" and "deny") that can be used to whitelist or blacklist address ranges. A bug has been discovered where the address family of incoming packets is only compared to the IP address family of the first entry in the list of access control rules. If the source IP address for an incoming packet is not of the same address as the first ACL entry, that packet bypasses all ACL rules. * AST-2014-018: Permission Escalation through DB dialplan function The DB dialplan function when executed from an external protocol, such as AMI, could result in a privilege escalation. Users with a lower class authorization in AMI can access the internal Asterisk database without the required SYSTEM class authorization. For more information about the details of these vulnerabilities, please read security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015, AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs: http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1 The security advisories are available at: * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf Thank you for your continued support of Asterisk! To generate a diff of this commit: cvs rdiff -u -r1.89 -r1.90 pkgsrc/comms/asterisk18/Makefile cvs rdiff -u -r1.57 -r1.58 pkgsrc/comms/asterisk18/distinfo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.