Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 0E212A5864
	for ; Thu, 29 Jan 2015 21:54:42 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 605)
	id 7F4F214A2BF; Thu, 29 Jan 2015 21:54:41 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by mail.netbsd.org (Postfix) with ESMTP id 3D09214A2BD
	for ; Thu, 29 Jan 2015 21:54:35 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1])
	by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025)
	with ESMTP id 1EZvT4dfcJvm for ; Thu, 29 Jan 2015 21:54:33 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd])
	by mail.netbsd.org (Postfix) with ESMTP id DB09914A2BA
	for ; Thu, 29 Jan 2015 21:54:33 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500)
	id CE71398; Thu, 29 Jan 2015 21:54:33 +0000 (UTC)
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Date: Thu, 29 Jan 2015 21:54:33 +0000
From: "John Nemeth"
Subject: CVS commit: pkgsrc/comms/asterisk
To: pkgsrc-changes@NetBSD.org
Reply-To: jnemeth@netbsd.org
X-Mailer: log_accum
Message-Id: <20150129215433.CE71398@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk

Module Name:	pkgsrc
Committed By:	jnemeth
Date:		Thu Jan 29 21:54:33 UTC 2015

Modified Files:
	pkgsrc/comms/asterisk: Makefile distinfo options.mk

Log Message:
Update to Asterisk 11.15.1: this is a security fix.

pkgsrc change: adapt to splitting up of speex

The Asterisk Development Team has announced security releases for
Certified Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13.
The available security releases are released as versions 1.8.28.cert-4,
1.8.32.2, 11.6-cert10, 11.15.1, 12.8.1, and 13.1.1.

The release of these versions resolves the following security
vulnerabilities:

* AST-2015-001: File descriptor leak when incompatible codecs are offered

  Asterisk may be configured to only allow specific audio or video codecs
  to be used when communicating with a particular endpoint. When an
  endpoint sends an SDP offer that only lists codecs not allowed by
  Asterisk, the offer is rejected. However, in this case, RTP ports that
  are allocated in the process are not reclaimed.

  This issue only affects the PJSIP channel driver in Asterisk. Users of
  the chan_sip channel driver are not affected.

* AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability

  CVE-2014-8150 reported an HTTP request injection vulnerability in
  libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL()
  dialplan function), as well as its res_config_curl.so (cURL realtime
  backend) modules.

  Since Asterisk may be configured to allow for user-supplied URLs to be
  passed to libcURL, it is possible that an attacker could use Asterisk as
  an attack vector to inject unauthorized HTTP requests if the version of
  libcURL installed on the Asterisk server is affected by CVE-2014-8150.

For more information about the details of these vulnerabilities, please
read security advisory AST-2015-001 and AST-2015-002, which were released
at the same time as this announcement.

For a full list of changes in the current releases, please see the
ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
 * http://downloads.asterisk.org/pub/security/AST-2015-002.pdf

Thank you for your continued support of Asterisk!
To generate a diff of this commit:
cvs rdiff -u -r1.117 -r1.118 pkgsrc/comms/asterisk/Makefile
cvs rdiff -u -r1.71 -r1.72 pkgsrc/comms/asterisk/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/comms/asterisk/options.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
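The announcement quoted in the commit mail says that Asterisk can pass user-supplied URLs to libcURL, and that a libcURL affected by CVE-2014-8150 then turns that into HTTP request injection. The Python example below is added here for illustration; it is not part of the commit mail and is neither Asterisk's nor libcurl's code, and it does not reproduce the actual AST-2015-002 change. It shows the mechanism of that bug class (a URL carrying literal CR/LF becomes additional requests when a client copies the path verbatim into the request line) next to a raw-string check a caller can run before handing a URL to an HTTP client. The host name backend.example, the URLs, and every function name are constructed for the example.

```python
"""
Illustration of the HTTP request injection class that CVE-2014-8150
describes: a URL containing literal CR/LF reaches an HTTP client that
copies the URL's path into the request line unchanged, so the attacker's
text becomes extra requests on the same connection.  The toy client below
mimics that behaviour on purpose; is_safe_url() is the kind of check a
caller can apply before handing a user-influenced URL to libcurl.
Example code written for this page; not Asterisk's or libcurl's code.
"""
import re

# Any ASCII control character (0x00-0x1f, 0x7f) is rejected: CR and LF end
# an HTTP request line or header, and none of the others belongs in a URL.
_CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}

# A request line as a server parsing keep-alive traffic would recognise it.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def _split_url(url):
    """Minimal scheme://host/path splitter that keeps every character.

    A general-purpose parser is deliberately avoided: urllib.parse in recent
    Python versions strips CR, LF and TAB from a URL before parsing, which
    would hide exactly the characters this example is about.  Returns
    (scheme, host, path).
    """
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise ValueError("URL has no scheme")
    host, _, path = rest.partition("/")
    return scheme.lower(), host, "/" + path


def build_request_naively(url):
    """Mimics a client that does not sanitise the URL (the vulnerable
    behaviour).  Never use this pattern in real code."""
    _, host, target = _split_url(url)
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def count_requests(wire_bytes):
    """Number of request lines a server would find in the byte stream."""
    return sum(1 for line in wire_bytes.split(b"\r\n") if _REQUEST_LINE.match(line))


def is_safe_url(url, allowed_schemes=("http", "https")):
    """Reject a URL before it reaches the HTTP client.

    The checks run on the raw string: no control characters anywhere, a
    permitted scheme, and a non-empty host.  This is the caller-side
    mitigation for the bug class; it does not replace a fixed libcurl.
    """
    if any(ch in _CONTROL_CHARS for ch in url):
        return False
    try:
        scheme, host, _ = _split_url(url)
    except ValueError:
        return False
    return scheme in allowed_schemes and bool(host)


# Constructed sample inputs (hypothetical host).  The hostile URL embeds a
# complete second request after the legitimate query string; the trailing
# "GET /ignored" is there so the client's own " HTTP/1.1" suffix lands on a
# line of its own instead of producing a garbage line.
BENIGN_URL = "http://backend.example/lookup?ext=1001"
INJECTED_URL = (
    "http://backend.example/lookup?ext=1001 HTTP/1.1\r\n"
    "Host: backend.example\r\n"
    "\r\n"
    "POST /admin/reload HTTP/1.1\r\n"
    "Host: backend.example\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "GET /ignored"
)


if __name__ == "__main__":
    for url in (BENIGN_URL, INJECTED_URL):
        raw = build_request_naively(url)
        print(f"safe={is_safe_url(url)} requests_on_wire={count_requests(raw)}")
        print(raw.decode("latin-1"))
```

Run stand-alone, the benign URL yields one request on the wire and the hostile one yields three, of which the POST is entirely attacker-chosen. Two points matter in practice: the check must look at the raw string before any URL parser that might silently strip control characters, and an allow-list of schemes and hosts is the real control for a function like CURL() that can be driven by caller input, since a sanitised URL is still a URL the attacker picked.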