Update to Asterisk 1.8.8.2. This fixes AST-2010-001:
Asterisk Project Security Advisory - AST-2012-001
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SRTP Video Remote Crash Vulnerability |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Denial of Service |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | 2012-01-15 |
|----------------------+-------------------------------------------------|
| Reported By | Catalin Sanda |
|----------------------+-------------------------------------------------|
| Posted On | 2012-01-19 |
|----------------------+-------------------------------------------------|
| Last Updated On | January 19, 2012 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Joshua Colp < jcolp AT digium DOT com > |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | An attacker attempting to negotiate a secure video |
| | stream can crash Asterisk if video support has not been |
| | enabled and the res_srtp Asterisk module is loaded. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.8.x | All versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 10.x | All versions |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.8.8.2 |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 10.0.1 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| SVN URL |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 |
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2012-001.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+--------------------+---------------------------------|
| 12-01-19 | Joshua Colp | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
(jnemeth)
diff -r1.19 -r1.20 pkgsrc/comms/asterisk18/Makefile| @@ -1,20 +1,19 @@ | @@ -1,20 +1,19 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.19 2012/01/17 06:29:41 jnemeth Exp $ | 1 | # $NetBSD: Makefile,v 1.20 2012/01/20 07:31:17 jnemeth Exp $ | |
| 2 | # | 2 | # | |
| 3 | # NOTE: when updating this package, there are two places that sound | 3 | # NOTE: when updating this package, there are two places that sound | |
| 4 | # tarballs need to be checked | 4 | # tarballs need to be checked | |
| 5 | 5 | |||
| 6 | DISTNAME= asterisk-1.8.8.1 | 6 | DISTNAME= asterisk-1.8.8.2 | |
| 7 | PKGREVISION= 1 | |||
| 8 | DIST_SUBDIR= ${PKGNAME_NOREV} | 7 | DIST_SUBDIR= ${PKGNAME_NOREV} | |
| 9 | DISTFILES= ${DEFAULT_DISTFILES} | 8 | DISTFILES= ${DEFAULT_DISTFILES} | |
| 10 | EXTRACT_ONLY= ${DISTNAME}.tar.gz | 9 | EXTRACT_ONLY= ${DISTNAME}.tar.gz | |
| 11 | CATEGORIES= comms net audio | 10 | CATEGORIES= comms net audio | |
| 12 | MASTER_SITES= http://downloads.asterisk.org/pub/telephony/asterisk/ \ | 11 | MASTER_SITES= http://downloads.asterisk.org/pub/telephony/asterisk/ \ | |
| 13 | http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ \ | 12 | http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ \ | |
| 14 | http://downloads.asterisk.org/pub/telephony/sounds/releases/ | 13 | http://downloads.asterisk.org/pub/telephony/sounds/releases/ | |
| 15 | 14 | |||
| 16 | OWNER= jnemeth@NetBSD.org | 15 | OWNER= jnemeth@NetBSD.org | |
| 17 | HOMEPAGE= http://www.asterisk.org/ | 16 | HOMEPAGE= http://www.asterisk.org/ | |
| 18 | COMMENT= The Asterisk Software PBX | 17 | COMMENT= The Asterisk Software PBX | |
| 19 | LICENSE= gnu-gpl-v2 | 18 | LICENSE= gnu-gpl-v2 | |
| 20 | 19 |
| @@ -1,27 +1,27 @@ | @@ -1,27 +1,27 @@ | |||
| 1 | $NetBSD: distinfo,v 1.16 2012/01/15 03:32:47 jnemeth Exp $ | 1 | $NetBSD: distinfo,v 1.17 2012/01/20 07:31:17 jnemeth Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (asterisk-1.8.8.1/asterisk-1.8.8.1.tar.gz) = ef4e58a00b1e8a9ae6b1923dd9feab1a0e6cd582 | 3 | SHA1 (asterisk-1.8.8.2/asterisk-1.8.8.2.tar.gz) = 4046350bc9143882db6569d1fa8df90a63c53f26 | |
| 4 | RMD160 (asterisk-1.8.8.1/asterisk-1.8.8.1.tar.gz) = 8bf3d816786b2b5ba0bc87b3e008d5ab3a1b3955 | 4 | RMD160 (asterisk-1.8.8.2/asterisk-1.8.8.2.tar.gz) = 140d2bafdeeb259469b1514c3c6a4d09eb17aa17 | |
| 5 | Size (asterisk-1.8.8.1/asterisk-1.8.8.1.tar.gz) = 24774178 bytes | 5 | Size (asterisk-1.8.8.2/asterisk-1.8.8.2.tar.gz) = 24776534 bytes | |
| 6 | SHA1 (asterisk-1.8.8.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 8692fa61423b4769dc8bfa78faf9ed5ef7a259b9 | 6 | SHA1 (asterisk-1.8.8.2/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 8692fa61423b4769dc8bfa78faf9ed5ef7a259b9 | |
| 7 | RMD160 (asterisk-1.8.8.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 68170c769d739d6b5b35b00f999ad6bbf876f9f6 | 7 | RMD160 (asterisk-1.8.8.2/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 68170c769d739d6b5b35b00f999ad6bbf876f9f6 | |
| 8 | Size (asterisk-1.8.8.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 3349898 bytes | 8 | Size (asterisk-1.8.8.2/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 3349898 bytes | |
| 9 | SHA1 (asterisk-1.8.8.1/extract-cfile.txt) = b22874814c83a53bcd1a8d96b5911304f304971e | 9 | SHA1 (asterisk-1.8.8.2/extract-cfile.txt) = b22874814c83a53bcd1a8d96b5911304f304971e | |
| 10 | RMD160 (asterisk-1.8.8.1/extract-cfile.txt) = e7205fe7e95793f3ca6e384edeef1ad5713485e0 | 10 | RMD160 (asterisk-1.8.8.2/extract-cfile.txt) = e7205fe7e95793f3ca6e384edeef1ad5713485e0 | |
| 11 | Size (asterisk-1.8.8.1/extract-cfile.txt) = 643 bytes | 11 | Size (asterisk-1.8.8.2/extract-cfile.txt) = 643 bytes | |
| 12 | SHA1 (asterisk-1.8.8.1/rfc3951.txt) = 1a6c769be750fb02456d60db2470909254496017 | 12 | SHA1 (asterisk-1.8.8.2/rfc3951.txt) = 1a6c769be750fb02456d60db2470909254496017 | |
| 13 | RMD160 (asterisk-1.8.8.1/rfc3951.txt) = 15f7ec61653ec9953172f8f2150e7d8f6f620926 | 13 | RMD160 (asterisk-1.8.8.2/rfc3951.txt) = 15f7ec61653ec9953172f8f2150e7d8f6f620926 | |
| 14 | Size (asterisk-1.8.8.1/rfc3951.txt) = 373442 bytes | 14 | Size (asterisk-1.8.8.2/rfc3951.txt) = 373442 bytes | |
| 15 | SHA1 (patch-aa) = 496565e1e567c42ab6ba8f996c506f52cb9c8cfe | 15 | SHA1 (patch-aa) = 496565e1e567c42ab6ba8f996c506f52cb9c8cfe | |
| 16 | SHA1 (patch-af) = 19786616bb606c38f769ec85f2e4d118573659ab | 16 | SHA1 (patch-af) = 19786616bb606c38f769ec85f2e4d118573659ab | |
| 17 | SHA1 (patch-ag) = c71c61350cefbbe53eefa99245ca7712753f22d5 | 17 | SHA1 (patch-ag) = c71c61350cefbbe53eefa99245ca7712753f22d5 | |
| 18 | SHA1 (patch-ai) = e92edab5c1ff323478f41d0b0783102ed527fe39 | 18 | SHA1 (patch-ai) = e92edab5c1ff323478f41d0b0783102ed527fe39 | |
| 19 | SHA1 (patch-ak) = adee75b7716a8794de1b8cb054af7a5a8f0e5ffd | 19 | SHA1 (patch-ak) = adee75b7716a8794de1b8cb054af7a5a8f0e5ffd | |
| 20 | SHA1 (patch-al) = b2a1134786d7c3b118ee8c47892f91dd2a4c783a | 20 | SHA1 (patch-al) = b2a1134786d7c3b118ee8c47892f91dd2a4c783a | |
| 21 | SHA1 (patch-am) = 5f9cbf47ec1cb66758492a5ed1bf843006eae9b7 | 21 | SHA1 (patch-am) = 5f9cbf47ec1cb66758492a5ed1bf843006eae9b7 | |
| 22 | SHA1 (patch-an) = 93a5df66fd6459fb76e9191dc3bf37b9ee5483b5 | 22 | SHA1 (patch-an) = 93a5df66fd6459fb76e9191dc3bf37b9ee5483b5 | |
| 23 | SHA1 (patch-ao) = aa95464a8bd4a417f313541b465142d2e4c3ee47 | 23 | SHA1 (patch-ao) = aa95464a8bd4a417f313541b465142d2e4c3ee47 | |
| 24 | SHA1 (patch-ap) = ed22f6483191f429389c0d3198d30c63b96d4df6 | 24 | SHA1 (patch-ap) = ed22f6483191f429389c0d3198d30c63b96d4df6 | |
| 25 | SHA1 (patch-aq) = c23bcf0a2e6acc78366d22c57b79278fc428e999 | 25 | SHA1 (patch-aq) = c23bcf0a2e6acc78366d22c57b79278fc428e999 | |
| 26 | SHA1 (patch-ar) = da8e614e68e476ce32c66fed5ee9dcb8c5f9a060 | 26 | SHA1 (patch-ar) = da8e614e68e476ce32c66fed5ee9dcb8c5f9a060 | |
| 27 | SHA1 (patch-as) = b2e1aadf49f20506243ab40796f15aab12d95bad | 27 | SHA1 (patch-as) = b2e1aadf49f20506243ab40796f15aab12d95bad |