Fri Jan 20 07:31:17 2012 UTC
Update to Asterisk 1.8.8.2. This fixes AST-2010-001:
Asterisk Project Security Advisory - AST-2012-001
+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | SRTP Video Remote Crash Vulnerability           |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Denial of Service                               |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote unauthenticated sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Moderate                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | No                                              |
|----------------------+-------------------------------------------------|
| Reported On          | 2012-01-15                                      |
|----------------------+-------------------------------------------------|
| Reported By          | Catalin Sanda                                   |
|----------------------+-------------------------------------------------|
| Posted On            | 2012-01-19                                      |
|----------------------+-------------------------------------------------|
| Last Updated On      | January 19, 2012                                |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Joshua Colp < jcolp AT digium DOT com >         |
|----------------------+-------------------------------------------------|
| CVE Name             |                                                 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description  | An attacker attempting to negotiate a secure video      |
|              | stream can crash Asterisk if video support has not been |
|              | enabled and the res_srtp Asterisk module is loaded.     |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the  |
|            | "Corrected In" section, or apply a patch specified in the |
|            | "Patches" section.                                        |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
|            Product            | Release Series |                       |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.8.x          | All versions          |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 10.x           | All versions          |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
|                 Product                  |           Release           |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 1.8.8.2                     |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 10.0.1                      |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                                Patches                                 |
|------------------------------------------------------------------------|
|                             SVN URL                             |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8  |
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff  |v10   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links   | https://issues.asterisk.org/jira/browse/ASTERISK-19202       |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and          |
| http://downloads.digium.com/pub/security/AST-2012-001.html             |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
|      Date       |       Editor       |         Revisions Made          |
|-----------------+--------------------+---------------------------------|
| 12-01-19        | Joshua Colp        | Initial release                 |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
(jnemeth)
diff -r1.19 -r1.20 pkgsrc/comms/asterisk18/Makefile
diff -r1.16 -r1.17 pkgsrc/comms/asterisk18/distinfo
--- pkgsrc/comms/asterisk18/Makefile 2012/01/17 06:29:41 1.19
+++ pkgsrc/comms/asterisk18/Makefile 2012/01/20 07:31:17 1.20
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.19 2012/01/17 06:29:41 jnemeth Exp $
+# $NetBSD: Makefile,v 1.20 2012/01/20 07:31:17 jnemeth Exp $
#
# NOTE: when updating this package, there are two places that sound
# tarballs need to be checked
-DISTNAME= asterisk-1.8.8.1
-PKGREVISION= 1
+DISTNAME= asterisk-1.8.8.2
DIST_SUBDIR= ${PKGNAME_NOREV}
DISTFILES= ${DEFAULT_DISTFILES}
EXTRACT_ONLY= ${DISTNAME}.tar.gz
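Review bot: the NOTE comment above DISTNAME says sound tarballs have to be checked in two places on every update, but this hunk only bumps DISTNAME and drops PKGREVISION, so it is not visible whether that check was done for 1.8.8.2. Dropping PKGREVISION is right for a new upstream version. Please confirm that the extra-sounds distfile fetched under the new DIST_SUBDIR is still the one this release expects, and consider naming the two places in the comment so the next security bump does not depend on memory.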
--- pkgsrc/comms/asterisk18/distinfo 2012/01/15 03:32:47 1.16
+++ pkgsrc/comms/asterisk18/distinfo 2012/01/20 07:31:17 1.17
@@ -1,17 +1,17 @@
-$NetBSD: distinfo,v 1.16 2012/01/15 03:32:47 jnemeth Exp $
+$NetBSD: distinfo,v 1.17 2012/01/20 07:31:17 jnemeth Exp $
-SHA1 (asterisk-1.8.8.1/asterisk-1.8.8.1.tar.gz) = ef4e58a00b1e8a9ae6b1923dd9feab1a0e6cd582
-RMD160 (asterisk-1.8.8.1/asterisk-1.8.8.1.tar.gz) = 8bf3d816786b2b5ba0bc87b3e008d5ab3a1b3955
-Size (asterisk-1.8.8.1/asterisk-1.8.8.1.tar.gz) = 24774178 bytes
-SHA1 (asterisk-1.8.8.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 8692fa61423b4769dc8bfa78faf9ed5ef7a259b9
-RMD160 (asterisk-1.8.8.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 68170c769d739d6b5b35b00f999ad6bbf876f9f6
-Size (asterisk-1.8.8.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 3349898 bytes
-SHA1 (asterisk-1.8.8.1/extract-cfile.txt) = b22874814c83a53bcd1a8d96b5911304f304971e
-RMD160 (asterisk-1.8.8.1/extract-cfile.txt) = e7205fe7e95793f3ca6e384edeef1ad5713485e0
-Size (asterisk-1.8.8.1/extract-cfile.txt) = 643 bytes
-SHA1 (asterisk-1.8.8.1/rfc3951.txt) = 1a6c769be750fb02456d60db2470909254496017
-RMD160 (asterisk-1.8.8.1/rfc3951.txt) = 15f7ec61653ec9953172f8f2150e7d8f6f620926
-Size (asterisk-1.8.8.1/rfc3951.txt) = 373442 bytes
+SHA1 (asterisk-1.8.8.2/asterisk-1.8.8.2.tar.gz) = 4046350bc9143882db6569d1fa8df90a63c53f26
+RMD160 (asterisk-1.8.8.2/asterisk-1.8.8.2.tar.gz) = 140d2bafdeeb259469b1514c3c6a4d09eb17aa17
+Size (asterisk-1.8.8.2/asterisk-1.8.8.2.tar.gz) = 24776534 bytes
+SHA1 (asterisk-1.8.8.2/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 8692fa61423b4769dc8bfa78faf9ed5ef7a259b9
+RMD160 (asterisk-1.8.8.2/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 68170c769d739d6b5b35b00f999ad6bbf876f9f6
+Size (asterisk-1.8.8.2/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 3349898 bytes
+SHA1 (asterisk-1.8.8.2/extract-cfile.txt) = b22874814c83a53bcd1a8d96b5911304f304971e
+RMD160 (asterisk-1.8.8.2/extract-cfile.txt) = e7205fe7e95793f3ca6e384edeef1ad5713485e0
+Size (asterisk-1.8.8.2/extract-cfile.txt) = 643 bytes
+SHA1 (asterisk-1.8.8.2/rfc3951.txt) = 1a6c769be750fb02456d60db2470909254496017
+RMD160 (asterisk-1.8.8.2/rfc3951.txt) = 15f7ec61653ec9953172f8f2150e7d8f6f620926
+Size (asterisk-1.8.8.2/rfc3951.txt) = 373442 bytes
SHA1 (patch-aa) = 496565e1e567c42ab6ba8f996c506f52cb9c8cfe
SHA1 (patch-af) = 19786616bb606c38f769ec85f2e4d118573659ab
SHA1 (patch-ag) = c71c61350cefbbe53eefa99245ca7712753f22d5
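Review bot: the new SHA1/RMD160/Size lines for asterisk-1.8.8.2.tar.gz only record what was downloaded, so for a security update the tarball should be checked against upstream's published checksum or signature before distinfo is regenerated, and the commit does not say that was done. The other three distfiles keep identical hashes and sizes and only move to the asterisk-1.8.8.2/ prefix, which is consistent with a rename of DIST_SUBDIR. The patch-aa, patch-af and patch-ag checksums are unchanged context, so also confirm that those local patches still apply cleanly to the 1.8.8.2 sources.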