Thu Jan 3 02:16:17 2013 UTC ()

de to Asterisk 1.8.19.1;  this is a security fix to fix AST-2012-14
and AST-2012-015.

Approved for commit during freeze by: agc

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8, 10, and 11. The available security releases
are released as versions 1.8.11-cert10, 1.8.19.1, 10.11.1, 10.11.1-digiumphones,
and 11.1.1.

The release of these versions resolve the following two issues:

* Stack overflows that occur in some portions of Asterisk that manage a TCP
  connection. In SIP, this is exploitable via a remote unauthenticated session;
  in XMPP and HTTP connections, this is exploitable via remote authenticated
  sessions.

* A denial of service vulnerability through exploitation of the device state
  cache. Anonymous calls had the capability to create devices in Asterisk that
  would never be disposed of.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
 * http://downloads.asterisk.org/pub/security/AST-2012-015.pdf

Thank you for your continued support of Asterisk!


(jnemeth)

diff -r1.55 -r1.56 pkgsrc/comms/asterisk18/Makefile
diff -r1.41 -r1.42 pkgsrc/comms/asterisk18/distinfo

--- pkgsrc/comms/asterisk18/Makefile 2012/12/16 01:52:01 1.55
+++ pkgsrc/comms/asterisk18/Makefile 2013/01/03 02:16:17 1.56

 @@ -1,23 +1,22 @@
-# $NetBSD: Makefile,v 1.55 2012/12/16 01:52:01 obache Exp $
+# $NetBSD: Makefile,v 1.56 2013/01/03 02:16:17 jnemeth Exp $
+#
 # NOTE: when updating this package, there are two places that sound
 #       tarballs need to be checked
-DISTNAME=	asterisk-1.8.19.0
+DISTNAME=	asterisk-1.8.19.1
 DIST_SUBDIR=	${PKGNAME_NOREV}
 DISTFILES=	${DEFAULT_DISTFILES}
 EXTRACT_ONLY=	${DISTNAME}.tar.gz
 PKGREVISION=	1
 CATEGORIES=	comms net audio
 MASTER_SITES=	http://downloads.asterisk.org/pub/telephony/asterisk/ \
 		http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ \
 		http://downloads.asterisk.org/pub/telephony/sounds/releases/
 OWNER=		jnemeth@NetBSD.org
 HOMEPAGE=	http://www.asterisk.org/
 COMMENT=	The Asterisk Software PBX
 LICENSE=	gnu-gpl-v2
 CONFLICTS+=	asterisk-sounds-extra-[0-9]*
 .include "../../mk/bsd.prefs.mk"

--- pkgsrc/comms/asterisk18/distinfo 2012/12/14 01:32:00 1.41
+++ pkgsrc/comms/asterisk18/distinfo 2013/01/03 02:16:17 1.42

 @@ -1,21 +1,21 @@
-$NetBSD: distinfo,v 1.41 2012/12/14 01:32:00 jnemeth Exp $
+$NetBSD: distinfo,v 1.42 2013/01/03 02:16:17 jnemeth Exp $
-SHA1 (asterisk-1.8.19.0/asterisk-1.8.19.0.tar.gz) = 4630823f8137b46dd36d55299fc5521de6548e54
+SHA1 (asterisk-1.8.19.1/asterisk-1.8.19.1.tar.gz) = e540aa387bf0cbceb7f208ac5bfaf9b5c1482d6c
-RMD160 (asterisk-1.8.19.0/asterisk-1.8.19.0.tar.gz) = 44e9b0b4a65f3630ad27b337ddd792df25be1387
+RMD160 (asterisk-1.8.19.1/asterisk-1.8.19.1.tar.gz) = 9f455f40f8248257f12b833f3fa3d31919fa6cc3
-Size (asterisk-1.8.19.0/asterisk-1.8.19.0.tar.gz) = 25160700 bytes
+Size (asterisk-1.8.19.1/asterisk-1.8.19.1.tar.gz) = 25158882 bytes
-SHA1 (asterisk-1.8.19.0/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 8692fa61423b4769dc8bfa78faf9ed5ef7a259b9
+SHA1 (asterisk-1.8.19.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 8692fa61423b4769dc8bfa78faf9ed5ef7a259b9
-RMD160 (asterisk-1.8.19.0/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 68170c769d739d6b5b35b00f999ad6bbf876f9f6
+RMD160 (asterisk-1.8.19.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 68170c769d739d6b5b35b00f999ad6bbf876f9f6
-Size (asterisk-1.8.19.0/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 3349898 bytes
+Size (asterisk-1.8.19.1/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz) = 3349898 bytes
 SHA1 (patch-aa) = 832f1c043b15198e0a286094dd0cc1a251bcfed0
 SHA1 (patch-af) = 19786616bb606c38f769ec85f2e4d118573659ab
 SHA1 (patch-ai) = e92edab5c1ff323478f41d0b0783102ed527fe39
 SHA1 (patch-ak) = f8d5de733807bc6c0701886a3095901d6815a8bd
 SHA1 (patch-al) = b2a1134786d7c3b118ee8c47892f91dd2a4c783a
 SHA1 (patch-am) = 5f9cbf47ec1cb66758492a5ed1bf843006eae9b7
 SHA1 (patch-an) = 93a5df66fd6459fb76e9191dc3bf37b9ee5483b5
 SHA1 (patch-ao) = aa95464a8bd4a417f313541b465142d2e4c3ee47
 SHA1 (patch-ap) = 94a986e6e24c04ee8e95ea6809f826cb99c90c8a
 SHA1 (patch-aq) = 682891a6c77d809bebc3085dcb88be9b1ab8589f
 SHA1 (patch-ar) = da8e614e68e476ce32c66fed5ee9dcb8c5f9a060
 SHA1 (patch-as) = b2e1aadf49f20506243ab40796f15aab12d95bad
 SHA1 (patch-at) = df318d7b492121ff6f766b0e6ea73415293e96f0