Wed Dec 3 01:00:23 2014 UTC ()

Update to Asterisk 1.8.32.1: this is a security fix release.

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
11.14.1, 12.7.1, and 13.0.1.

The release of these versions resolves the following security vulnerabilities:

* AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
  address families

  Many modules in Asterisk that service incoming IP traffic have ACL options
  ("permit" and "deny") that can be used to whitelist or blacklist address
  ranges. A bug has been discovered where the address family of incoming
  packets is only compared to the IP address family of the first entry in the
  list of access control rules. If the source IP address for an incoming
  packet is not of the same address as the first ACL entry, that packet
  bypasses all ACL rules.

* AST-2014-018: Permission Escalation through DB dialplan function

  The DB dialplan function when executed from an external protocol, such as AMI,
  could result in a privilege escalation. Users with a lower class authorization
  in AMI can access the internal Asterisk database without the required SYSTEM
  class authorization.

For more information about the details of these vulnerabilities, please read
security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
 * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf

Thank you for your continued support of Asterisk!


(jnemeth)

diff -r1.89 -r1.90 pkgsrc/comms/asterisk18/Makefile
diff -r1.57 -r1.58 pkgsrc/comms/asterisk18/distinfo

--- pkgsrc/comms/asterisk18/Makefile 2014/11/19 08:30:56 1.89
+++ pkgsrc/comms/asterisk18/Makefile 2014/12/03 01:00:23 1.90

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.89 2014/11/19 08:30:56 jnemeth Exp $
+# $NetBSD: Makefile,v 1.90 2014/12/03 01:00:23 jnemeth Exp $
+#
 # NOTE: when updating this package, there are two places that sound
 #       tarballs need to be checked
-DISTNAME=	asterisk-1.8.32.0
+DISTNAME=	asterisk-1.8.32.1
 DIST_SUBDIR=	${PKGNAME_NOREV}
 DISTFILES=	${DEFAULT_DISTFILES}
 EXTRACT_ONLY=	${DISTNAME}.tar.gz
 CATEGORIES=	comms net audio
 MASTER_SITES=	http://downloads.asterisk.org/pub/telephony/asterisk/ \
 		http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ \
 		http://downloads.asterisk.org/pub/telephony/sounds/releases/
 OWNER=		jnemeth@NetBSD.org
 HOMEPAGE=	http://www.asterisk.org/
 COMMENT=	The Asterisk Software PBX
 LICENSE=	gnu-gpl-v2

--- pkgsrc/comms/asterisk18/distinfo 2014/11/19 08:30:56 1.57
+++ pkgsrc/comms/asterisk18/distinfo 2014/12/03 01:00:23 1.58

 @@ -1,21 +1,21 @@
-$NetBSD: distinfo,v 1.57 2014/11/19 08:30:56 jnemeth Exp $
+$NetBSD: distinfo,v 1.58 2014/12/03 01:00:23 jnemeth Exp $
-SHA1 (asterisk-1.8.32.0/asterisk-1.8.32.0.tar.gz) = 3cecd9a31d99f2a9372e062c058d84962224c7c3
+SHA1 (asterisk-1.8.32.1/asterisk-1.8.32.1.tar.gz) = 0cdba970a970859a98289d2bad0a585ecc877fa2
-RMD160 (asterisk-1.8.32.0/asterisk-1.8.32.0.tar.gz) = ef90b650e202c3902115d6738ef468b2a53eb80f
+RMD160 (asterisk-1.8.32.1/asterisk-1.8.32.1.tar.gz) = 29401ac57b03a0d1ba4a3e7722d95e710a5033c5
-Size (asterisk-1.8.32.0/asterisk-1.8.32.0.tar.gz) = 29639709 bytes
+Size (asterisk-1.8.32.1/asterisk-1.8.32.1.tar.gz) = 29636238 bytes
-SHA1 (asterisk-1.8.32.0/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = fbb94494e31fc08eee8fdf2ce7d12eb274018050
+SHA1 (asterisk-1.8.32.1/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = fbb94494e31fc08eee8fdf2ce7d12eb274018050
-RMD160 (asterisk-1.8.32.0/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 53656a3d6771602504f220ad312093e3503e1150
+RMD160 (asterisk-1.8.32.1/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 53656a3d6771602504f220ad312093e3503e1150
-Size (asterisk-1.8.32.0/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 4409969 bytes
+Size (asterisk-1.8.32.1/asterisk-extra-sounds-en-gsm-1.4.15.tar.gz) = 4409969 bytes
 SHA1 (patch-aa) = 832f1c043b15198e0a286094dd0cc1a251bcfed0
 SHA1 (patch-af) = 19786616bb606c38f769ec85f2e4d118573659ab
 SHA1 (patch-ai) = e92edab5c1ff323478f41d0b0783102ed527fe39
 SHA1 (patch-ak) = 7cbc0e6e757e5d39cd7a92b76e266623b9fbe680
 SHA1 (patch-al) = b2a1134786d7c3b118ee8c47892f91dd2a4c783a
 SHA1 (patch-am) = 5f9cbf47ec1cb66758492a5ed1bf843006eae9b7
 SHA1 (patch-an) = 93a5df66fd6459fb76e9191dc3bf37b9ee5483b5
 SHA1 (patch-ao) = aa95464a8bd4a417f313541b465142d2e4c3ee47
 SHA1 (patch-ap) = bfb7b15224571f86a78fa7787f29002eb0c5d352
 SHA1 (patch-aq) = ac3e937c5ec1f2b8edd7343d47247274e0dae8c7
 SHA1 (patch-ar) = 04c76c54d3962a4eae5bc69bf946fc8ea2c3427f
 SHA1 (patch-as) = b2e1aadf49f20506243ab40796f15aab12d95bad
 SHA1 (patch-at) = df318d7b492121ff6f766b0e6ea73415293e96f0