and AST-2012-015. Apparently the last update didn't completely
fix the issues.
The Asterisk Development Team has announced a security release for
Asterisk 11, Asterisk 11.1.2. This release addresses the security
vulnerabilities reported in AST-2012-014 and AST-2012-015, and
replaces the previous version of Asterisk 11 released for these
security vulnerabilities. The prior release left open a vulnerability
in res_xmpp that exists only in Asterisk 11; as such, other versions
of Asterisk were resolved correctly by the previous releases.
The release of these versions resolves the following two issues:
* Stack overflows that occur in some portions of Asterisk that manage a TCP
connection. In SIP, this is exploitable via a remote unauthenticated session;
in XMPP and HTTP connections, this is exploitable via remote authenticated
sessions. The vulnerabilities in SIP and HTTP were corrected in a prior
release of Asterisk; the vulnerability in XMPP is resolved in this release.
* A denial of service vulnerability through exploitation of the device state
cache. Anonymous calls had the capability to create devices in Asterisk that
would never be disposed of. The cachability of device states aggregated via
XMPP is now handled in this release.
These issues and their resolutions are described in the security advisories.
For more information about the details of these vulnerabilities, please read
security advisories AST-2012-014 and AST-2012-015.
For a full list of changes in the current release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.1.2
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-014.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-015.pdf
Thank you for your continued support of Asterisk - and we apologize for having
to do this twice!
comes from Perl, so this will still build if libidn and Perl are
installed in different trees. Belt-and-suspenders fix for PR 47187 on
NetBSD, may also fix the problem seen on Dragonfly.
Fix a bug, introduced in version 3.7.15, that causes a segfault if the AS name of a result column of a SELECT statement is used as a logical term in the WHERE clause.
---------------
- /usr/bin/env police
Upstream Changes:
-----------------
Version 1.9.6:
SECURITY HINT: make sure you have allow_xslt = False (or just do not use
allow_xslt at all in your wiki configs, False is the internal default).
Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
HINT: Python >= 2.5 may be required! See docs/REQUIREMENTS for details.
Fixes:
* fix remote code execution vulnerability in twikidraw/anywikidraw action
* fix path traversal vulnerability in AttachFile action
* fix XSS issue, escape page name in rss link
* escape user- or admin-defined css url
* make taintfilename more secure
* use a constant time str comparison function to prevent timing attacks
* Attachment handler: catch all Zip-related errors
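The timing-attack fix listed above (constant time string comparison) is easiest to understand side by side with the early-exit comparison it replaces. This is an added illustration, not MoinMoin's own code: each function reports how many bytes it examined before answering, which is the observable the attack relies on; the token values are constructed.

```python
import hmac

# Constructed sample secret; in a wiki this would be a ticket or session token.
EXPECTED = b"secret-token-1234"


def naive_equal(a, b):
    """Early-exit comparison: stops at the first differing byte.

    Returns (equal, bytes_examined). The second value leaks how long the
    common prefix is, which is exactly what a timing attack measures.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a, b):
    """Constant-time comparison: always examines every byte.

    Returns (equal, bytes_examined); bytes_examined is always len(a) once
    the lengths match, so the work done does not depend on where the
    inputs differ. A length mismatch is still rejected immediately, which
    is acceptable when the expected length is not secret (tokens have a
    fixed, public length).
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y          # accumulate differences, never branch on them
    return diff == 0, len(a)


def verify_token(supplied):
    """What the fixed code path should look like in practice (Python 3.3+):
    defer to the standard library's constant-time compare."""
    return hmac.compare_digest(supplied, EXPECTED)
```

On Python 2.5/2.6, where `hmac.compare_digest` does not exist, the hand-written `constant_time_equal` is the fallback.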
Version 1.9.5:
Fixes:
* Security fix: fix virtual group bug in ACL evaluation.
* Avoid crash if #refresh processing instruction is used without arguments.
* Fix issue with non-ASCII textchas.
* Xapian indexing: remove copy.copy() that crashed on Windows/IIS/isapi-wsgi
after page save.
* Fix dictionary file reading crash under Windows.
* Work around crash of AdvancedSearch macro rendering caused by non-ascii
mimetypes.types_map entries.
* Added migration script for moin 1.8.9.
* rss_rc: Fix diffs added in RSS with diffs=1 (now they correspond to item
listed in feed and not just last page diffs). Links generated with ddiffs=1
also fixed.
* rss_rc: fix double escaping issue.
* rss_rc: respect show_names configuration option.
* rss_rc: proper support of rename, revert, page creation.
* modern/modernized theme: fix padding/width for editor preview
* group/pagelinks formatters: avoid creating unnecessary output; redirect the
output of the send_page call with the groups formatter, since it must not be
written to the output stream
* rst parser: fix include and macro directives
* wikisync: fix unicode pagename sending for python 2.7 httplib
New features:
* add a comment_required config option (default: False) to require a
non-empty comment when saving a page
* when a save error happens, show the editor again and highlight the error
* rss_rc: several new options added: the lines parameter gives the ability to
set the maximum size of diffs shown in RSS. The show_att parameter gives the
ability to show information about attachment-related items in RSS. The page
parameter gives the ability to specify the set of pages for which the changes
RSS feed should be generated. Configuration of defaults and limits can now be
done via the wiki configuration mechanism.
* Since it is now possible to provide RSS for page change history, an
appropriate alternate link is now added for every page (controlled by the
rss_show_page_history_link configuration parameter).
* Search: "no_highlight:" search query option provided for suppressing
highlighting search results.
* Search macros: new options for FullSearch, FullSearchCached and PageList
available:
* highlight_titles option controls highlighting of matches in search
results provided by these macros. Default value is set in the
search_macro_highlight_titles configuration option.
* highlight_pages option controls adding of highlight URL parameter to
page links (so search term is highlighted when user goes to one of
these pages via provided link) in search results. Default value is set
in search_macro_highlight_pages configuration option.
Usage of these options is disabled (via search_macro_parse_args
configuration option) by default due to behavioural changes introduced
in macro parameter parsing mechanism to support them. Related to
http://moinmo.in/FeatureRequests/FullSearchResultsWithoutHighlight .
Other changes:
* Remove 4suite dependency for docbook formatter, use minidom (included in
Python).
* Upgraded FCKeditor to 2.6.8.
Differencing and Compression, into the packages collection:
An encoder and decoder for the format described in RFC 3284: "The
VCDIFF Generic Differencing and Compression Data Format." The encoding
strategy is largely based on Bentley-McIlroy 99: "Data Compression
Using Long Common Strings." A library with a simple API is included,
as well as a command-line executable that can apply the encoder and
decoder to source, target, and delta files. A slight variation from
the draft standard is defined to allow chunk-by-chunk decoding when
only a partial delta file window is available.
pysmb is an experimental SMB/CIFS library written in Python. It
implements the client-side SMB/CIFS protocol (SMB1 and SMB2) which
allows your Python application to access and transfer files to/from
SMB/CIFS shared folders like your Windows file sharing and Samba
folders.
Changelog:
Changes since 5.0.0
-------------------
Numeric constants encountered in mathematical expressions (but not other
contexts) can contain underscores as separators that will be ignored on
evaluation, as allowed in other scripting languages. For example,
0xFFFF_FFFF, or 3.141_592_654.
"functions -T" turns on tracing for the specified function(s) only,
similar to "functions -t" except that tracing is turned off for any
functions called from the specified one(s) that don't also have the -t
or -T flag.
In file completion, the recursive-files style can be set to an array of
patterns to match against "$PWD/". In any matched location, it is
possible to complete files in arbitrarily deep subdirectories without
needing to type the directory prefix. See the example in the zshcompsys
manual.
The _user_expand completer now allows expansion functions in the
user-expand files to return a string in REPLY that will be used to name
the set of expansions returned.
Pyflakes is similar to PyChecker in scope, but differs in that it does
not execute the modules to check them. This is both safer and faster,
although it does not perform as many checks. Unlike PyLint, Pyflakes
checks only for logical errors in programs; it does not perform any
checks on style.
grappelli_safe was created to provide a snapshot of the Grappelli
admin skin for Django, to be referenced as a dependency for the
Mezzanine CMS for Django.
Bleach is an HTML sanitizing library that escapes or strips markup
and attributes based on a white list. Bleach can also linkify text
safely, applying filters that Django's ``urlize`` filter cannot,
and optionally setting ``rel`` attributes, even on links already
in the text.