Commit graph

1689 commits

Author SHA1 Message Date
jnemeth
873ad86cd4 Update to Asterisk 10.3.0:
pkgsrc change: eliminate ilbc option now that iLBC codec is always built

The Asterisk Development Team has announced the release of Asterisk 10.3.0.

The release of Asterisk 10.3.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Fix potential buffer overrun and memory leak when executing "sip
      show peers"

* --- Fix ACK routing for non-2xx responses.

* --- Remove possible segfaults from res_odbc by adding locks around
      usage of odbc handle

* --- Fix blind transfer parking issues if the dialed extension is not
      recognized as a parking extension.

* --- Copy CDR variables when set during a bridge

* --- push 'outgoing' flag from sig_XXX up to chan_dahdi

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.3.0

Thank you for your continued support of Asterisk!
2012-04-07 20:05:57 +00:00
rhaen
e88c3b66c0 Updated to 1.06
Changes:

1.06 Wed 9 Nov 2011
	- No functional changes
	- Moved to production version
	- Updating to Module::Install::DSL 1.04
	- New Perl back-compatibility target of 5.6
	- Made the Perl back-compat target explicit
	- Bumping a variety of dependencies to pick up bug fixes
	- Don't import from Params::Util
	- Various whitespace/tabbing fixes
	- Removed the use of base.pm
	- Updated bundled author tests and moved to xt
2012-04-01 19:04:34 +00:00
rhaen
27371897b7 Updated to 1.56
Changes:
1.56  Thu Sep 29 13:43:31 CEST 2011
    - [RT#71330] Unbroken the MANIFEST file. 1.55 was non functional.
      Thanks to Vita Cizek for reporting.

1.55  [BROKEN RELEASE. AVOID] Fri Sep 23 22:01:31 CEST 2011
    - Performance improvements by Ed Wildgoose, long time user. Thanks Ed!
      Windows users, please test this release!
2012-04-01 19:00:49 +00:00
rhaen
79d3ddfb69 Updated to 1.60
Changes:
1.60  Fri Mar 16 12:14:07 CET 2012
    - Removed the syslog test. Was artificial and pointless,
      and it failed on Windows and Solaris. Thanks to CPAN testers reports.

1.59  Thu Mar  8 10:13:30 CET 2012
    - Fixed RT #75619, POD fixes to make the POD clean for Debian packaging.
    - Applied .perltidyrc to all source files. Watch out if you had patches :)
2012-04-01 18:56:54 +00:00
rhaen
39dd282805 Updated to 1.03
Changes:
1.03	Fix AGI.pm from printing warnings on some optional
        variables (http://bugs.debian.org/525025)

1.02	Fix POD for AGI.pm thanks to Lawrence Gilbert
	Fix Manager.pm parsing values that were 0
	Fix verbose example in AGI.pm
	Fix return in _readparse in AGI.pm
	Fix quoting on a few AGI.pm commands
2012-04-01 18:49:01 +00:00
jnemeth
08d53e3071 Update to 1.6.2.23:
This is a security fix update.  It fixes AST-2012-002.

NOTE NOTE NOTE

This is likely to be the last update to this package.  This version
of Asterisk will be EOLed on April 21st, 2012.  It will probably
be removed from pkgsrc not long after that.  If you are still using
this package, you should consider switching to comms/asterisk18,
the Long Term Support version, or comms/asterisk10 in the near
future.

NOTE NOTE NOTE

The Asterisk Development Team has announced security releases for
Asterisk 1.4, 1.6.2, 1.8, and 10. The available security releases
are released as versions 1.4.44, 1.6.2.23, 1.8.10.1, and 10.2.1.

The release of Asterisk 1.4.44 and 1.6.2.23 resolve an issue wherein
app_milliwatt can potentially overrun a buffer on the stack, causing
Asterisk to crash.  This does not have the potential for remote
code execution.

These issues and their resolution are described in the security
advisory.

For more information about the details of these vulnerabilities,
please read the security advisories AST-2012-002 and AST-2012-003,
which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.23

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2012-002.pdf

Thank you for your continued support of Asterisk!
2012-03-25 02:59:53 +00:00
jnemeth
60aa645625 Update to 10.2.1:
This is a security fix release.  It fixes AST-2012-002 and AST-2012-003.

pkgsrc changes:

- adapt to having iLBC source code included
- fix building on Solaris
- adapt to new sound tarball

----- 10.2.0 -----

The Asterisk Development Team has announced the release of Asterisk 10.2.0.

The release of Asterisk 10.2.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Prevent outbound SIP NOTIFY packets from displaying a port of 0 ---

* --- Include iLBC source code for distribution with Asterisk ---

* --- Fix callerid of originated calls ---

* --- Fix outbound DTMF for inband mode of chan_ooh323 ---

* --- Create and initialize udptl only when dialog requests image media ---

* --- Don't prematurely stop SIP session timer ---

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.2.0

Thank you for your continued support of Asterisk!

----- 10.2.1 -----

The Asterisk Development Team has announced security releases for
Asterisk 1.4, 1.6.2, 1.8, and 10. The available security releases
are released as versions 1.4.44, 1.6.2.23, 1.8.10.1, and 10.2.1.

The release of Asterisk 1.8.10.1 and 10.2.1 resolve two issues.
First, they resolve the issue in app_milliwatt, wherein a buffer
can potentially be overrun on the stack, but no remote code execution
is possible.  Second, they resolve an issue in HTTP AMI where digest
authentication information can be used to overrun a buffer on the
stack, allowing for code injection and execution.

These issues and their resolution are described in the security
advisory.

For more information about the details of these vulnerabilities,
please read the security advisories AST-2012-002 and AST-2012-003,
which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.2.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
 * http://downloads.asterisk.org/pub/security/AST-2012-003.pdf

Thank you for your continued support of Asterisk!
2012-03-25 02:17:47 +00:00
jnemeth
4be3dbb534 Update to 1.8.10.1: this fixes AST-2012-002 and AST-2012-003.
pkgsrc changes: adapt to having iLBC code included in the asterisk
tarball and newer version of sounds tarball.

----- 1.8.10.0 -----

The Asterisk Development Team has announced the release of Asterisk 1.8.10.0.

The release of Asterisk 1.8.10.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Prevent outbound SIP NOTIFY packets from displaying a port of 0 ---

* --- Include iLBC source code for distribution with Asterisk ---

* --- Fix callerid of originated calls ---

* --- Fix outbound DTMF for inband mode of chan_ooh323 ---

* --- Create and initialize udptl only when dialog requests image media ---

* --- Don't prematurely stop SIP session timer ---

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.10.0

Thank you for your continued support of Asterisk!

----- 1.8.10.1 -----

The Asterisk Development Team has announced security releases for
Asterisk 1.4, 1.6.2, 1.8, and 10. The available security releases
are released as versions 1.4.44, 1.6.2.23, 1.8.10.1, and 10.2.1.

The release of Asterisk 1.8.10.1 and 10.2.1 resolve two issues.
First, they resolve the issue in app_milliwatt, wherein a buffer
can potentially be overrun on the stack, but no remote code execution
is possible.  Second, they resolve an issue in HTTP AMI where digest
authentication information can be used to overrun a buffer on the
stack, allowing for code injection and execution.

These issues and their resolution are described in the security
advisory.

For more information about the details of these vulnerabilities,
please read the security advisories AST-2012-002 and AST-2012-003,
which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.10.1

The security advisories are available at:

 * http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
 * http://downloads.asterisk.org/pub/security/AST-2012-003.pdf

Thank you for your continued support of Asterisk!
2012-03-22 03:43:42 +00:00
obache
2cd654bab6 Bump PKGREVISION from default python to 2.7. 2012-03-15 11:53:20 +00:00
ryoon
45f8f27196 Recursive PKGREVISION bump for xulrunner, nss, and nspr. 2012-03-06 17:38:53 +00:00
wiz
e0808f0de0 More pcre PKGREVISION bumps. 2012-03-03 12:54:15 +00:00
wiz
ee311e3b36 Recursive bump for pcre-8.30* (shlib major change) 2012-03-03 00:11:51 +00:00
hans
bbc6404569 Set perl path from TOOLS_PATH.perl instead of assuming it is in PREFIX. 2012-02-28 11:21:50 +00:00
jnemeth
ed3f427bf9 Upgrade to 10.1.3:
The Asterisk Development Team has announced the release of Asterisk 10.1.3.

The release of Asterisk 10.1.3 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Fix ACK routing for non-2xx responses.
  (Closes issue ASTERISK-19389. Reported by: Karsten Wemheuer)

* --- Fix regressions with regards to route-set creation on early dialogs ---
  (Closes issue ASTERISK-19358. Reported-by: Karsten Wemheuer)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.3

Thank you for your continued support of Asterisk!
2012-02-27 00:18:09 +00:00
jnemeth
227651d436 Update to 1.8.9.3:
pkgsrc changes:

- maintain patch naming convention
- detect kqueue properly

The Asterisk Development Team has announced the release of Asterisk 1.8.9.3.

The release of Asterisk 1.8.9.3 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Fix ACK routing for non-2xx responses.
  (Closes issue ASTERISK-19389. Reported by: Karsten Wemheuer)

* --- Fix regressions with regards to route-set creation on early dialogs ---
  (Closes issue ASTERISK-19358. Reported-by: Karsten Wemheuer)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.9.3

Thank you for your continued support of Asterisk!
2012-02-26 23:12:56 +00:00
hans
3aac3d65dc Fix build on SunOS. 2012-02-17 13:49:47 +00:00
hans
40819b4e65 Fix build on SunOS. 2012-02-16 18:00:20 +00:00
hans
3ca01df436 Fix build on SunOS. 2012-02-16 17:47:04 +00:00
hans
b691bd4994 Fix build on SunOS. 2012-02-16 17:35:30 +00:00
hans
ab724cef75 Fix build on SunOS. 2012-02-16 17:25:16 +00:00
hans
0e0c6a37db Buildlink textproc/wbxml2 in buildlink3.mk. 2012-02-16 17:22:39 +00:00
hans
35eb698529 Don't enable bluetooth on SunOS. 2012-02-16 17:21:15 +00:00
hans
bc19dd9cb6 Don't use -export-dynamic on SunOS. 2012-02-16 17:20:07 +00:00
hans
f628bdb621 Don't try to install SysV init scripts. That used to fix the build on
SunOS. Now it breaks because of tiff 4.0.
2012-02-16 17:18:50 +00:00
hans
dffea9e1f5 Fix build on SunOS. 2012-02-16 17:13:03 +00:00
hans
04a87af153 Fix build on SunOS. 2012-02-16 16:47:57 +00:00
hans
a488553a3c Fix build on SunOS. 2012-02-16 16:40:34 +00:00
hans
c0dfa2c444 Fix build on SunOS. 2012-02-16 16:30:03 +00:00
hans
54c8799333 Fix build on SunOS. 2012-02-16 16:13:51 +00:00
jnemeth
3e0376d06b The release of Asterisk 10.1.2 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Fix SIP INFO DTMF handling for non-numeric codes ---
  (Closes issue ASTERISK-19290. Reported by: Ira Emus)

* --- Fix crash in ParkAndAnnounce ---
  (Closes issue ASTERISK-19311. Reported-by: tootai)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.2
2012-02-12 20:17:16 +00:00
jnemeth
3b81e7b296 Update to Asterisk 1.8.9.2:
The release of Asterisk 1.8.9.2 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolve
2012-02-12 20:16:31 +00:00
jnemeth
01c9779df4 Update to 1.8.9.1:
The release of Asterisk 1.8.9.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Fixes deadlocks occurring in chan_agent ---

* --- Ensure entering T.38 passthrough does not cause an infinite loop ---

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.9.1

Thank you for your continued support of Asterisk!
2012-02-08 07:27:24 +00:00
jnemeth
1c9cf915b3 Update to 10.1.1:
The release of Asterisk 10.1.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Fixes deadlocks occurring in chan_agent ---

* --- Ensure entering T.38 passthrough does not cause an infinite loop ---

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.1

Thank you for your continued support of Asterisk!
2012-02-08 05:42:32 +00:00
wiz
6c9c77e597 Revbump for
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)

Enjoy.
2012-02-06 12:39:42 +00:00
wiz
6b5bd8d27a Revbump for
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)

Enjoy.
2012-02-06 12:39:17 +00:00
jnemeth
8f29c51c20 Update to Asterisk 10.1.0:
The Asterisk Development Team is pleased to announce the release of
Asterisk 10.1.0. This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 10.1.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* AST-2012-001: prevent crash when an SDP offer
  is received with an encrypted video stream when support for video
  is disabled and res_srtp is loaded.  (closes issue ASTERISK-19202)
  Reported by: Catalin Sanda

* Allow playback of formats that don't support seeking.  ast_streamfile
  previously did unconditional seeking on files that broke playback of
  formats that don't support that functionality.  This patch avoids the
  seek that was causing the problem.
  (closes issue ASTERISK-18994) Patched by: Timo Teras

* Add pjmedia probation concepts to res_rtp_asterisk's learning mode.  In
  order to better handle RTP sources with strictrtp enabled (which is the
  default setting in 10) using the learning mode to figure out new sources
  when they change is handled by checking for a number of consecutive (by
  sequence number) packets received to an rtp struct based on a new
  configurable value called 'probation'.  Also, during learning mode instead
  of liberally accepting all packets received, we now reject packets until a
  clear source has been determined.

* Handle AST_CONTROL_UPDATE_RTP_PEER frames in local bridge loop.  Failing
  to handle AST_CONTROL_UPDATE_RTP_PEER frames in the local bridge loop
  causes the loop to exit prematurely. This causes a variety of negative side
  effects, depending on when the loop exits. This patch handles the frame by
  essentially swallowing the frame in the local loop, as the current channel
  drivers expect the RTP bridge to handle the frame, and, in the case of the
  local bridge loop, no additional action is necessary.
  (closes issue ASTERISK-19095) Reported by: Stefan Schmidt Tested
  by: Matt Jordan

* Fix timing source dependency issues with MOH.  Prior to this patch,
  res_musiconhold existed at the same module priority level as the timing
  sources that it depends on.  This would cause a problem when music on
  hold was reloaded, as the timing source could be changed after
  res_musiconhold was processed. This patch adds a new module priority
  level, AST_MODPRI_TIMING, that the various timing modules are now loaded
  at. This now occurs before loading other resource modules, such
  that the timing source is guaranteed to be set prior to resolving
  the timing source dependencies.
  (closes issue ASTERISK-17474) Reporter: Luke H Tested by: Luke H,
  Vladimir Mikhelson, zzsurf, Wes Van Tlghem, elguero, Thomas Arimont
  Patched by elguero

* Fix RTP reference leak.  If a blind transfer were initiated using a
  REFER without a prior reINVITE to place the call on hold, AND if Asterisk
  were sending RTCP reports, then there was a reference leak for the
  RTP instance of the transferrer.
  (closes issue ASTERISK-19192) Reported by: Tyuta Vitali

* Fix blind transfers from failing if an 'h' extension
  is present.  This prevents the 'h' extension from being run on the
  transferee channel when it is transferred via a native transfer
  mechanism such as SIP REFER.  (closes issue ASTERISK-19173) Reported
  by: Ross Beer Tested by: Kristjan Vrban Patches: ASTERISK-19173 by
  Mark Michelson (license 5049)

* Restore call progress code for analog ports. Extracting sig_analog
  from chan_dahdi lost call progress detection functionality.  Fix
  analog ports from considering a call answered immediately after
  dialing has completed if the callprogress option is enabled.
  (closes issue ASTERISK-18841)
  Reported by: Richard Miller Patched by Richard Miller

* Fix regression that 'rtp/rtcp set debug ip' only works when a port
  was also specified.
  (closes issue ASTERISK-18693) Reported by: Davide Dal Reviewed by:
  Walter Doekes

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.1.0

Thank you for your continued support of Asterisk!
2012-01-28 20:39:10 +00:00
jnemeth
5e66279d63 Update to Asterisk 1.8.9.0:
The Asterisk Development Team is pleased to announce the release of
Asterisk 1.8.9.0. This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 1.8.9.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* AST-2012-001: prevent crash when an SDP offer
  is received with an encrypted video stream when support for video
  is disabled and res_srtp is loaded.  (closes issue ASTERISK-19202)
  Reported by: Catalin Sanda

* Handle AST_CONTROL_UPDATE_RTP_PEER frames in local bridge loop.  Failing
  to handle AST_CONTROL_UPDATE_RTP_PEER frames in the local bridge loop
  causes the loop to exit prematurely. This causes a variety of negative side
  effects, depending on when the loop exits. This patch handles the frame by
  essentially swallowing the frame in the local loop, as the current channel
  drivers expect the RTP bridge to handle the frame, and, in the case of the
  local bridge loop, no additional action is necessary.
  (closes issue ASTERISK-19095) Reported by: Stefan Schmidt Tested
  by: Matt Jordan

* Fix timing source dependency issues with MOH.  Prior to this patch,
  res_musiconhold existed at the same module priority level as the timing
  sources that it depends on.  This would cause a problem when music on
  hold was reloaded, as the timing source could be changed after
  res_musiconhold was processed. This patch adds a new module priority
  level, AST_MODPRI_TIMING, that the various timing modules are now loaded
  at. This now occurs before loading other resource modules, such
  that the timing source is guaranteed to be set prior to resolving
  the timing source dependencies.
  (closes issue ASTERISK-17474) Reporter: Luke H Tested by: Luke H,
  Vladimir Mikhelson, zzsurf, Wes Van Tlghem, elguero, Thomas Arimont
  Patched by elguero

* Fix RTP reference leak.  If a blind transfer were initiated using a
  REFER without a prior reINVITE to place the call on hold, AND if Asterisk
  were sending RTCP reports, then there was a reference leak for the
  RTP instance of the transferrer.
  (closes issue ASTERISK-19192) Reported by: Tyuta Vitali

* Fix blind transfers from failing if an 'h' extension
  is present.  This prevents the 'h' extension from being run on the
  transferee channel when it is transferred via a native transfer
  mechanism such as SIP REFER.  (closes issue ASTERISK-19173) Reported
  by: Ross Beer Tested by: Kristjan Vrban Patches: ASTERISK-19173 by
  Mark Michelson (license 5049)

* Restore call progress code for analog ports. Extracting sig_analog
  from chan_dahdi lost call progress detection functionality.  Fix
  analog ports from considering a call answered immediately after
  dialing has completed if the callprogress option is enabled.
  (closes issue ASTERISK-18841)
  Reported by: Richard Miller Patched by Richard Miller

* Fix regression that 'rtp/rtcp set debug ip' only works when a port
  was also specified.
  (closes issue ASTERISK-18693) Reported by: Davide Dal Reviewed by:
  Walter Doekes

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.9.0

Thank you for your continued support of Asterisk!
2012-01-28 19:11:35 +00:00
marino
9a2724648e comms/efax-gtk: Fix indirect linking error on DragonFly only 2012-01-24 23:55:57 +00:00
sbd
0baf031533 Recursive dependency bump for databases/gdbm ABI_DEPENDS change. 2012-01-24 09:10:50 +00:00
jnemeth
1fdc34555c Update to Asterisk 1.8.8.2. This fixes AST-2010-001:
Asterisk Project Security Advisory - AST-2012-001

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SRTP Video Remote Crash Vulnerability           |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Denial of Service                               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote unauthenticated sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | 2012-01-15                                      |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Catalin Sanda                                   |
   |----------------------+-------------------------------------------------|
   |      Posted On       | 2012-01-19                                      |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | January 19, 2012                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp < jcolp AT digium DOT com >         |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker attempting to negotiate a secure video       |
   |             | stream can crash Asterisk if video support has not been  |
   |             | enabled and the res_srtp Asterisk module is loaded.      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
   |            | "Corrected In" section, or apply a patch specified in the |
   |            | "Patches" section.                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.8.x      | All versions          |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |      10.x      | All versions          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           1.8.8.2           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           10.0.1            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                             SVN URL                             |Branch|
   |-----------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8  |
   |-----------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff  |v10   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Links   | https://issues.asterisk.org/jira/browse/ASTERISK-19202     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2012-001.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2012-001.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | 12-01-19        | Joshua Colp        | Initial release                 |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2012-001
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
2012-01-20 07:31:17 +00:00
jnemeth
11bec36c12 Update to Asterisk 10.0.1. This fixes AST-2012-001:
Asterisk Project Security Advisory - AST-2012-001

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SRTP Video Remote Crash Vulnerability           |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Denial of Service                               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote unauthenticated sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | 2012-01-15                                      |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Catalin Sanda                                   |
   |----------------------+-------------------------------------------------|
   |      Posted On       | 2012-01-19                                      |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | January 19, 2012                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp < jcolp AT digium DOT com >         |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker attempting to negotiate a secure video       |
   |             | stream can crash Asterisk if video support has not been  |
   |             | enabled and the res_srtp Asterisk module is loaded.      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
   |            | "Corrected In" section, or apply a patch specified in the |
   |            | "Patches" section.                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.8.x      | All versions          |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |      10.x      | All versions          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           1.8.8.2           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           10.0.1            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                             SVN URL                             |Branch|
   |-----------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8  |
   |-----------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff  |v10   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Links   | https://issues.asterisk.org/jira/browse/ASTERISK-19202     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2012-001.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2012-001.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | 12-01-19        | Joshua Colp        | Initial release                 |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2012-001
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
2012-01-20 07:29:08 +00:00
jnemeth
91ad787651 PR/35369 -- David Wetzel -- add support for speex codec (enabled by default) 2012-01-17 07:07:33 +00:00
jnemeth
5071d5487b PR/35369 -- David Wetzel -- add support for speex codec (enabled by default) 2012-01-17 06:29:41 +00:00
jnemeth
592d3fdf30 PR/35369 -- David Wetzel -- add support for speex codec (enabled by default) 2012-01-17 02:12:52 +00:00
jnemeth
f778a5a089 add and enable asterisk10 2012-01-15 18:39:32 +00:00
jnemeth
6d821d6563 Import Asterisk 10.0.0:
The Asterisk Development Team is proud to announce the release of
Asterisk 10.0.0. This release is available for immediate download
at http://downloads.asterisk.org/pub/telephony/asterisk/

Asterisk 10 is the next major release series of Asterisk. It will
be a Standard support release, similar to Asterisk 1.6.2. For more
information about support time lines for Asterisk releases, see
the Asterisk versions page:

   https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

With the release of the Asterisk 10 branch, the preceding '1.' has
been removed from the version number per the blog post available
at

http://blogs.digium.com/2011/07/21/the-evolution-of-asterisk-or-how-we-arrived-at-asterisk-10/

The release of Asterisk 10 would not have been possible without
the support and contributions of the community.

You can find an overview of the work involved with the 10.0.0
release in the summary:

http://svn.asterisk.org/svn/asterisk/tags/10.0.0/asterisk-10.0.0-summary.txt

A short list of available features includes:

* T.38 gateway functionality has been added to res_fax.
* Protocol independent out-of-call messaging support. Text messages not
   associated with an active call can now be routed through the Asterisk
   dialplan. SIP and XMPP are supported so far.
* New highly optimized and customizable ConfBridge application capable
   of mixing audio at sample rates ranging from 8kHz-192kHz
* Addition of video_mode option in confbridge.conf to provide basic video
   conferencing in the ConfBridge() dialplan application.
* Support for defining hints has been added to pbx_lua.
* Replacement of Berkeley DB with SQLite for the Asterisk Database (AstDB).
* Much, much more!

A full list of new features can be found in the CHANGES file.

   http://svn.asterisk.org/svn/asterisk/branches/10/CHANGES

Also, when upgrading a system between major versions, it is imperative
that you read and understand the contents of the UPGRADE.txt file,
which is located at:

   http://svn.asterisk.org/svn/asterisk/branches/10/UPGRADE.txt

Thank you for your continued support of Asterisk!
2012-01-15 18:36:18 +00:00
jnemeth
8238febf94 Update to Asterisk 1.8.8.1.
share/doc/asterisk/AST.{txt,pdf} has been replaced with
share/doc/asterisk/Asterisk_Admin_Guide.  You will need a browser
to read the latter.

----- Asterisk 1.8.8.1 -----

The release of Asterisk 1.8.8.1 resolves a regression introduced
in Asterisk 1.8.8.0 reported by the community, and would have not
been possible without your participation.  Thank you!

The following is the issue resolved in this release:

* Handle AST_CONTROL_UPDATE_RTP_PEER frames in local bridge loop

  Failing to handle AST_CONTROL_UPDATE_RTP_PEER frames in the local
  bridge loop causes the loop to exit prematurely.  This causes a
  variety of negative side effects, which may include having Music
  On Hold failing during a SIP Hold.

For a full description of the changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.1

Thank you for your continued support of Asterisk!

----- Asterisk 1.8.8.0 -----

The release of Asterisk 1.8.8.0 resolves several issues reported
by the community and would have not been possible without your
participation.  Thank you!

The following is a sample of the issues resolved in this release:

* Updated SIP 484 handling; added Incomplete control frame
   When a SIP phone uses the dial application and receives a 484
   Address Incomplete response, if overlapped dialing is enabled
   for SIP, then the 484 Address Incomplete is forwarded back to
   the SIP phone and the HANGUPCAUSE channel variable is set to
   28. Previously, the Incomplete application dialplan logic was
   automatically triggered; now, explicit dialplan usage of the
   application is required.

* Prevent IAX2 from getting IPv6 addresses via DNS
   IAX2 does not support IPv6 and getting such addresses from DNS
   can cause error messages on the remote end involving bad IPv4
   address casts in the presence of IPv6/IPv4 tunnels.

* Fix bad RTP media bridges in directmedia calls on peers separated by
  multiple Asterisk nodes.

* Fix crashes in ast_rtcp_write()

* Fix for incorrect voicemail duration in external notifications.
   This patch fixes an issue where the voicemail duration was being
   reported with a duration significantly less than the actual
   sound file duration.

* Prevent segfault if call arrives before Asterisk is fully booted.

* Fix remote Crash Vulnerability in SIP channel driver (AST-2011-012)
     http://downloads.asterisk.org/pub/security/AST-2011-012.pdf

* Fix locking order in app_queue.c which caused deadlocks

* Fix regression in configure script for libpri capability checks

* Prevent BLF subscriptions from causing deadlocks.

* Fix deadlock if peer is destroyed while sending MWI notice.

* Fix issue with setting defaultenabled on categories that are already
  enabled by default.

* Don't crash on INFO automon request with no channel
     AST-2011-014. When automon was enabled in features.conf, it
     was possible to crash Asterisk by sending an INFO request if
     no channel had been created yet.

* Fixed crash from orphaned MWI subscriptions in chan_sip
   This patch resolves the issue where MWI subscriptions are orphaned
   by subsequent SIP SUBSCRIBE messages.

* Default to nat=yes; warn when nat in general and peer differ
     AST-2011-013. It is possible to enumerate SIP usernames when
     the general and user/peer nat settings differ in whether to
     respond to the port a request is sent from or the port listed
     for responses in the Via header.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.8.0

Thank you for your continued support of Asterisk!
2012-01-15 03:32:47 +00:00
jnemeth
4695ae4a75 Update to Asterisk 1.6.2.22:
The release of Asterisk 1.6.2.22 corrects two flaws in sip.conf.sample
related to AST-2011-013:

* The sample file listed *two* values for the 'nat' option as being the default.
   Only 'yes' is the default.

* The warning about having differing 'nat' settings confusingly referred to both
   peers and users.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.22

Thank you for your continued support of Asterisk!
2012-01-14 08:30:15 +00:00
obache
615c758c19 Recursive bump from audio/libaudiofile, x11/qt4-libs and x11/qt4-tools ABI bump. 2012-01-13 10:54:43 +00:00
dholland
132cb352ac USE_TOOLS, not TOOLS. Apparently my fault 2012-01-04 14:33:53 +00:00
joerg
c791c6861b Remove partial RCS ID from patch which confuses the pkgsrc logic 2011-12-26 03:11:10 +00:00
wiz
cbbd0ce5d3 Fix build with gcc-4.5.
Mark as not MAKE_JOBS_SAFE (doesn't wait for library to be built before
linking it).
2011-12-19 13:44:07 +00:00
wiz
b1cdb8e352 Fix build (add missing headers). 2011-12-19 13:25:22 +00:00
dholland
de6214f7e2 Fix user/group handling; use SPECIAL_PERMS; support user-destdir mode.
Add patch comments.
Fix void main plus a couple build warnings.
PKGREVISION -> 3.
2011-12-18 18:18:50 +00:00
dholland
32e4292289 Needs curses, not termcap. Doesn't build, so no revbump. 2011-12-18 15:52:44 +00:00
sbd
5683bd8796 Add missing mk/termcap buildlink.
Respect LDFLAGS

Bump PKGREVISION
2011-12-17 10:15:00 +00:00
sbd
5500904816 Add missing mk/termcap buildlink.
Bump PKGREVISION
2011-12-17 10:14:56 +00:00
jnemeth
5c0d086acc This update is to fix AST-2011-013 and AST-2011-014.
Asterisk Project Security Advisory - AST-2011-013

         Product        Asterisk
         Summary        Possible remote enumeration of SIP endpoints with
                        differing NAT settings
    Nature of Advisory  Unauthorized data disclosure
      Susceptibility    Remote unauthenticated sessions
         Severity       Minor
      Exploits Known    Yes
       Reported On      2011-07-18
       Reported By      Ben Williams
        Posted On
     Last Updated On    December 7, 2011
     Advisory Contact   Terry Wilson <twilson at digium.com>

         CVE Name

    Description  It is possible to enumerate SIP usernames when the general
                 and user/peer NAT settings differ in whether to respond to
                 the port a request is sent from or the port listed for
                 responses in the Via header. In 1.4 and 1.6.2, this would
                 mean if one setting was nat=yes or nat=route and the other
                 was either nat=no or nat=never. In 1.8 and 10, this would
                 mean when one was nat=force_rport or nat=yes and the other
                 was nat=no or nat=comedia.

    Resolution  Handling NAT for SIP over UDP requires the differing
                behavior introduced by these options.

                To lessen the frequency of unintended username disclosure,
                the default NAT setting was changed to always respond to the
                port from which we received the request - the most commonly
                used option.

                Warnings were added on startup to inform administrators of
                the risks of having a SIP peer configured with a different
                setting than that of the general setting. The documentation
                now strongly suggests that peers are no longer configured
                for NAT individually, but through the global setting in the
                "general" context.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source             All        All versions

                                  Corrected In
     As this is more of an issue with SIP over UDP in general, there is no
     fix supplied other than documentation on how to avoid the problem. The
        default NAT setting has been changed to what we believe the most
      commonly used setting for the respective version in Asterisk 1.4.43,
                             1.6.2.21, and 1.8.7.2.

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-013.pdf and
    http://downloads.digium.com/pub/security/AST-2011-013.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-013
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

     __________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-014

         Product        Asterisk
         Summary        Remote crash possibility with SIP and the "automon"
                        feature enabled
    Nature of Advisory  Remote crash vulnerability in a feature that is
                        disabled by default
      Susceptibility    Remote unauthenticated sessions
         Severity       Moderate
      Exploits Known    Yes
       Reported On      November 2, 2011
       Reported By      Kristijan Vrban
        Posted On       2011-11-03
     Last Updated On    December 7, 2011
     Advisory Contact   Terry Wilson <twilson at digium.com>

         CVE Name

    Description  When the "automon" feature is enabled in features.conf, it
                 is possible to send a sequence of SIP requests that cause
                 Asterisk to dereference a NULL pointer and crash.

    Resolution  Applying the referenced patches that check that the pointer
                is not NULL before accessing it will resolve the issue. The
                "automon" feature can be disabled in features.conf as a
                workaround.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source           1.6.2.x      All versions
         Asterisk Open Source            1.8.x       All versions

                                  Corrected In
                   Product                              Release
            Asterisk Open Source                   1.6.2.21, 1.8.7.2

                                     Patches
                              Download URL                            Revision
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff   1.8.7.1

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-014.pdf and
    http://downloads.digium.com/pub/security/AST-2011-014.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-014
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
2011-12-12 06:52:40 +00:00
jnemeth
2e4af05973 This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes
in the iLBC codec files.

     __________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-013

         Product        Asterisk
         Summary        Possible remote enumeration of SIP endpoints with
                        differing NAT settings
    Nature of Advisory  Unauthorized data disclosure
      Susceptibility    Remote unauthenticated sessions
         Severity       Minor
      Exploits Known    Yes
       Reported On      2011-07-18
       Reported By      Ben Williams
        Posted On
     Last Updated On    December 7, 2011
     Advisory Contact   Terry Wilson <twilson at digium.com>

         CVE Name

    Description  It is possible to enumerate SIP usernames when the general
                 and user/peer NAT settings differ in whether to respond to
                 the port a request is sent from or the port listed for
                 responses in the Via header. In 1.4 and 1.6.2, this would
                 mean if one setting was nat=yes or nat=route and the other
                 was either nat=no or nat=never. In 1.8 and 10, this would
                 mean when one was nat=force_rport or nat=yes and the other
                 was nat=no or nat=comedia.

    Resolution  Handling NAT for SIP over UDP requires the differing
                behavior introduced by these options.

                To lessen the frequency of unintended username disclosure,
                the default NAT setting was changed to always respond to the
                port from which we received the request - the most commonly
                used option.

                Warnings were added on startup to inform administrators of
                the risks of having a SIP peer configured with a different
                setting than that of the general setting. The documentation
                now strongly suggests that peers are no longer configured
                for NAT individually, but through the global setting in the
                "general" context.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source             All        All versions

                                  Corrected In
     As this is more of an issue with SIP over UDP in general, there is no
     fix supplied other than documentation on how to avoid the problem. The
        default NAT setting has been changed to what we believe the most
      commonly used setting for the respective version in Asterisk 1.4.43,
                             1.6.2.21, and 1.8.7.2.

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-013.pdf and
    http://downloads.digium.com/pub/security/AST-2011-013.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-013
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

     __________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-014

         Product        Asterisk
         Summary        Remote crash possibility with SIP and the "automon"
                        feature enabled
    Nature of Advisory  Remote crash vulnerability in a feature that is
                        disabled by default
      Susceptibility    Remote unauthenticated sessions
         Severity       Moderate
      Exploits Known    Yes
       Reported On      November 2, 2011
       Reported By      Kristijan Vrban
        Posted On       2011-11-03
     Last Updated On    December 7, 2011
     Advisory Contact   Terry Wilson <twilson at digium.com>

         CVE Name

    Description  When the "automon" feature is enabled in features.conf, it
                 is possible to send a sequence of SIP requests that cause
                 Asterisk to dereference a NULL pointer and crash.

    Resolution  Applying the referenced patches that check that the pointer
                is not NULL before accessing it will resolve the issue. The
                "automon" feature can be disabled in features.conf as a
                workaround.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source           1.6.2.x      All versions
         Asterisk Open Source            1.8.x       All versions

                                  Corrected In
                   Product                              Release
            Asterisk Open Source                   1.6.2.21, 1.8.7.2

                                     Patches
                              Download URL                            Revision
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff   1.8.7.1

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-014.pdf and
    http://downloads.digium.com/pub/security/AST-2011-014.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-014
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
2011-12-12 05:05:33 +00:00
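
As an added example (not part of the commit messages, the advisory text or Asterisk itself): a small audit of a sip.conf for the condition AST-2011-013 describes, a peer whose nat value falls in a different response-port class than [general]. The sample configuration is constructed; treating a missing general nat as the respond-to-source-port class and ignoring template inheritance are assumptions of this sketch.

```python
"""Audit sip.conf text for the general/peer nat mismatch in AST-2011-013."""

# nat values grouped by where the SIP response is sent, as the advisory
# lists them for each release series.
NAT_CLASSES = {
    "1.8": {"source_port": {"force_rport", "yes"},
            "via_port": {"no", "comedia"}},
    "1.6.2": {"source_port": {"yes", "route"},
              "via_port": {"no", "never"}},
}

# Constructed sample input, not taken from a real system.
SAMPLE_SIP_CONF = """\
; constructed sample
[general]
nat=force_rport
context=default

[alice]
type=friend
nat=no            ; differs from general

[bob]
type=friend
nat = yes

[carol]
type=friend
; no nat line: uses the general setting
"""


def parse_sections(text):
    """Return {section: {key: value}} for a simple Asterisk-style config."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line:
            continue
        if line.startswith("["):
            end = line.find("]")
            if end == -1:
                continue                      # malformed header, skip it
            current = line[1:end]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Accept both "key=value" and "key => value".
            value = value.lstrip(">").strip().lower()
            sections[current][key.strip().lower()] = value
    return sections


def classify(value, series):
    """Map a nat value to its response-port class, or 'unknown'."""
    for name, values in NAT_CLASSES[series].items():
        if value in values:
            return name
    return "unknown"


def find_mismatches(text, series="1.8"):
    """List (peer, nat value, class) for peers that differ from [general]."""
    sections = parse_sections(text)
    general_value = sections.get("general", {}).get("nat")
    if general_value is None:
        # Assumption: with no explicit setting, the patched default responds
        # to the port the request came from, as the advisory states.
        general_class = "source_port"
    else:
        general_class = classify(general_value, series)
    findings = []
    for name, options in sections.items():
        if name == "general" or "nat" not in options:
            continue
        peer_class = classify(options["nat"], series)
        # Unrecognised values are reported too, so they get reviewed by hand.
        if peer_class != general_class:
            findings.append((name, options["nat"], peer_class))
    return findings


if __name__ == "__main__":
    for peer, value, cls in find_mismatches(SAMPLE_SIP_CONF):
        print(f"[{peer}] nat={value} ({cls}) differs from [general]")
```
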
sbd
701c09ae49 1) Add missing mk/curses buildlink.
2) Pass BUILDLINK_CPPFLAGS and BUILDLINK_LDFLAGS to the make process.
3) Have the build variables  HAVE_LIBCURSES and HAVE_CURSES needed for the
   linux build set by pkgsrc.

Bump PKGREVISION
2011-12-06 01:19:15 +00:00
adam
48bd48f954 Put <limits.h> back and fix PR#45540 2011-12-05 08:10:18 +00:00
jnemeth
d97e887bf9 Now that -current has sqlite3 included in base, enable it here. 2011-12-05 04:18:32 +00:00
hans
4a93e279bb Fix previous fix. 2011-11-30 23:48:18 +00:00
hans
b310e96b20 Fix a warning about assigned but unused variable, which caused the
build to fail.
2011-11-29 15:12:07 +00:00
joerg
f76795ec07 Fix build with newer GCC 2011-11-27 19:36:09 +00:00
joerg
f04d7e101f Fix various missing includes. 2011-11-25 21:34:34 +00:00
joerg
70c3141e59 Fix build with newer GCC 2011-11-24 14:16:18 +00:00
tron
57b00f36d3 Fix build under recent versions of Mac OS X by selecting a make target
that actually exists.
2011-11-20 12:01:50 +00:00
dholland
dfed9c02ab TOOLS+=yacc, may unbreak Linux build 2011-11-14 01:36:46 +00:00
taca
6b9a0108b4 * Remove .require_paths from PLIST
* Bump PKGREVISION.
2011-11-08 15:37:33 +00:00
hiramatsu
2e8ef22e07 Add LICENSE. 2011-11-05 23:13:27 +00:00
sbd
e93e5d65e3 Recursive bump for graphics/freetype2 buildlink addition. 2011-11-01 06:11:52 +00:00
sbd
04daa2f1b8 Recursive bump for graphics/freetype2 buildlink addition. 2011-11-01 06:00:33 +00:00
obache
4d60596b1b distutils package, register egg-info.
Bump PKGREVISION.
2011-10-29 13:22:16 +00:00
jnemeth
636c6f0efe Update to 1.8.7.1 -- this update fixes AST-2011-012
pkgsrc change:  now that sqlite3 has been imported into NetBSD, enable it

               Asterisk Project Security Advisory - AST-2011-012

          Product         Asterisk
          Summary         Remote crash vulnerability in SIP channel driver
     Nature of Advisory   Remote crash
       Susceptibility     Remote authenticated sessions
          Severity        Critical
       Exploits Known     No
        Reported On       October 4, 2011
        Reported By       Ehsan Foroughi
         Posted On        October 17, 2011
      Last Updated On     October 17, 2011
      Advisory Contact    Terry Wilson <twilson@digium.com>
          CVE Name        CVE-2011-4063

    Description  A remote authenticated user can cause a crash with a
                 malformed request due to an uninitialized variable.

    Resolution  Ensure variables are initialized in all cases when parsing
                the request.

                               Affected Versions
           Product         Release Series
    Asterisk Open Source       1.8.x       All versions
    Asterisk Open Source        10.x       All versions (currently in beta)

                                  Corrected In
                  Product                              Release
            Asterisk Open Source                 1.8.7.1, 10.0.0-rc1

                                    Patches
                             Download URL                           Revision
   http://downloads.asterisk.org/pub/security/AST-2011-012-1.8.diff 1.8
   http://downloads.asterisk.org/pub/security/AST-2011-012-10.diff  10

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-012.pdf and
    http://downloads.digium.com/pub/security/AST-2011-012.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-012
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
2011-10-17 23:40:50 +00:00
hiramatsu
d347bf3015 Fix build with perl 5.14.1 2011-10-14 11:26:31 +00:00
jnemeth
3e61759e68 Update to 1.8.7.0nb1.
This update adds a "jabber" option which is enabled by default.
This option pulls in iksemel which is used by the res_jabber.
Doing this allows chan_jingle (jabber) and chan_gtalk to work.
2011-10-12 03:21:07 +00:00
jnemeth
12cc353a8e Revert previous. This package was marked OWNER= for a reason! 2011-10-11 03:15:50 +00:00
jnemeth
12dcabb06c Update to 1.8.7.0 (mainly bug fixes).
pkgsrc changes:
- adjust for ilbc changes after it was acquired by Google
- install AST.pdf IAX2-security.pdf into share/doc/asterisk

1.8.7.0:
========

The release of Asterisk 1.8.7.0 resolves several issues reported
by the community and would have not been possible without your
participation.  Thank you!

Please note that a significant number of changes and fixes have
gone into features.c in this release (call parking, built-in
transfers, call pickup, etc.).

NOTE:

Recently, we were notified that the mechanism included in our
Asterisk source code releases to download and build support for
the iLBC codec had stopped working correctly; a little investigation
revealed that this occurred because of some changes on the
ilbcfreeware.org website. These changes occurred as a result of
Google's acquisition of GIPS, who produced (and provided licenses
for) the iLBC codec.

If you are a user of Asterisk and iLBC together, and you've already
executed a license agreement with GIPS, we believe you can continue
using iLBC with Asterisk. If you are a user of Asterisk and iLBC
together, but you had not executed a license agreement with GIPS,
we encourage you to research the situation and consult with your
own legal representatives to determine what actions you may want
to take (or avoid taking).

More information is available on the Asterisk blog:

http://blogs.asterisk.org/2011/09/19/ilbc-support-in-asterisk-after-googles-acquisition-of-gips/

The following is a sample of the issues resolved in this release:

* Added the 'storesipcause' option to sip.conf to allow the user to
   disable the setting of HASH(SIP_CAUSE,) on the channel. Having
   chan_sip set HASH(SIP_CAUSE,) on the channel carries a significant
   performance penalty because of the usage of the MASTER_CHANNEL()
   dialplan function.

   We've decided to disable this feature by default in future 1.8
   versions. This would be an unexpected behavior change for anyone
   depending on that SIP_CAUSE update in their dialplan. Please
   refer to the asterisk-dev mailing list for more information:

   http://lists.digium.com/pipermail/asterisk-dev/2011-August/050626.html

* Significant fixes and improvements to parking lots.
   (Closes issues ASTERISK-17183, ASTERISK-17870, ASTERISK-17430,
   ASTERISK-17452, ASTERISK-17452, ASTERISK-15792.)

* Numerous issues have been reported for deadlocks that are caused
   by a blocking read in res_timing_timerfd on a file descriptor
   that will never be written to.

   A change to Asterisk adds some checks to make sure that the
   timerfd is both valid and armed before calling read(). Should
   fix: ASTERISK-18142, ASTERISK-18197, ASTERISK-18166 and possibly
   others.  (In essence, this change should make res_timing_timerfd
   usable.)

* Resolve segfault when publishing device states via XMPP and not connected.
   (Closes issue ASTERISK-18078.)

* Refresh peer address if DNS unavailable at peer creation.
   (Closes issue ASTERISK-18000)

* Fix the missing DAHDI channels when using the newer chan_dahdi.conf
   sections for channel configuration.
   (Closes issue ASTERISK-18496.)

* Remove unnecessary libpri dependency checks in the configure script.
   (Closes issue ASTERISK-18535.)

* Update get_ilbc_source.sh script to work again.
   (Closes issue ASTERISK-18412)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.7.0

Thank you for your continued support of Asterisk!


1.8.6.0:
========

The release of Asterisk 1.8.6.0 resolves several issues reported
by the community and would have not been possible without your
participation.  Thank you!

The following is a sample of the issues resolved in this release:

* Fix an issue with Music on Hold classes losing files in playlist
   when realtime is used.  (Closes issue ASTERISK-17875.)

* Resolve a potential crash in chan_sip when utilizing auth= and
   performing a 'sip reload' from the console.  (Closes issue
   ASTERISK-17939.)

* Address some improper sql statements in res_odbc that would cause
   an update to fail on realtime peers due to trying to set as
   "(NULL)" rather than an actual NULL.  (Closes issue ASTERISK-17791.)

* Resolve issue where 403 Forbidden would always be sent maximum
   number of times regardless of receipt of ACK.

* Resolve issue where if a call to MeetMe includes both the dynamic(D)
   and always request PIN(P) options, MeetMe will ask for the PIN
   two times:  once for creating the conference and once for entering
   the conference.

* Fix New Zealand indications profile based on
   http://www.telepermit.co.nz/TNA102.pdf
   (Closes issue ASTERISK-16263.)

* Segfault in shell_helper in func_shell.c
   (Closes issue ASTERISK-18109.)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.6.0

Thank you for your continued support of Asterisk!
2011-10-11 03:12:55 +00:00
jnemeth
d58eba77e5 Revert previous. This package is marked OWNER= for a reason! 2011-10-11 02:13:40 +00:00
dholland
dedec9fba6 Fix native X build by cleaning up FONTDIR after imake. Ride previous bump. 2011-10-09 03:53:31 +00:00
dholland
3ee72b3ed9 Add a monster cleanup patch, posted as a distfile, to fix rampant
misuse of function pointer casts and mismatched function calls and
arguments. Now this has some chance at running on something other
than i386.

PKGREVISION -> 12.
2011-10-09 03:35:26 +00:00
shattered
1f8d6d58ff Remove zaptel option everywhere (zaptel-netbsd package was removed) 2011-10-08 13:49:08 +00:00
dholland
7d65f7a6e0 Not MAKE_JOBS_SAFE 2011-10-08 07:04:34 +00:00
wiz
78bf2cbc7e Remove zaptel option, zaptel-netbsd was removed. 2011-10-06 08:35:01 +00:00
wiz
52dbab663f Remove packages depending on the removed packages. 2011-10-02 14:32:31 +00:00
wiz
0922371859 Remove packages scheduled to be deleted according to the pkgsrc-2011Q2
release notes.
2011-10-02 14:11:51 +00:00
joerg
d75cc0e9ea Add a missing includes 2011-09-25 19:41:11 +00:00
joerg
33fd24a1cb Add missing include 2011-09-25 19:40:28 +00:00
joerg
b69f58ed3a Uses chown during install phase, so ensure that the user/group exists
for destdir operation
2011-09-24 19:30:40 +00:00
obache
52885bfd2a Use new C++ style headers first for CXX runtime check,
taken from upstream.

Fixes PR pkg/45324.
2011-09-03 08:52:59 +00:00
jnemeth
f1f42d12d4 Add a patch for PR/44766. The issue was that older versions of gas
require you to use movd (instead of movq) when transferring data
between reg32/64 and an mmx register.  No PKGREVISION bump since it
failed to compile on amd64 meaning there was no binary package.
2011-09-01 09:22:30 +00:00
dsainty
42a8e6dab0 Update to Device-XBee-API version 0.4
Changes:

0.4, 20110831 - jeagle

Fix packet timeout bug reported by Dave S.

Replace call to die() in __data_to_int with return undef, update docs to
reflect this.
2011-09-01 02:29:38 +00:00
dsainty
7f1bd627e6 +p5-Device-XBee-API 2011-08-28 06:46:56 +00:00
dsainty
466028fd1d Import Device::XBee::API version 0.3.
Device::XBee::API is a module designed to encapsulate the Digi XBee API in
object-oriented Perl.  This module expects to communicate with an XBee
module using the API firmware via a serial (or serial over USB) device.
2011-08-28 06:40:10 +00:00
hans
60fff8c6cd Update to 9.0.302, see http://www.columbia.edu/kermit/ck90.html for more
information.

Tested on NetBSD-current and OpenIndiana.

Support for ssl and kerberos is now available through the options
framework.
2011-08-25 14:54:06 +00:00
hans
d45f9eff23 FILE is an opaque data type on 64bit SunOS, its true definition is not
available in any headers.

Hack around this by adding the definition from the Illumos source in the
relevant place. Fixes 64bit build.
2011-08-25 13:46:28 +00:00
wiz
a829b53daa Update to 1.58:
1.58  Mon Mar  7 22:31:22 EST 2011
    - Fixed RT #48229, an uninitialized value when registering to the network
      but getting no answer from the phone.

1.57  Mon Mar  7 20:53:03 EST 2011
    - Fixed a bug in send_sms() that prevented it from working at all.
      The bug was introduced with the "assume_registered" option.
    - Fixed RT #57585. Thanks to Eric Kössldorfer for his patch and
      test case.
    - Added PDU<->latin1 conversion functions in Device::Gsm::Pdu
    - Note to self: first release from Australia!
2011-08-16 19:58:06 +00:00
wiz
7db4f6d003 Update to 1.54:
1.54  Sun May 29 20:53:23 AEST 2011
    - Removed uninitialized warning on $obj->{'CONNECTED'}.
      Fixes RT #68504.
2011-08-16 19:56:56 +00:00
obache
914df23d5b Revision bump after updating perl5 to 5.14.1. 2011-08-14 07:38:55 +00:00
jnemeth
7de85296ed Bump PKGREVISION for perl update. 2011-08-07 02:40:32 +00:00
ryoon
5fac220082 Fix MAINTAINER e-mail address. 2011-08-02 08:31:35 +00:00
adam
4e633d5dfa Changes 2.5:
* Handle device reconnected more smoothly (USB-serial dongles)
* Translation updates: Danish
* Several fixes (see ChangeLog)

Changes 2.4:
* Add -D and -b options to specify device and baud rate on the command
   line.
* Do character conversion between local and remote side (-R option)
* Added Indonesian translation
* Compatibility fixes for recent build environments
* Remove code that handled very old systems

Changes 2.3:
* Fix build on Mac OS X
* New version of the dial format to be little and big endian as well as
   32/64 bit safe
* Support more baud rates
* Handle device disappearances (e.g. serial-USB device unplug)
* Various build and other fixes

Changes 2.2:
* Vietnamese translation added
* Norwegian translation added
* Traditional Chinese translation added
* Swedish translation added
* Romanian translation added
* default to 8bit mode if LANG or LC_ALL are set
* default baud rate set to 115200
* Various code cleanups and fixes
2011-08-01 09:30:33 +00:00
joerg
93c2471ceb Fix a bunch of real world bugs that clang warns about. Fix up fix for
ctype usage to actually do the right thing, not just stop the warning.
Bump revision.
2011-07-21 15:35:55 +00:00
obache
8692ff62cb recursive bump from gnome-vfs drop crypto dependency. 2011-07-21 13:05:46 +00:00
jnemeth
68ac57e1c7 Update to Asterisk 1.8.5.0: this is a general bug fix release
The release of Asterisk 1.8.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Fix Deadlock with attended transfer of SIP call

* Fixes thread blocking issue in the sip TCP/TLS implementation.

* Be more tolerant of what URI we accept for call completion PUBLISH requests.

* Fix a nasty chanspy bug which was causing a channel leak every time a spied on
  channel made a call.

* This patch fixes a bug with MeetMe behavior where the 'P' option for always
  prompting for a pin is ignored for the first caller.

* Fix issue where Asterisk does not hangup a channel after endpoint hangs up. If
  the call that the dialplan started an AGI script for is hungup while the AGI
  script is in the middle of a command then the AGI script is not notified of
  the hangup.

* Resolve issue where leaving a voicemail, the MWI message is never sent. The
  same thing happens when checking a voicemail and marking it as read.

* Resolve issue where wait for leader with Music On Hold allows crosstalk
  between participants. Parenthesis in the wrong position. Regression from issue
  #14365 when expanding conference flags to use 64 bits.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.5.0

Thank you for your continued support of Asterisk!
2011-07-16 21:35:11 +00:00
plunky
ba4f5da7f5 update to 1.4.15
minor fixes, contributed by me
  - handle 32-bit short alias uuid's
  - forward compat for openobex-2.0 (nearing release)
2011-07-13 20:51:41 +00:00
jnemeth
125c097b80 Update to Asterisk 1.8.4.4 (fixes AST-2011-011):
Asterisk Project Security Advisory - AST-2011-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Possible enumeration of SIP users due to          |
   |                    | differing authentication responses                |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized data disclosure                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2011-2536                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk may respond differently to SIP requests from an |
   |             | invalid SIP user than it does to a user configured on    |
   |             | the system, even when the alwaysauthreject option is set |
   |             | in the configuration. This can leak information about    |
   |             | what SIP users are valid on the Asterisk system.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Respond to SIP requests from invalid and valid SIP users  |
   |            | in the same way. Asterisk 1.4 and 1.6.2 do not respond    |
   |            | identically by default due to backward-compatibility      |
   |            | reasons, and must have alwaysauthreject=yes set in        |
   |            | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.  |
   |            |                                                           |
   |            | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4    |
   |            | and 1.6.2 set alwaysauthreject=yes in the general section |
   |            | of sip.conf.                                              |
   +------------------------------------------------------------------------+
2011-07-05 08:42:56 +00:00
jnemeth
a30622e2dd Update to 1.6.2.19 (fixes several security issues):
Please note that Asterisk 1.6.2.19 is the final maintenance release
from the 1.6.2 branch. Support for security related issues will
continue until April 21, 2012. For more information about support
of the various Asterisk branches, see
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

The release of Asterisk 1.6.2.19 resolves several issues reported
by the community and would have not been possible without your
participation.  Thank you!

The following is a sample of the issues resolved in this release:

* Don't broadcast FullyBooted to every AMI connection
   The FullyBooted event should not be sent to every AMI connection
   every time someone connects via AMI. It should only be sent to
   the user who just connected.
   (Closes issue #18168. Reported, patched by FeyFre)
* Fix thread blocking issue in the sip TCP/TLS implementation.
   (Closes issue #18497. Reported by vois. Tested by vois, rossbeer, kowalma,
   Freddi_Fonet. Patched by dvossel)
* Don't delay DTMF in core bridge while listening for DTMF features.
   (Closes issue #15642, #16625. Reported by jasonshugart, sharvanek. Tested by
   globalnetinc, jde. Patched by oej, twilson)
* Fix chan_local crashes in local_fixup()
   Thanks OEJ for tracking down the issue and submitting the patch.
   (Closes issue #19053. Reported, patched by oej)
* Don't offer video to directmedia callee unless caller offered it as well
   (Closes issue #19195. Reported, patched by one47)

Additionally security announcements AST-2011-008, AST-2011-010, and
AST-2011-011 have been resolved in this release.

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.19
2011-07-05 08:34:47 +00:00
dholland
b99c86d383 Use more REPLACE_PERL, and use SUBST for handling the interpreter line of
a build product.
2011-06-19 18:37:38 +00:00
dholland
a1d4d0d496 sort 2011-06-19 18:35:30 +00:00
obache
9572f6d892 recursive bump from textproc/icu shlib major bump. 2011-06-10 09:39:41 +00:00
jnemeth
f7995e4a87 Upgrade to 1.8.4.2. This fixes several security issues including:
AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, AST-2011-006,
and AST-2011-007.

pkgsrc changes:
- add patch for autosupport script; == -> =
- patch configure to not unconditionally set PBX_LAUNCHD=1
  - this allows res_timing_kqueue.so to build

This last change brings a timing source to NetBSD which allows IAX
trunking and allows the bridging modules to work, a rather major
piece that was missing.  Note that I haven't extensively tested
it.  But, have at it...

===========================================================================
1.8.4.2:

The Asterisk Development Team has announced the release of Asterisk
version 1.8.4.2, which is a security release for Asterisk 1.8.

The release of Asterisk 1.8.4.2 resolves an issue with SIP URI parsing
which can lead to a remotely exploitable crash:

     Remote Crash Vulnerability in SIP channel driver (AST-2011-007)

The issue and resolution are described in the AST-2011-007 security
advisory.

For more information about the details of this vulnerability, please
read the security advisory AST-2011-007, which was released at the same
time as this announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.4.2

Security advisory AST-2011-007 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-007.pdf

===========================================================================
1.8.4.1:

The Asterisk Development Team has announced the release of Asterisk 1.8.4.1.

The release of Asterisk 1.8.4.1 resolves several issues reported by the
community. Without your help this release would not have been possible.
Thank you!

Below is a list of issues resolved in this release:

 * Fix our compliance with RFC 3261 section 18.2.2. (aka Cisco phone fix)

 * Resolve a change in IPv6 header parsing due to the Cisco phone fix issue.
   This issue was found and reported by the Asterisk test suite.

 * Resolve potential crash when using SIP TLS support.

 * Improve reliability when using SIP TLS.

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4.1

===========================================================================
1.8.4:

The Asterisk Development Team has announced the release of Asterisk 1.8.4.

The release of Asterisk 1.8.4 resolves several issues reported by the community.
Without your help this release would not have been possible. Thank you!

Below is a sample of the issues resolved in this release:

 * Use SSLv23_client_method instead of old SSLv2 only.

 * Resolve crash in ast_mutex_init()

 * Resolution of several DTMF based attended transfer issues.

   NOTE: Be sure to read the ChangeLog for more information about these changes.

 * Resolve deadlocks related to device states in chan_sip

 * Resolve an issue with the Asterisk manager interface leaking memory when
   disabled.

 * Support greetingsfolder as documented in voicemail.conf.sample.

 * Fix channel redirect out of MeetMe() and other issues with channel softhangup

 * Fix voicemail sequencing for file based storage.

 * Set hangup cause in local_hangup so the proper return code of 486 instead of
   503 when using Local channels when the far sides returns a busy. Also affects
   CCSS in Asterisk 1.8+.

 * Fix issues with verbose messages not being output to the console.

 * Fix Deadlock with attended transfer of SIP call

Includes changes per AST-2011-005 and AST-2011-006
For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.4

Information about the security releases is available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

===========================================================================
1.8.3.3:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.

The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:

* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)

The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.3

Security advisory AST-2011-005 and AST-2011-006 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

===========================================================================
1.8.3.2:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.

** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
    contained a bug which caused duplicate manager entries (issue #18987).

The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:

  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.2

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

===========================================================================
1.8.3.1:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.3.1

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

===========================================================================
1.8.3:

The Asterisk Development Team has announced the release of Asterisk 1.8.3.

The release of Asterisk 1.8.3 resolves several issues reported by the community
and would have not been possible without your participation. Thank you!

The following is a sample of the issues resolved in this release:

* Resolve duplicated data in the AstDB when using DIALGROUP()

* Ensure the ipaddr field in realtime is large enough to handle IPv6 addresses.

* Reworking parsing of mwi => lines to resolve a segfault. Also add a set of
   unit tests for the function that does the parsing.

* When using cdr_pgsql the billsec field was not populated correctly on
   unanswered calls.

* Resolve memory leak in iCalendar and Exchange calendaring modules.

* This version of Asterisk includes the new Compiler Flags option
   BETTER_BACKTRACES which uses libbfd to search for better symbol information
   within both the Asterisk binary, as well as loaded modules, to assist when
   using inline backtraces to track down problems.

* Resolve issue where no Music On Hold may be triggered when using
   res_timing_dahdi.

* Resolve a memory leak when the Asterisk Manager Interface is disabled.

* Reimplemented fax session reservation to reverse the ABI breakage introduced
   in r297486.

* Fix regression that changed behavior of queues when ringing a queue member.

* Resolve deadlock involving REFER.

Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.3

===========================================================================
1.8.2.4:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.

The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.2.4

Security advisory AST-2011-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
2011-06-09 09:17:27 +00:00
jnemeth
64c6665036 Upgrade to 1.6.2.18. This fixes several security issues including:
AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, and AST-2011-006.

===========================================================================
1.6.2.18:

The Asterisk Development Team has announced the release of Asterisk 1.6.2.18.

The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

 * Only offer codecs both sides support for directmedia.

 * Resolution of several DTMF based attended transfer issues.
   NOTE: Be sure to read the ChangeLog for more information about these changes.

 * Resolve deadlocks related to device states in chan_sip

 * Fix channel redirect out of MeetMe() and other issues with channel softhangup

 * Fix voicemail sequencing for file based storage.

 * Guard against retransmitting BYEs indefinitely during attended transfers with
   chan_sip.

In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18

===========================================================================
1.6.2.17.3

The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.

The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:

* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)

The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.3

Security advisory AST-2011-005 and AST-2011-006 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

===========================================================================
1.6.2.17.2:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.

** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
    contained a bug which caused duplicate manager entries (issue #18987).

The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:

  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.2

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

===========================================================================
1.6.2.17.1:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.1

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

===========================================================================
1.6.2.16.2:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.

The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2

Security advisory AST-2011-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
2011-06-06 06:25:06 +00:00
jnemeth
9d54e1f831 Upgrade to 1.6.2.18. This fixes several security issues including:
AST-2011-002, AST-2011-003, AST-2011-004, AST-2011-005, and AST-2011-006.

===========================================================================
1.6.2.18:

The Asterisk Development Team has announced the release of Asterisk 1.6.2.18.

The release of Asterisk 1.6.2.18 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

 * Only offer codecs both sides support for directmedia.

 * Resolution of several DTMF based attended transfer issues.
   NOTE: Be sure to read the ChangeLog for more information about these changes.

 * Resolve deadlocks related to device states in chan_sip

 * Fix channel redirect out of MeetMe() and other issues with channel softhangup

 * Fix voicemail sequencing for file based storage.

 * Guard against retransmitting BYEs indefinitely during attended transfers with
   chan_sip.

In addition to the changes listed above, commits to resolve security issues
AST-2011-005 and AST-2011-006 have been merged into this release. More
information about AST-2011-005 and AST-2011-006 can be found at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.18

===========================================================================
1.6.2.17.3

The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3.

The releases of Asterisk 1.4.40.1, 1.6.1.25, 1.6.2.17.3, and 1.8.3.3 resolve two
issues:

* File Descriptor Resource Exhaustion (AST-2011-005)
* Asterisk Manager User Shell Access (AST-2011-006)

The issues and resolutions are described in the AST-2011-005 and AST-2011-006
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-005 and AST-2011-006, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.3

Security advisory AST-2011-005 and AST-2011-006 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf

===========================================================================
1.6.2.17.2:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2.

** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which
    contained a bug which caused duplicate manager entries (issue #18987).

The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues:

  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.2

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

===========================================================================
1.6.2.17.1:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.6.1.23, 1.6.2.17.1, and 1.8.3.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  * Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  * Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004
security advisories.

For more information about the details of these vulnerabilities, please read the
security advisories AST-2011-003 and AST-2011-004, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.17.1

Security advisory AST-2011-003 and AST-2011-004 are available at:

http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
http://downloads.asterisk.org/pub/security/AST-2011-004.pdf

===========================================================================
1.6.2.17:

The Asterisk Development Team has announced the release of Asterisk 1.6.2.17.

The release of Asterisk 1.6.2.17 resolves several issues reported by the
community and would have not been possible without your participation.

The following is a sample of the issues resolved in this release:

* Resolve duplicated data in the AstDB when using DIALGROUP()

* Correct issue where res_config_odbc could populate fields with invalid data.

* When using cdr_pgsql the billsec field was not populated correctly on
   unanswered calls.

* Resolve issue where re-transmissions of SUBSCRIBE could break presence.

* Fix regression causing forwarding voicemails to not work with file storage.

* This version of Asterisk includes the new Compiler Flags option
   BETTER_BACKTRACES which uses libbfd to search for better symbol information
   within both the Asterisk binary, as well as loaded modules, to assist when
   using inline backtraces to track down problems.

* Resolve several issues with DTMF based attended transfers.
   NOTE: Be sure to read the ChangeLog for more information about these changes.

* Resolve issue where no Music On Hold may be triggered when using
   res_timing_dahdi.

* Fix regression that changed behavior of queues when ringing a queue member.

Additionally, this release has the changes related to security bulletin
AST-2011-002 which can be found at
http://downloads.asterisk.org/pub/security/AST-2011-002.pdf

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.17

===========================================================================
1.6.2.16.2:

The Asterisk Development Team has announced security releases for Asterisk
branches 1.4, 1.6.1, 1.6.2, and 1.8. The available security releases are
released as versions 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4.

The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an
issue that when decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems configured for
T.38 pass through or termination are vulnerable. The issue and resolution are
described in the AST-2011-002 security advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-002, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.2.16.2

Security advisory AST-2011-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-002.pdf
=============================================================================
2011-06-06 06:25:05 +00:00
obache
ebebeead7c * Change MASTER_SITES subdir to simple usual one.
* fix DEPENDS pattern, need to surround {} for multiple pkgname pattern.
2011-05-19 05:19:32 +00:00
dmcmahill
ddc807553a add and enable several perl modules needed to support databases/koha. PR pkg/43929 2011-05-18 02:23:22 +00:00
dmcmahill
df37e20459 Initial import of comms/p5-SMS-Send version 0.05
This package was submitted as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß

-------------------------------------

SMS::Send is intended to provide a driver-based single API for sending SMS and
MMS messages. The intent is to provide a single API against which to write the
code to send an SMS message.

At the same time, the intent is to remove the limits of some of the previous
attempts at this sort of API, like "must be free internet-based SMS services".

SMS::Send drivers are installed separately, and might use the web, email or
physical SMS hardware. It could be free or paid. The details shouldn't matter.

You should not have to care how it is actually sent, only that it has been sent
(although some drivers may not be able to provide certainty).
2011-05-17 10:31:52 +00:00
hans
eeeb45091f Fix build on SunOS. 2011-05-14 19:27:53 +00:00
obache
d7f5de3ab0 Let not to change DIST_SUBDIR after bump PKGREVISION to 2.
PR#44914.
2011-04-28 02:30:11 +00:00
obache
1d9df3258a recursive bump from gettext-lib shlib bump. 2011-04-22 13:41:54 +00:00
obache
9811bef5b8 move PKG_DESTDIR_SUPPORT and LICENSE to usual location. 2011-04-16 11:16:34 +00:00
obache
400968bdd3 Remove unwanted empty PKGREVISION. 2011-04-16 11:14:31 +00:00
is
246005f7cb format police 2011-04-07 13:18:23 +00:00
is
36388a5070 DESTDIRize. 2011-04-07 12:53:05 +00:00
is
fab299b67f Update to 1.1.37 2011-04-06 20:57:18 +00:00
is
9194cb187a License is GPL V2. Hinted in Readme.1st, verified with author. (COPYING
is missing in the top level directory, but available in ../x11/viewfax/ and
../tcl/faxview/. COPYING is available in 1.1.37 (TODO: upgrade).
2011-04-06 15:03:02 +00:00
is
513c4a408a PKG_DESTDIR_SUPPORT=destdir 2011-04-05 21:09:50 +00:00
is
6bfa800e11 Bump revision. 2011-03-31 17:55:25 +00:00
is
f5ff056d9b Point LICENSE to estic-license, remove RESTRICTIONS according to it, as
discussed with gdt@ and martin@.
2011-03-31 17:40:16 +00:00
zafer
c2ef1d31af update master_sites. ftp service has been suspended. 2011-03-14 12:11:50 +00:00
zafer
d7daa3c303 revert. was temporarily unavailable. 2011-03-14 12:08:53 +00:00
zafer
429346a013 service discontinued (> 2 years ago). prevent time out. fetch from master_sites_backup. 2011-03-11 10:45:49 +00:00
wiz
e2f84ad43f Reset maintainer for retired developers. 2011-02-28 14:52:37 +00:00
taca
33e824faca Bump PKGREVISION due to ABI change of ruby18-base. 2011-02-21 16:01:10 +00:00
wiz
1513d1b011 + spandsp. 2011-02-10 16:26:40 +00:00
jnemeth
b16324e6ee SpanDSP is a library of DSP functions for telephony, in the 8000
sample per second world of E1s, T1s, and higher order PCM channels.
It contains low level functions, such as basic filters. It also
contains higher level functions, such as cadenced supervisory tone
detection, and a complete software FAX machine.  The software has
been designed to avoid intellectual property issues, using mature
techniques where all relevant patents have expired. See the file
DueDiligence for important information about these intellectual
property issues.
2011-02-06 08:32:06 +00:00
jnemeth
0721fec1db Add a spandsp option which pulls in comms/spandsp and links against it
to enable res_fax_spandsp.so.  Don't bother with a PKGREVISION bump since
this doesn't change default builds and there is no need to bother people
that don't need the option.
2011-02-06 08:30:17 +00:00
jnemeth
89f91870c1 Added a comment that the issue these patches fix (mainly adding support
for NetBSD style atomic ops) has been reported upstream.  No change to
binary package, so no REVISION bump.
2011-01-29 22:50:32 +00:00
jnemeth
5e4c403479 Bah! Upstream changed a couple of text files in the distro tarball
without cranking the version number.
2011-01-28 01:50:38 +00:00
jnemeth
78d61fe8cf Update to 1.8.2.3 -- bug fix release to fix a FAX issue
pkgsrc:  fix issue with patch for detecting sys/atomic.h

The Asterisk Development Team has announced the release of Asterisk 1.8.2.3.

The release of Asterisk 1.8.2.3 resolves the following issue:

  * Reimplemented fax session reservation to reverse the ABI breakage introduced
    in r297486.
    (Reported by Jeremy Kister on the asterisk-users mailing list. Patched by
    mnicholson)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2.3
2011-01-27 04:03:17 +00:00
jnemeth
2b2576d313 Update to 1.8.2.2
This is to fix AST-2011-001: Stack buffer overflow in SIP channel driver

               Asterisk Project Security Advisory - AST-2011-001

         Product        Asterisk
         Summary        Stack buffer overflow in SIP channel driver
    Nature of Advisory  Exploitable Stack Buffer Overflow
      Susceptibility    Remote Authenticated Sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      January 11, 2011
       Reported By      Matthew Nicholson
        Posted On       January 18, 2011
     Last Updated On    January 18, 2011
     Advisory Contact   Matthew Nicholson <mnicholson at digium.com>
         CVE Name

   Description When forming an outgoing SIP request while in pedantic mode, a
               stack buffer can be made to overflow if supplied with
               carefully crafted caller ID information. This vulnerability
               also affects the URIENCODE dialplan function and in some
               versions of asterisk, the AGI dialplan application as well.
               The ast_uri_encode function does not properly respect the size
               of its output buffer and can write past the end of it when
               encoding URIs.

For full details, see:

http://downloads.digium.com/pub/security/AST-2011-001.html
2011-01-21 07:00:43 +00:00
jnemeth
a41223dfd0 Update to 1.6.2.16.1
This is to fix AST-2011-001: Stack buffer overflow in SIP channel driver

               Asterisk Project Security Advisory - AST-2011-001

         Product        Asterisk
         Summary        Stack buffer overflow in SIP channel driver
    Nature of Advisory  Exploitable Stack Buffer Overflow
      Susceptibility    Remote Authenticated Sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      January 11, 2011
       Reported By      Matthew Nicholson
        Posted On       January 18, 2011
     Last Updated On    January 18, 2011
     Advisory Contact   Matthew Nicholson <mnicholson at digium.com>
         CVE Name

   Description When forming an outgoing SIP request while in pedantic mode, a
               stack buffer can be made to overflow if supplied with
               carefully crafted caller ID information. This vulnerability
               also affects the URIENCODE dialplan function and in some
               versions of asterisk, the AGI dialplan application as well.
               The ast_uri_encode function does not properly respect the size
               of its output buffer and can write past the end of it when
               encoding URIs.

For full details, see:

http://downloads.digium.com/pub/security/AST-2011-001.html
2011-01-21 05:13:12 +00:00
jnemeth
9ac341baff Update to 1.8.2:
The release of Asterisk 1.8.2 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* 'sip notify clear-mwi' needs terminating CRLF.
   (Closes issue #18275. Reported, patched by klaus3000)

* Patch for deadlock from ordering issue between channel/queue locks in
   app_queue (set_queue_variables).
   (Closes issue #18031. Reported by rain. Patched by bbryant)

* Fix cache of device state changes for multiple servers.
   (Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
   by russellb)

* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
   instead of redirecting the call.
   (Closes issue #18171. Reported by: SantaFox)
   (Closes issue #18185. Reported by: kwemheuer)
   (Closes issue #18211. Reported by: zahir_koradia)
   (Closes issue #18230. Reported by: vmarrone)
   (Closes issue #18299. Reported by: mbrevda)
   (Closes issue #18322. Reported by: nerbos)

* Fix reloading of peer when a user is requested. Prevent peer reloading from
   causing multiple MWI subscriptions to be created when using realtime.
   (Closes issue #18342. Reported, patched by nivek.)

* Fix XMPP PubSub-based distributed device state. Initialize pubsubflags to 0
   so res_jabber doesn't think there is already an XMPP connection sending
   device state. Also clean up CLI commands a bit.
   (Closes issue #18272. Reported by klaus3000. Patched by Marquis42)

* Don't crash after Set(CDR(userfield)=...) in ast_bridge_call. Instead of
   setting peer->cdr = NULL, set it to not post.
   (Closes issue #18415. Reported by macbrody. Patched, tested by jsolares)

* Fixes issue with outbound google voice calls not working. Thanks to az1234
   and nevermind_quack for their input in helping debug the issue.
   (Closes issue #18412. Reported by nevermind_quack. Patched by dvossel)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.2
2011-01-16 17:52:42 +00:00
jnemeth
2de8371ff4 Update to 1.6.2.16:
The release of Asterisk 1.6.2.16 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* Fix cache of device state changes for multiple servers.
   (Closes issue #18284, #18280. Reported, tested by klaus3000. Patched, tested
   by russellb)

* Resolve issue where channel redirect function (CLI or AMI) hangs up the call
   instead of redirecting the call.
   (Closes issue #18171. Reported by: SantaFox)
   (Closes issue #18185. Reported by: kwemheuer)
   (Closes issue #18211. Reported by: zahir_koradia)
   (Closes issue #18230. Reported by: vmarrone)
   (Closes issue #18299. Reported by: mbrevda)
   (Closes issue #18322. Reported by: nerbos)

* Linux and *BSD disagree on the elements within the ucred structure. Detect
   which one is in use on the system.
   (Closes issue #18384. Reported, patched, tested by bjm, tilghman)

* app_followme: Don't create a Local channel if the target extension does not
   exist.
   (Closes issue #18126. Reported, patched by junky)

* Revert code that changed SSRC for DTMF.
   (Closes issue #17404, #18189, #18352. Reported by sdolloff, marcbou, rsw686.
   Tested by cmbaker82)

* Resolve issue where REGISTER request with a Call-ID matching an existing
   transaction is received it was possible that the REGISTER request would
   overwrite the initreq of the private structure.
   (Closes issue #18051. Reported by eeman. Patched, tested by twilson)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.16
2011-01-16 06:30:56 +00:00
wiz
af3596f984 png shlib name changed for png>=1.5.0, so bump PKGREVISIONs. 2011-01-13 13:36:05 +00:00
obache
e9472c5719 Update HOMEPAGE and MASTER_SITES. 2011-01-13 10:59:11 +00:00
obache
1f68fe164b treat DragonFly same as other *BSD. 2011-01-06 00:33:39 +00:00
obache
def2b35038 Add a workaround for DragonFly arpa/telnet.h. 2010-12-30 09:22:43 +00:00
obache
4fa19ac0f0 Include <stdlib.h> not only NetBSD.
It already included unconditionally with other patches,
and fixes build failure on other platforms.
2010-12-30 09:02:51 +00:00