True aim is now in the book of blades, so you can learn it without an extra skill book. (Robert Barber)
Forgetting a spell while wielding a staff that imbues it will now properly fail. (Paul Strickland)
Failing to forget no longer uses a turn.
Unenchanted weapons and armor which you have found the enchantment of now report +0. (Mike Ratzlaff)
Objects collapsing into meatballs now properly state if the result is multiple meatballs. (Nathan Bogue)
Tutorial for signpost for kiwis now mentions the hostile tag on the look description. (Claudio)
Signpost added to surace world. (SilverAnalyst)
Someone to greet you on the surface world. (Andrew Walker)
Unequippable item slots say No Item slot rather than Empty slot. Empty body slots report the appendage name (left hand, radula, etc)
+ and * by the god reports when praying lets you know how much they like your fashion sense. (hotpoo)
Frogs have a bonus to attack vs insects. (Robert Barber)
Silver and gold weapons will occasionally dull if used against non-vulnerable targets.
Finally added the cute and cuddly triceratops!
If you id the enchantment of an item by throwing it, now the stack you threw it from wil also be ided. (Mike Ratzlaff)
Sleeping creatures have a visual indication. (Mike Ratzlaff)
Swapping worn armour with wielded sword no longer causes you to wear the sword. (Mike Ratzlaff)
Rolling boulder works on some monsters.
Fix minor spelling errors (Gurkan Sengun)
Full AI state was being cleared when nothing was edible rather than just the single edible bit. (Don Collins)
Dipping nothing into a potion no longer crashes, provided you figured a way to do that in the first place. (Richard Quirk)
Two or more equipped items with extra attacks now properly stack the chance of invoking the attacks, rather than jumping straight to a 99% chance. (Richard Quirk)
One new room type.
Mountain and Hills in Ibson The Grey's tileset are now in their correct positions.
2011-11-11 Dave Beckett <dave@dajobe.org>
* Snapshotted flickcurl_1_22 for 1.22 release (GIT
6698387f4240cec82b0e115adf8a863657dd7066)
* utils/oauth-test.c:
Update flickcurl_oauth_prepare_common call
* NEWS.html, src/common.c, src/flickcurl_internal.h: Disable
mtwist unless building experimental OAuth
* src/Makefile.am: Do not use libmtwist without oauth
* configure.ac, src/Makefile.am, src/common.c,
src/flickcurl_internal.h, utils/Makefile.am: Add --enable-oauth
default disabled
* src/common.c:
(flickcurl_free): Free OAuth urls
* src/oauth.c:
(test_signature_calc): Test free
* src/oauth.c: Make oauth test work again
* src/flickcurl_internal.h, src/oauth.c: Remove is_request arg -
just use od->callback
* src/common.c, src/flickcurl_internal.h, src/oauth.c,
utils/oauth-test.c: Move flickcurl_oauth_data into flickcurl
struct
* docs/flickcurl-docs.xml, docs/tmpl/section-config.sgml: Add
config section to docs
* autogen.sh, docs/tmpl/section-auth.sgml,
docs/tmpl/section-core.sgml, docs/tmpl/section-misc.sgml,
docs/tmpl/section-unused.sgml, docs/tmpl/section-upload.sgml,
libmtwist: Fix submodule checkouts
* autogen.sh: Init and update any git submodules
2011-11-09 Dave Beckett <dave@dajobe.org>
* src/flickcurl_internal.h, src/oauth.c:
Reduce visibility of oauth
internal functions These are internal to the library now because the
flickcurl_oauth_data is an internal structure.
2011-11-01 Dave Beckett <dave@dajobe.org>
* src/common.c: Return method details with curl errors
* src/Makefile.am: Clean tests
2011-10-30 Dave Beckett <dave@dajobe.org>
* utils/oauth-test.c: code style
* utils/oauth-test.c: casts
* src/oauth.c: docs
* src/oauth.c: consts
* docs/flickcurl-sections.txt: add oauth urls
* src/flickcurl_internal.h, src/oauth.c: fix const char keys
* src/oauth.c: docs
* src/oauth.c:
(flickcurl_oauth_access_token): Delete request token after success.
* src/oauth.c:
(flickcurl_oauth_build_key): Build sign key from request OR access
token
* utils/oauth-test.c: docs
* src/Makefile.am, src/oauth.c, utils/oauth-test.c: Add oauth
checksum test
* src/.gitignore: ignore *_test
2011-10-29 Dave Beckett <dave@dajobe.org>
* utils/oauth-test.c: Report request token
* src/oauth.c:
(flickcurl_oauth_prepare_common): docs and send all oauth params
except callback to requests
* src/flickcurl_internal.h, src/oauth.c, utils/oauth-test.c:
(flickcurl_oauth_access_token): Pass in verifier
* src/flickcurl_internal.h, src/oauth.c: request_token* fields
renamed from tmp_token*
* docs/flickcurl-sections.txt, src/auth-api.c, src/flickcurl.h:
Added flickr.auth.oauth.getAccessToken partial support
(flickcurl_auth_oauth_getAccessToken): Added for
flickr.auth.oauth.getAccessToken - right now it exchanges the old
tokens for OAuth ones and drops them both.
* src/flickcurl_internal.h, utils/oauth-test.c: oauth field
client_key_len renamed from client_len
* utils/oauth-test.c: FLICKCURL_MAX_OAUTH_PARAM_COUNT
* src/oauth.c: is_oauth_method fix
* src/flickcurl_internal.h, src/oauth.c:
FLICKCURL_MAX_OAUTH_PARAM_COUNT
* src/flickcurl.h, src/flickcurl_internal.h, src/oauth.c,
utils/oauth-test.c: Compute authorize URI after getting back oauth
request token (flickcurl_oauth_get_authorize_uri): Added.
* src/common.c, src/flickcurl_internal.h, src/oauth.c: Add utility
functions for oauth responses as HTTP forms
(flickcurl_invoke_get_form_content): Added to get content as k/v
array of strings.
(flickcurl_free_form): Added to free the above.
(flickcurl_oauth_request_token), flickcurl_oauth_access_token):
Use above.
* src/common.c, src/flickcurl_internal.h, src/oauth.c,
utils/Makefile.am, utils/oauth-test.c: Move OAuth test code into
oauth.c and refactor a little
* src/oauth.c:
(flickcurl_oauth_prepare_common): Do not use oath method name in
params
* libmtwist: Update to libmtwist head
* utils/oauth-test.c: Pass in (fake) flickr method for
flickcurl_oauth_prepare_common()
* src/oauth.c:
(flickcurl_oauth_prepare_common): Use http method not flickr method
* utils/oauth-test.c: remove unused srand()
* src/common.c, src/flickcurl_internal.h, src/oauth.c,
utils/oauth-test.c: Use libmtwist for PRNG for nonce
* libmtwist: Update to libmtwist head
* docs/flickcurl-sections.txt: Add symbols
* src/Makefile.am:
Add mtwist_config.h
* NEWS.html, docs/flickcurl-sections.txt:
flickcurl_get_hidden_from_string
* README.html: libmtwist submodule
2011-10-28 Dave Beckett <dave@dajobe.org>
* .gitmodules, configure.ac, libmtwist, src/Makefile.am,
src/mtwist_config.h: Add libmtwist as a git submodule
2011-10-16 Dave Beckett <dave@dajobe.org>
* src/oauth.c:
(flickcurl_oauth_compute_signature): Simplify greatly.
* src/config.c, src/flickcurl.h, utils/flickcurl.c:
(flickcurl_config_write_ini): Now writes to a filename
* utils/codegen.c, utils/flickcurl.c, utils/flickrdf.c,
utils/list-methods.c, utils/oauth-test.c: Update the utilities to
use flickcurl_config_ functions
* docs/flickcurl-sections.txt, src/common.c, src/config.c,
src/flickcurl.h: Update flickcurl config file reading and writing
support Move ini reading and writing into the library.
(flickcurl_config_read_ini): Added, deprecating read_ini_config()
and adding a flickcurl* param. Reads in library configuration.
(flickcurl_config_var_handler): Added as standard handler for
above.
(flickcurl_config_write_ini): Added to write an ini file for
library configuration.
* src/oauth.c:
(flickcurl_oauth_compute_signature): Docs and error path.
* configure.ac: Fix libcurl version check to actually check curl
not libxml twice
* configure.ac: Remove unused libcurl_min_vernum
* NEWS.html: Tim Harder is 'radhermit' on GitHub.
2011-10-15 Dave Beckett <dave@dajobe.org>
* NEWS.html: 1.22
* utils/flickcurl.c: Tidy help output; describe all upload params
defaults
* docs/flickcurl-sections.txt: Add flickcurl_get_hidden_label,
flickcurl_get_hidden_level_from_string
* src/common.c, src/flickcurl.h, src/upload-api.c,
utils/flickcurl.c: Add support for upload field 'hidden'
flickcurl_upload_params gains int param hidden with values 1 for
global and 2 for hidden.
(flickcurl_get_hidden_label, flickcurl_get_hidden_from_string):
Added utility functions to turn the int to a label and vice versa
* utils/flickcurl.c: Document upload params safety_level and
content_type
* docs/Makefile.am, docs/tmpl/section-favorite.sgml: Update tmpls
* docs/flickcurl-sections.txt:
Add flickcurl_favorites_getContext
* src/favorites-api.c, src/flickcurl.h, utils/flickcurl.c:
Implement API favorites.getContext
(flickcurl_favorites_getContext): Added returning an array of two
photo lists for previous and next photos. flickcurl utility adds
new command favorites.getContext to call above.
* src/flickcurl_internal.h, src/photo.c:
(flickcurl_new_photos_list): Added to construct a photos list
* configure.ac, src/common.c, utils/flickrdf.c: Support Raptor V2
only. Raptor V1 was last supported in January 2010
* src/panda-api.c: extras docs
2011-09-02 Dave Beckett <dajobe@digg.com>
* utils/oauth-test.c: access token testing
* src/flickcurl_internal.h: Add verifier field
2011-08-15 Dave Beckett <dave@dajobe.org>
* Merge pull request #13 from kumanna/help-without-auth (below)
Help without authentication
2011-08-14 Kumar Appaiah <a.kumar@alumni.iitm.ac.in>
* utils/flickcurl.c: Use stdout for non-error user output
Since users usually expect any non-error output to come to stdout,
this commit changes all output except error reports to be directed
to stdout.
* utils/flickcurl.c: Fix indentation
* utils/flickcurl.c: Provision for help message even when not
authenticated.
Even when not authenticated, the user might desire to see the list
of API calls available. This commit facilitates the display of
that message.
* utils/flickcurl.c: Move printing help details to a function.
This commit moves printing the help message to a function, viz.
print_help_string, so that it can be called from multiple places
without having to duplicate code. In addition, displays an extra
newline at the end for neater output.
2011-08-14 Dave Beckett <dave@dajobe.org>
* Merge pull request #12 from kumanna/kumar (below)
Fix man page and documentation quirks reported at Debian.
Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635892
2011-08-14 Kumar Appaiah <a.kumar@alumni.iitm.ac.in>
* utils/flickcurl.c: Fix grammatical error in description of
galleries.create
* docs/flickrdf.1: Fix incorrect spacing in flickrdf man page
Fixes an incorrect space in the reference to the flickcurl man
page.
* docs/flickrdf.1: Remove reference to missing README for flickrdf
This removes the reference to a missing README file for flickrdf.
This fixes Debian bug 637196 in flickcurl.
2011-07-28 Dave Beckett <dave@dajobe.org>
* Merge pull request #10 from radhermit/curl-headers (below)
Remove old curl header include
2011-06-25 Dave Beckett <dave@dajobe.org>
* src/flickcurl_internal.h, src/oauth.c, utils/oauth-test.c: Test
code calls Flickr OAuth endpoint with correctly signed call
2011-06-23 Dave Beckett <dave@dajobe.org>
* src/flickcurl_internal.h: ws
* src/flickcurl_internal.h, src/oauth.c, utils/oauth-test.c:
(flickcurl_oauth_build_key_data): Added internal call with API
that will change
* utils/oauth-test.c:
(oauth_build_key_data): Added
* utils/oauth-test.c:
Add a structure oauth_data
* utils/oauth-test.c:
Do URI encoding and concatenating
* src/Makefile.am, src/flickcurl_internal.h, src/oauth.c,
src/sha1.c, utils/.gitignore, utils/Makefile.am, utils/oauth-test.c:
OAuth test code
2011-05-08 Dave Beckett <dave@dajobe.org>
* src/galleries-api.c, src/method.c, src/photosets-api.c,
src/prefs-api.c, src/test-api.c, src/upload-api.c: code style
* src/person.c:
(flickcurl_build_persons): Do not zap any existing data if a field
is not found.
2011-03-31 Dave Beckett <dave@dajobe.org>
* NEWS.html: 1.22
2011-03-31 Dave Beckett <dave@dajobe.org>
* utils/Makefile.am: Add raptor_fake.h to sources and
distribution.
2011-03-30 Dave Beckett <dave@dajobe.org>
* NEWS.html, configure.ac:
Bumped version to 1.22
* docs/tmpl/section-tag.sgml:
Added flickcurl_free_tags to doc tmpls
* docs/flickcurl-sections.txt:
(flickcurl_free_tags): Added
2011-03-30 Naruto TAKAHASHI <tnaruto@gmail.com>
* src/flickcurl.h, src/photo.c, src/tags.c: add
flickcurl_free_tags
* docs/tmpl/section-photoset.sgml, src/flickcurl.h,
src/photoset.c: move owner filed to the end of the structure.
2011-03-29 Naruto TAKAHASHI <tnaruto@gmail.com>
* docs/tmpl/section-photoset.sgml, src/flickcurl.h,
src/photoset.c: add owner to flickcurl_photoset
changes:
- README file was improved to provide better guidance
for users
- show the text-web-browser converting command in
verbose mode for better debugging
- workaround passivetex limitation for chapters
titles starting with L
- use passivetex/fop extensions by default, provide
--noextensions option to disable them
- basic experimental support for conversion from docbook
to epub
-bugfixes
Version 8d 15-Jan-2012
-----------------------
Add cjpeg -rgb option to create RGB JPEG files.
Using this switch suppresses the conversion from RGB
colorspace input to the default YCbCr JPEG colorspace.
This feature allows true lossless JPEG coding of RGB color images.
The recommended command for this purpose is currently
cjpeg -rgb -block 1 -arithmetic.
SmartScale capable decoder (introduced with IJG JPEG 8) required.
Thank to Michael Koch for the initial suggestion.
Add option to disable the region adjustment in the transupp crop code.
Thank to Jeffrey Friedl for the suggestion.
Thank to Richard Jones and Edd Dawson for various minor corrections.
Thank to Akim Demaille for configure.ac cleanup.
sox-14.3.2 2011-02-27
----------
File formats:
o Add seek support to mp3 handler for speed improvements. (Pavel Karneliuk)
o Fix bug were WavPack header was not updated correctly when closing
file. Fixed libsox memory leak when closing WavPack files.
(David Bryant)
o Fix RIFF chunk length error when writing 24-bit files. (David Bryant)
o 24-bit WAV files were leaving channel maps unassigned. Change to use
common channel mappings based on channel count. This allows to
work more seemlessly with other apps such as WavPack and Foobar2000.
(David Bryant)
o Fix ffmpeg playback bug caused by alignment requirements on some platforms.
Closes bug #3017690. (Reuben Thomas).
o Fix memory leak in ffmpeg. (Doug Cook)
o Handle 0 length chunks in WAV files gracefully. (Beat Jorg)
o When skipping over chunks, account for word alignment. Helps
with some Logic Pro generated files. (D Lambley)
o Fix incorrect MP3 file length determination with VBR & .5s initial
silence. (robs)
Audio device drivers:
o Fix immediate segfault on OSX while attempting to record. (Adam Fritzler)
o Fix segfault on OSX playback for some HW that gives smaller then
requested buffers. (cbagwell)
o Clean up system resource in coreaudio on close. Allows running
back-to-back open()/close()'s without exiting app first. (cbagwell)
o Add support for 32-bit samples to OSS driver. (Eric Lammerts)
o Add support for 24 and 32-bit samples to waveaudio (Win32) driver.
(Doug Cook)
o Support specifying audio device other than default on OSX (cbagwell)
Effects:
o F.R. [3051700] spectrogram -r for `raw' spectrogram, no legend. (robs)
o Fix -w option on stats effect. (Ronald Sprouse)
o Fix segfault with some ladspa plugins (Thor Andreassen)
o Optionally look for png.h in libpng directory to support OpenBSD
packaging. Helps enable spectrograph effect. (cbagwell)
o libpng15 requires application to include zlib.h header file. (cbagwell)
Add this to spectrograph effect. [3184238]
o Enable LADSPA effects on all platforms without any external
dependencies. Mainly useful for Linux, Windows and OS X which have
binaries readily available. (cbagwell)
o Support specifying an absolute end location for trim effect instead
only an offset from trim begin location. (Ulrich Klauer)
o Fix regression where MP3 handler required libmad headers to be installed.
(Samuli Suominen)
o Allow dynamic loading of lame to be enabled even if lame header files
are not installed. (Doug Cook)
Other new features:
o Soxi now reports duration of AMR files. (robs)
o Document the "multiple" combine option in man pages and in
usage output (Ulrich Klauer).
Internal improvements:
o Distribute msvc9 project files that had been in CVS only. (cbagwell)
o Add msvc10 project files (also compatible with the Windows SDK 7.1).
(Doug Cook)
o cmake now compiles waveaudio driver under windows environment. (cbagwell)
[3072672]
=== RELEASE 2.5 ===
Sat Dec 24 20:30:41 MET 2011 mikulas:
Use icon in pmshell
Wed Dec 21 01:46:04 cet 2011 mikulas:
Do not guess compression type from extension if Content-Type is html
Mon Dec 19 03:09:04 MET 2011 mikulas:
Recognise tgz extension
Sun Dec 18 21:33:52 cet 2011 mikulas:
Fixed some visual glitches in the list editor, window is automatically
resized with the terminal
Fixed a crash if the user changes bookmarks location while some bookmark
editing dialog was displayed
Fixed a bug that bookmark location couldn't be changed on text-only
builds
Removed save bookmarks menu option, bookmarks are saved always when
closing bookmark window
Fri Dec 16 02:12:37 MET 2011 mikulas:
Search for viewer application according to file extension if the server
returns content type application/x-<compression method>.
Tue Dec 6 20:03:21 cet 2011 mikulas:
Implemented forward history
Sun Dec 4 11:35:17 CET 2011 mikulas:
Fixed memory leaks or lockups if a connection between
two links instances was unexpectedly broken
Implemented a handshake in the communication protocol so that
different Links versions won't communicate with each other
Fixed a possible lockup if the user presses key and the master
Links instance disconnects at the same time
Sun Dec 4 06:05:03 CEST 2011 mikulas:
Use AF_UNIX on Windows
Tue Nov 29 02:44:44 CET 2011 mikulas:
Do not send spaces in Accept-Charset
Mon Nov 28 03:03:26 CET 2011 mikulas:
Identify compier in User-Agent
Sun Nov 27 02:28:35 cet 2011 mikulas:
Heap in high memory on OS/2
Fri Nov 25 01:25:56 CET 2011 mikulas:
Support lzma compression
=== 2.0.16 ===
5 Jan 2011
- Add sample for Docs List API to delete ACL.
- Added support for label deletion in the Email Settings API client library
- Added a sample for Email Settings create label and filters with exponential
back-off
- Added sample for enabling pop settings using Email Settings API
- Fixed typo in analytics sample.
- Fixed ACL batching URI in Docs.
- Updated RetrieveAllUsers and RetrieveAllAliases to return all pages instead
of one.
- Removing force=True from some ACL requests in DocsClient
- Added RetrieveGroups method and updated RetrieveAllGroups and
RetrieveAllMembers method
- Added a quick start sample for user provisioning
- Added a client for organization unit provisioning
- Added client architecture for group provisioning
- Added a new sample for multidonain provisioning. Demonstrates all the
functions available.
- Added test for RetrieveAllUserAliases and changed OAuth scopes for Apps
- Added client architecture for provisioning api and tests for client
- Added support for batch requests to update spreadsheet cells.
- Added GetAcl alias for get_acl in DocsClient
- Added new ACL and get by ID methods to DocsClient.
- Added some conditional imports for tlslite.
- Updates to category handling for Documents list API
- Added a function to retrieve all the aliases for a given user email.
- Fixed#553
=== 2.0.15 ===
18 Oct 2011
- New Documents List API client
- Added support for MDM Provisioning API
- Added Batch support for Documents List API ACL changes
- Added category handling for Documents List API client
- Added commenter role to Documents List API client
- Added support for gContact:status
- Added subdomain support for Email Settings API
- Added support for Apparel attributes in Content API for Shopping client
- Added Documents List sample
- Added Sample for Provisioning API with OAuth2
- Added Sample for Email Settings API with OAuth2
- Added Sample for Provisioning API with Sites and Profiles API
- Fixed Youtube client to use SSL
- Fixed Sites API sample to use SSL
- Removed Google Base Data API support
- Issues closed:
#190, #206, #215, #230, #268, #270, #279, #281, #288, #296, #303, #312,
#346, #363, #399, #424, #435, #483, #492, #494, #498, #508, #512, #516,
#526, #532, #533, #534, #541, #547
2.2
---
* migration to https://github.com/collective/icalendar using svn2git preserving
tags, branches and authors.
[garbas]
* using tox for testing on python 2.4, 2.5, 2.6, 2.6.
[garbas]
* fixed tests so they pass also under python 2.7.
[garbas]
* running tests on https://jenkins.plone.org/job/icalendar (only 2.6 for now)
with some other metrics (pylint, clonedigger, coverage).
[garbas]
* review and merge changes from https://github.com/cozi/icalendar fork.
[garbas]
* created sphinx documentation and started documenting development and goals.
[garbas]
* hook out github repository to http://readthedocs.org service so sphinx
documentation is generated on each commit (for master). Documentation can be
visible on: http://readthedocs.org/docs/icalendar/en/latest/
[garbas]
libgsf 1.14.22
Damien Lespiau:
* Fix thumbnailer manual install problem.
Morten:
* Fix error messages on win32.
* Fix resource limiting in thumbnailer.
* Ensure GsfOutput::name and GsfInput::name notifications.
* Cleanup old code.
* Drop support for gnome-vfs and bonobo.
* Fix ole2 entry sorting based on patch from Junping Zhang. [#665712]
Vincent Untz:
* New installation method for thumbnailer. [#651187]
Asterisk Project Security Advisory - AST-2012-001
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SRTP Video Remote Crash Vulnerability |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Denial of Service |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | 2012-01-15 |
|----------------------+-------------------------------------------------|
| Reported By | Catalin Sanda |
|----------------------+-------------------------------------------------|
| Posted On | 2012-01-19 |
|----------------------+-------------------------------------------------|
| Last Updated On | January 19, 2012 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Joshua Colp < jcolp AT digium DOT com > |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | An attacker attempting to negotiate a secure video |
| | stream can crash Asterisk if video support has not been |
| | enabled and the res_srtp Asterisk module is loaded. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.8.x | All versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 10.x | All versions |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.8.8.2 |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 10.0.1 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| SVN URL |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 |
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2012-001.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+--------------------+---------------------------------|
| 12-01-19 | Joshua Colp | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Asterisk Project Security Advisory - AST-2012-001
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SRTP Video Remote Crash Vulnerability |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Denial of Service |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | 2012-01-15 |
|----------------------+-------------------------------------------------|
| Reported By | Catalin Sanda |
|----------------------+-------------------------------------------------|
| Posted On | 2012-01-19 |
|----------------------+-------------------------------------------------|
| Last Updated On | January 19, 2012 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Joshua Colp < jcolp AT digium DOT com > |
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | An attacker attempting to negotiate a secure video |
| | stream can crash Asterisk if video support has not been |
| | enabled and the res_srtp Asterisk module is loaded. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.8.x | All versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 10.x | All versions |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.8.8.2 |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 10.0.1 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| SVN URL |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 |
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2012-001.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+--------------------+---------------------------------|
| 12-01-19 | Joshua Colp | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
to arbitrary remote code execution, if the FORTIFY_SOURCE
compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
vulnerability
Reference: http://www.suhosin.org/https://github.com/stefanesser/suhosin
Fixes since v1.7.7.2
--------------------
* Adjust the "quick-install-doc" procedures as preformatted
html/manpage are no longer in the source repository.
* The logic to optimize the locality of the data in a pack introduced in
1.7.7 was grossly inefficient.
* The logic to filter out forked projects in the project list in
"gitweb" was broken for some time.
* "git branch -m/-M" advertised to update RENAME_REF ref in the
commit log message that introduced the feature but not anywhere in
the documentation, and never did update such a ref anyway. This
undocumented misfeature that did not exist has been excised.
Fixes since v1.7.7.3
--------------------
* A few header dependencies were missing from the Makefile.
* Some newer parts of the code used C99 __VA_ARGS__ while we still
try to cater to older compilers.
* "git name-rev --all" tried to name all _objects_, naturally failing to
describe many blobs and trees, instead of showing only commits as
advertised in its documentation.
Fixes since v1.7.7.4
--------------------
* After fetching from a remote that has very long refname, the reporting
output could have corrupted by overrunning a static buffer.
* "git checkout" and "git merge" treated in-tree .gitignore and exclude
file in $GIT_DIR/info/ directory inconsistently when deciding which
untracked files are ignored and expendable.
Fixes since v1.7.7.5
--------------------
* The code to look up attributes for paths reused entries from a wrong
directory when two paths in question are in adjacent directories and
the name of the one directory is a prefix of the other.
* A wildcard that matches deeper hierarchy given to the "diff-index" command,
e.g. "git diff-index HEAD -- '*.txt'", incorrectly reported additions of
matching files even when there is no change.
* When producing a "thin pack" (primarily used in bundles and smart
HTTP transfers) out of a fully packed repository, we unnecessarily
avoided sending recent objects as a delta against objects we know
the other side has.
changes:
-handle more attributes
-added support of clipPath element
-added support of visibility style property
-fixed handling of aspect ratio of video
