pkgsrc change: adapt to splitting up of speex
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,
11.15.1, 12.8.1, and 13.1.1.
The release of these versions resolves the following security vulnerabilities:
* AST-2015-001: File descriptor leak when incompatible codecs are offered
Asterisk may be configured to only allow specific audio or
video codecs to be used when communicating with a
particular endpoint. When an endpoint sends an SDP offer
that only lists codecs not allowed by Asterisk, the offer
is rejected. However, in this case, RTP ports that are
allocated in the process are not reclaimed.
This issue only affects the PJSIP channel driver in
Asterisk. Users of the chan_sip channel driver are not
affected.
* AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as well
as its res_config_curl.so (cURL realtime backend) modules.
Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.
For more information about the details of these vulnerabilities, please read
security advisory AST-2015-001 and AST-2015-002, which were released at the same
time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
* http://downloads.asterisk.org/pub/security/AST-2015-002.pdf
Thank you for your continued support of Asterisk!
This is the second attempt to fix the build problem that some people
have seen (I have received inconsistent reports). This should
force chan_mgcp to build on systems where it can. It was tested
on NetBSD 5.0, thus ensuring that it doesn't break previously
working systems; and NetBSD 6.99.7, where I finally saw the problem
that some people were reporting.
pkgsrc change: eliminate ilbc option now that the iLBC codec is always built
The Asterisk Development Team has announced the release of Asterisk 1.8.11.0.
The release of Asterisk 1.8.11.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following are the issues resolved in this release:
* --- Fix potential buffer overrun and memory leak when executing "sip
show peers"
* --- Fix ACK routing for non-2xx responses.
* --- Remove possible segfaults from res_odbc by adding locks around
usage of odbc handle
* --- Fix blind transfer parking issues if the dialed extension is not
recognized as a parking extension.
* --- Copy CDR variables when set during a bridge
* --- push 'outgoing' flag from sig_XXX up to chan_dahdi
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.11.0
Thank you for your continued support of Asterisk!
pkgsrc changes: adapt to having iLBC codec included in the asterisk
tarball and newer version of sounds tarball.
----- 1.8.10.0 -----
The Asterisk Development Team has announced the release of Asterisk 1.8.10.0.
The release of Asterisk 1.8.10.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* --- Prevent outbound SIP NOTIFY packets from displaying a port of 0 ---
* --- Include iLBC source code for distribution with Asterisk ---
* --- Fix callerid of originated calls ---
* --- Fix outbound DTMF for inband mode of chan_ooh323 ---
* --- Create and initialize udptl only when dialog requests image media ---
* --- Don't prematurely stop SIP session timer ---
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.10.0
Thank you for your continued support of Asterisk!
----- 1.8.10.1 -----
The Asterisk Development Team has announced security releases for
Asterisk 1.4, 1.6.2, 1.8, and 10. The available security releases
are released as versions 1.4.44, 1.6.2.23, 1.8.10.1, and 10.2.1.
The release of Asterisk 1.8.10.1 and 10.2.1 resolves two issues.
First, they resolve the issue in app_milliwatt, wherein a buffer
can potentially be overrun on the stack, but no remote code execution
is possible. Second, they resolve an issue in HTTP AMI where digest
authentication information can be used to overrun a buffer on the
stack, allowing for code injection and execution.
These issues and their resolution are described in the security
advisory.
For more information about the details of these vulnerabilities,
please read the security advisories AST-2012-002 and AST-2012-003,
which were released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.10.1
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2012-002.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-003.pdf
Thank you for your continued support of Asterisk!
This update adds a "jabber" option which is enabled by default.
This option pulls in iksemel which is used by the res_jabber.
Doing this allows chan_jingle (jabber) and chan_gtalk to work.
pkgsrc changes:
- adjust for ilbc changes after it was acquired by Google
- install AST.pdf IAX2-security.pdf into share/doc/asterisk
1.8.7.0:
========
The release of Asterisk 1.8.7.0 resolves several issues reported
by the community and would have not been possible without your
participation. Thank you!
Please note that a significant number of changes and fixes have
gone into features.c in this release (call parking, built-in
transfers, call pickup, etc.).
NOTE:
Recently, we were notified that the mechanism included in our
Asterisk source code releases to download and build support for
the iLBC codec had stopped working correctly; a little investigation
revealed that this occurred because of some changes on the
ilbcfreeware.org website. These changes occurred as a result of
Google's acquisition of GIPS, who produced (and provided licenses
for) the iLBC codec.
If you are a user of Asterisk and iLBC together, and you've already
executed a license agreement with GIPS, we believe you can continue
using iLBC with Asterisk. If you are a user of Asterisk and iLBC
together, but you had not executed a license agreement with GIPS,
we encourage you to research the situation and consult with your
own legal representatives to determine what actions you may want
to take (or avoid taking).
More information is available on the Asterisk blog:
http://blogs.asterisk.org/2011/09/19/ilbc-support-in-asterisk-after-googles-acquisition-of-gips/
The following is a sample of the issues resolved in this release:
* Added the 'storesipcause' option to sip.conf to allow the user to
disable the setting of HASH(SIP_CAUSE,) on the channel. Having
chan_sip set HASH(SIP_CAUSE,) on the channel carries a significant
performance penalty because of the usage of the MASTER_CHANNEL()
dialplan function.
We've decided to disable this feature by default in future 1.8
versions. This would be an unexpected behavior change for anyone
depending on that SIP_CAUSE update in their dialplan. Please
refer to the asterisk-dev mailing list for more information:
http://lists.digium.com/pipermail/asterisk-dev/2011-August/050626.html
* Significant fixes and improvements to parking lots.
(Closes issues ASTERISK-17183, ASTERISK-17870, ASTERISK-17430,
ASTERISK-17452, ASTERISK-17452, ASTERISK-15792.)
* Numerous issues have been reported for deadlocks that are caused
by a blocking read in res_timing_timerfd on a file descriptor
that will never be written to.
A change to Asterisk adds some checks to make sure that the
timerfd is both valid and armed before calling read(). Should
fix: ASTERISK-18142, ASTERISK-18197, ASTERISK-18166 and possibly
others. (In essence, this change should make res_timing_timerfd
usable.)
* Resolve segfault when publishing device states via XMPP and not connected.
(Closes issue ASTERISK-18078.)
* Refresh peer address if DNS unavailable at peer creation.
(Closes issue ASTERISK-18000)
* Fix the missing DAHDI channels when using the newer chan_dahdi.conf
sections for channel configuration.
(Closes issue ASTERISK-18496.)
* Remove unnecessary libpri dependency checks in the configure script.
(Closes issue ASTERISK-18535.)
* Update get_ilbc_source.sh script to work again.
(Closes issue ASTERISK-18412)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.7.0
Thank you for your continued support of Asterisk!
1.8.6.0:
========
The release of Asterisk 1.8.6.0 resolves several issues reported
by the community and would have not been possible without your
participation. Thank you!
The following is a sample of the issues resolved in this release:
* Fix an issue with Music on Hold classes losing files in playlist
when realtime is used. (Closes issue ASTERISK-17875.)
* Resolve a potential crash in chan_sip when utilizing auth= and
performing a 'sip reload' from the console. (Closes issue
ASTERISK-17939.)
* Address some improper sql statements in res_odbc that would cause
an update to fail on realtime peers due to trying to set as
"(NULL)" rather than an actual NULL. (Closes issue ASTERISK-17791.)
* Resolve issue where 403 Forbidden would always be sent maximum
number of times regardless of receipt of ACK.
* Resolve issue where if a call to MeetMe includes both the dynamic(D)
and always request PIN(P) options, MeetMe will ask for the PIN
two times: once for creating the conference and once for entering
the conference.
* Fix New Zealand indications profile based on
http://www.telepermit.co.nz/TNA102.pdf
(Closes issue ASTERISK-16263.)
* Segfault in shell_helper in func_shell.c
(Closes issue ASTERISK-18109.)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.6.0
Thank you for your continued support of Asterisk!
The release of Asterisk 1.8.5.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Fix Deadlock with attended transfer of SIP call
* Fixes thread blocking issue in the sip TCP/TLS implementation.
* Be more tolerant of what URI we accept for call completion PUBLISH requests.
* Fix a nasty chanspy bug which was causing a channel leak every time a spied on
channel made a call.
* This patch fixes a bug with MeetMe behavior where the 'P' option for always
prompting for a pin is ignored for the first caller.
* Fix issue where Asterisk does not hangup a channel after endpoint hangs up. If
the call that the dialplan started an AGI script for is hungup while the AGI
script is in the middle of a command then the AGI script is not notified of
the hangup.
* Resolve issue where leaving a voicemail, the MWI message is never sent. The
same thing happens when checking a voicemail and marking it as read.
* Resolve issue where wait for leader with Music On Hold allows crosstalk
between participants. Parenthesis in the wrong position. Regression from issue
#14365 when expanding conference flags to use 64 bits.
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.5.0
Thank you for your continued support of Asterisk!
to enable res_fax_spandsp.so. Don't bother with a PKGREVISION bump since
this doesn't change default builds and there is no need to bother people
that don't need the option.
Asterisk is a complete PBX in software. It provides all of the
features you would expect from a PBX and more. Asterisk does voice
over IP in three protocols, and can interoperate with almost all
standards-based telephony equipment using relatively inexpensive
hardware.
Asterisk 1.8 is a long term support version (i.e. it will be
supported for four years with an additional year of security only
fixes). See:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions
What's new:
Asterisk 1.8 is the next major release series of Asterisk.
The release of Asterisk 1.8.0 would not have been possible without the support
and contributions of the community. Since Asterisk 1.6.2, we've had over 500
reporters, more than 300 testers and greater than 200 developers contributed to
this release.
You can find a summary of the work involved with the 1.8.0 release in the
summary:
http://svn.asterisk.org/svn/asterisk/tags/1.8.0/asterisk-1.8.0-summary.txt
A short list of available features includes:
* Secure RTP
* IPv6 Support in the SIP channel driver
* Connected Party Identification Support
* Calendaring Integration
* A new call logging system, Channel Event Logging (CEL)
* Distributed Device State using Jabber/XMPP PubSub
* Call Completion Supplementary Services support
* Advice of Charge support
* Much, much more!
A full list of new features can be found in the CHANGES file.
http://svn.digium.com/view/asterisk/branches/1.8/CHANGES?view=markup
For a full list of changes in the current release candidate, please see the
ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.0
-----
The Asterisk Development Team has announced the release of Asterisk 1.8.1.
The release of Asterisk 1.8.1 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!
The following is a sample of the issues resolved in this release:
* Fix issue when using directmedia. Asterisk needs to limit the codecs offered
to just the ones that both sides recognize, otherwise they may end up sending
audio that the other side doesn't understand.
(Closes issue #17403. Reported, patched by one47. Tested by one47, falves11)
* Resolve issue where Party A in an analog 3-way call would continue to hear
ringback after party C answers.
(Patched by rmudgett)
* Fix playback failure when using IAX with the timerfd module.
(Closes issue #18110. Reported, tested by tpanton. Patched by jpeeler)
* Fix problem with qualify option packets for realtime peers never stopping.
The option packets not only never stopped, but if a realtime peer was not in
the peer list multiple options dialogs could accumulate over time.
(Closes issue #16382. Reported by lftsy. Tested by zerohalo. Patched by
jpeeler)
* Fix issue where it is possible to crash Asterisk by feeding the curl engine
invalid data.
(Closes issue #18161. Reported by wdoekes. Patched by tilghman)
For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.1