* channels/chan_sip.c: Copy the From header into a variable so that
pedantic SIP handling does not try to mess with a NULL pointer.
(AST-2008-008)
* channels/chan_iax2.c: When we receive a full frame that is
supposed to contain our call number, ensure that it has the
correct one. (closes issue #10078) (AST-2008-006)
Update for several critical security issues:
* astobj.h: Fix character string being treated as format string
* chan_sip.c: Do not return with a successful
authentication if the From header ends up empty. (AST-2008-003)
* chan_iax2.c: Fix another potential seg fault (closes issue #11606)
* chan_iax2.c: Fix a couple of places where it's possible
to dereference a NULL pointer.
* chan_sip.c, channels/chan_iax2.c: Fixing AST-2007-027
* cdr_pgsql.c: Properly escape src and dst fields (Fixes AST-2007-026)
Version 1.2.24 is the final 1.2 release that contains normal bug fixes.
The 1.2 branch will only be maintained with security fix releases from
now until it is completely deprecated.
* channels/chan_iax2.c: Don't create the Asterisk channel until we
are starting the PBX on it. (ASA-2007-018)
* channels/chan_agent.c: (closes issue #5866) Reported by: tyler Do
not force channel format changes when a generator is present. The
generator may have changed the formats itself and changing them
back would cause issues.
* channels/chan_sip.c: (closes issue #10236) Reported by: homesick
Patches: rpid_1.4_75840.patch uploaded by homesick (license 91)
Accept Remote Party ID on guest calls.
* include/asterisk/app.h: We should not use C++ reserved words in
API headers (closes issue #10266)
* channels/chan_sip.c: Backport a fix for a memory leak that was
fixed in trunk in reivision 76221 by rizzo. The memory used for
the localaddr list was not freed during a configuration reload.
* channels/chan_sip.c: (closes issue #10247) Reported by:
fkasumovic Patches: chan_sip.patch uploaded by fkasumovic
(license #101) Drop any peer realm authentication entries when
reloading so multiple entries do not get added to the peer.
* channels/chan_iax2.c: When processing full frames, take sequence
number wraparound into account when deciding whether or not we
need to request retransmissions by sending a VNAK. This code
could cause VNAKs to be sent erroneously in some cases, and to
not be sent in other cases when it should have been. (closes
issue #10237, reported and patched by mihai)
* channels/chan_iax2.c: When traversing the queue of frames for
possible retransmission after receiving a VNAK, handle sequence
number wraparound so that all frames that should be retransmitted
actually do get retransmitted. (issue #10227, reported and
patched by mihai)
* apps/app_voicemail.c: Store prior to copy (closes issue #10193)
* apps/app_queue.c: removed the word 'pissed' from ast_log(...)
* channels/chan_skinny.c: Properly check for the length in the
skinny packet to prevent an invalid memcpy. (ASA-2007-016)
* channels/iax2-parser.h, channels/chan_iax2.c,
channels/iax2-parser.c: Ensure that when encoding the contents of
an ast_frame into an iax_frame, that the size of the destination
buffer is known in the iax_frame so that code won't write past
the end of the allocated buffer when sending outgoing frames.
(ASA-2007-014)
* channels/chan_iax2.c: After parsing information elements in IAX
frames, set the data length to zero, so that code later on does
not think it has data to copy. (ASA-2007-015)
* res/res_musiconhold.c: Fix a couple potential minor memory leaks.
load_moh_classes() could return without destroying the loaded
configuration.
* apps/app_chanspy.c: Fixed an issue where chanspy flags were
uninitialized if no options were passed.
* res/res_musiconhold.c: Ensure that adding a user to the list of
users of a specific music on hold class is not done at the same
time as any of the other operations on this list to prevent list
corruption.
* channels/chan_iax2.c: The function make_trunk() can fail and
return -1 instead of a valid new call number. Fix the uses of
this function to handle this instead of treating it as the new
call number. This would cause a deadlock and memory corruption.
* channels/chan_agent.c: The cli command "agent logoff Agent/x
soft" did not work...at all. Now it does.
* res/res_config_odbc.c: Make sure that the ESCAPE immediately
follows the condition that uses LIKE. This fixes realtime
extensions with ODBC.
* apps/app_queue.c: Fix an issue where it was possible to have a
service level of over 100% Between the time recalc_holdtime and
update_queue was called, it was possible that the call could have
been hungup.
* dns.c: Use res_ndestroy on systems that have it. Otherwise, use
res_nclose. This prevents a memleak on NetBSD - and possibly
others.
This release is a regular maintenance release. It has been made just
a couple of weeks after the previous set of releases because the
development team has been working especially hard on fixing bugs
lately. There has been a large volume of issues fixed in just two weeks.
This release contains a large number of fixes, including:
- A recently published security vulnerability in the manager
interface (ASA-2007-012)
- Another recently published security vulnerability in the
SIP channel driver (ASA-2007-011)
Along with minor bug fixes, this release incorporates a fix for the
SIP DoS vulnerability recently discovered by INRIA Lorraine.
All users of Asterisk 1.2 with the SIP channel driver loaded and
connected to an untrusted network are urged to update to this release
to avoid the possibility of experiencing this problem.
Note that the option "zaptel" won't compile any more since version 1.2.16.
This needs an upgrade of the netbsd zaptel driver.
changes:
1.2.15: This release contains a significant Astribank (XPP) driver update,
support for Digium's TE120P card, and various bug fixes.
1.2.16: This release contains a number of bug fixes, including a fix for
a recently discovered security vulnerability. All Asterisk 1.2 users are
urged to update to this release as soon as possible.
This is in response to PR pkg/35924 by David Wetzel. The PR suggests
to update to 1.4.1, but since I'm not using Asterisk myself I prefer
to do just the minor update (which also fixes the security vulnerability)
for now.
This release contains a fix for a security vulnerability recently
found in the chan_skinny channel driver (for Cisco SCCP phones).
This vulnerability would enable an attacker to remotely execute
code as the system user running Asterisk (frequently 'root').
The exploit does not require that the skinny.conf contain any
valid phone entries, only that chan_skinny is loaded and operational.
This release also contains a number of bug fixes, and some improvements
to the chan_sip channel driver (for SIP devices) to mitigate the impacts
of a certain class of denial-of-service attacks that have recently been
published.
All Asterisk 1.2 users are urged to update to this release if they use
the chan_skinny channel driver, or to stop loading it if it is not
needed ('noload=>chan_skinny.so' in modules.conf will cause this behavior).
Asterisk 1.2.11 includes a number of bug fixes, along with an update
to the chan_misdn driver for mISDN devices.
Asterisk 1.2.12 includes a number of bug fixes, including fixes for
two regressions that occurred in the 1.2.11 release. Specifically,
the AGI 'GET VARIABLE' command has now gone back to its previous
behavior, and CDR records now reflect the CallerID number instead
of ANI in the situations that this was the case in earlier 1.2 releases.
* Number of bug fixes
* New option to help to avoid a potential denial of service in IAX2 channel driver
* Support for TE407P and TE412P quad T1/E1 interface cards
* apps/app_page.c: oops... let's not set a variable and then
immediately overwrite it while assuming its old value will
magically return
* pbx.c: Bug 6957 - variable names beginning with CALLERID weren't
substituted correctly
* channels/chan_zap.c: disable buggy PRI user-user code until it
can be fixed
* channels/chan_sip.c: Issue 6182 - Don't remove scheduled event
until it's really done.
* channels/chan_sip.c: Issue 6362 - Register without Contact: and
Expires: fails
* ast_expr2.h, ast_expr2f.c, ast_expr2.c: Bug 6072 - Revisions to
the source bison and flex files don't auto-regenerate these files
* channels/chan_zap.c: fix problem with dtmf on e&m (issue #6364)
* channels/chan_sip.c: Issue 5898: Registrations does not get
deleted if there's an active SIP dialog
* channels/chan_sip.c: don't call ast_update_realtime with
uninitialized variables if we get a registration with an expirey
of 0 seconds (issue #6173)
* channels/chan_features.c: fix memory leak (inspired by issue
#6351)
- Replaced absolute directories like /usr/pkg and /var with ${PREFIX} and
${VARBASE}.
- USE_TOOLS+=perl:run, since there is one Perl program installed with the
package.
- Bumped PKGREVISION.
new features, including support for DUNDi. (http://www.dundi.com/ for
more information)
The initial framework and porting of this package upgrade was done by
Martin J. Laubach, with lots of feature/PLIST fixes by me. DragonFly
support added by Joerg Sonnenberger.
-- fix bug in callerid matching in the dialplan that was introduced in 1.0.8
Changes 1.0.8:
-- chan_zap
-- Asterisk will now also look in the regular context for the fax extension
while executing a macro. Previously, for this to work, the fax extension
would have to be included in the macro definition.
-- On some systems, ALERTING will be sent after PROCEEDING, so code has been
added to account for this case.
-- If no extension is specified on an overlap call, the 's' extension will
be used.
-- chan_sip
-- We no longer send a "to" tag on "100 Trying" messages, as it is
inappropriate to do so.
-- We now respond correctly to an invite for T.38 with a "488 Not acceptable
here"
-- We now discard saved tags on 401/407 responses in case the provider we're
talking to tries to pull a dirty trick on us and change it.
-- rtptimeout options will now be correctly set on a peer basis rather than
only global
-- chan_mgcp
-- Fixed setting of accountcode
-- Fixed where *67 to block callerid only worked for first call
-- chan_agent
-- We now will not pass audio until the agent has acked the call if the
configuration
is set up for the agent to do so.
-- chan_alsa
-- Fixed problems with the unloading of this module
-- res_agi
-- A fix has been added to prevent calls from being hung up when more than
one call is executing an AGI script calling the GET DATA command.
-- AGI scripts will now continue to run even if a file was not found with
the GET DATA command.
-- When calling SAY NUMBER with a number like 09, we will now say "nine"
instead of "zero"
-- app_dial
-- There was a problem where text frames would not be forwarded before the
channel has been answered.
-- app_disa
-- Fixed the timeout used when no password is set
-- app_queue
-- Distinctive ring has been fixed to work for queue members
-- rtp
-- Fixed a logic error when setting the "rtpchecksums" option
-- say.c
-- A problem has been fixed with saying the date in Spanish.
-- Makefile
-- A line was missing for the autosupport script that caused "make rpm" to
fail
-- format_wav_gsm
-- Fixed a problem with wav formatting that prevented files from being
played in some media players
-- pbx_spool
-- Fixed if the last line of text in a file for the call spool did not
contain a new line, it would not be processed
-- logger
-- Fixed the logger so that color escape sequences wouldn't be sent to the
logs
-- format_sln
-- A lot of changes were made to correctly handle signed linear format on
big endian machines
There are still some features not enabled by default, but this is a
solid foundation upon which to build - a fully-functional PBX can be
built, including PSTN gatewaying using the comms/zaptel-netbsd package.
From the DESCR:
Asterisk is a complete PBX in software. It provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
Asterisk provides Voicemail services with Directory, Call Conferencing,
Interactive Voice Response, Call Queuing. It has support for
three-way calling, caller ID services, ADSI, SIP and H.323 (as both
client and gateway).
