Add missing DEPENDS
Upstream changes:
0.19 2016-11-08 08:08:16 Europe/Copenhagen
- The standard is not clear on this, and some servers don't allow them, but it seems that DELETE can take a request body.
- Added serializer_options so it's possible to instantiate the serializer w/ parameters
- Fixed "Use of uninitialized value in concatenation (.) or string" warning when $self->server is not initialized
- Changes for rt #118413. Thanks to abraxxa
http_headers return a combined hashref of http_headers and persistent_headers
new method, clear_all_headers
Upstream changes:
7.11 2016-11-30
- Added EXPERIMENTAL close_idle_connections method to Mojo::Server::Daemon.
- Improved one_tick method in Mojo::IOLoop to protect from recursion, similar
to the start method.
- Improved log attribute in Mojolicious to make it easier to override default
settings. (jberger)
- Fixed bug in Mojo::Server::Prefork where workers would accept keep-alive
requests after a graceful shutdown had already been initiated.
- Fixed bugs in Mojo::Util and Mojo::Asset::File where incomplete writes would
not be recognized as errors. (bobkare, sri)
Upstream changes:
1.31 2016-11-25 09:33:47 -0500
- Migrated from Module::Install to Dist::Zilla and ExtUtils::MakeMaker
- Fixed meta for repository which was pointing to the wrong URL
1.30 23 Nov 2016
- Moving to prod release
1.29_02 23 Nov 2016
- Update metadata to point to github repository.
Plus some other minor dist meta tweaks.
- Note: planning on doing a migration from Module::Install
to ExtUtils::MakeMaker shortly AFTER the next production
release.
1.29_01 22 Nov 2016
- Fix Makefile.PL to work with Perls without '.' in @INC
- Fix for the installed method when used with a PAR archive (rt#42846)
- Minor documentation fixes (grammar, spelling: rt#74481, rt#85356)
Upstream changes:
2016-09-08 Gisle Aas <gisle@ActiveState.com>
Release 2.10
Applied patch from Michael Joyce that is required to make the
test pass for perl-5.24
- use standard headers
- don't use perror, don't use sprintf
- fix time handling issues
- compile in paths so the data can be installed (from patch-ab)
- fix name conflict with libc
- avoid undefined behavior
- avoid implicit int for clang
- declare own functions, sprinkle const and static, and fix
signedness to get a clean build (except for one remaining issue
where it's not clear what to do)
- remove unused elements detected by gcc
- fix some problems detected by gcc
- fix a startup crash
- modernize the makefile
Also, don't install the raw image bitmap data and the scripts to digest
it; install only the digested form, as that's all that's used at runtime.
Asterisk Project Security Advisory - ASTERISK-2016-009
Product Asterisk
Summary
Nature of Advisory Authentication Bypass
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known No
Reported On October 3, 2016
Reported By Walter Doekes
Posted On
Last Updated On December 8, 2016
Advisory Contact Mmichelson AT digium DOT com
CVE Name
Description The chan_sip channel driver has a liberal definition for
whitespace when attempting to strip the content between a
SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character as
if it were whitespace. This means that headers such as
Contact\x01:
will be seen as a valid Contact header.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In such
a case, a crafty combination of valid and invalid To
headers can cause a proxy to allow an INVITE request into
Asterisk without authentication since it believes the
request is an in-dialog request. However, because of the
bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then this
issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy keeps
track of what dialogs are currently valid), then this issue
does not affect you.
If you use chan_pjsip instead of chan_sip, then this issue
does not affect you.
Resolution chan_sip has been patched to only treat spaces and
horizontal tabs as whitespace following a header name. This
allows for Asterisk and authenticating proxies to view
requests the same way.
Affected Versions
Product                 Release Series
Asterisk Open Source    11.x            All Releases
Asterisk Open Source    13.x            All Releases
Asterisk Open Source    14.x            All Releases
Certified Asterisk      13.8            All Releases
Corrected In
Product                 Release
Asterisk Open Source    11.25.1, 13.13.1, 14.2.1
Certified Asterisk      11.6-cert16, 13.8-cert4
Patches
SVN URL Revision
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/ASTERISK-2016-009.pdf and
http://downloads.digium.com/pub/security/ASTERISK-2016-009.html
Revision History
Date Editor Revisions Made
November 28, 2016 Mark Michelson Initial writeup
Copyright (c) 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
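Added example, not part of the advisory and not Asterisk's source code: a small C model of the header-name matching described above, showing the liberal whitespace rule beside the RFC 3261 rule, plus a check a proxy or log filter could run to flag header names that contain control bytes. All function names and the sample header line are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of the pre-patch rule as the advisory describes it: any
 * non-printable ASCII byte before the colon is skipped as whitespace. */
static int ws_liberal(unsigned char c) { return c <= 32 || c == 127; }

/* RFC 3261 rule applied by the fix: only SP and HTAB are whitespace. */
static int ws_strict(unsigned char c) { return c == ' ' || c == '\t'; }

/* Return 1 if line is a header called name under the given whitespace rule. */
static int header_matches(const char *line, const char *name,
                          int (*is_ws)(unsigned char))
{
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0)
        return 0;
    const char *p = line + n;
    while (*p && is_ws((unsigned char)*p))
        p++;
    return *p == ':';
}

int liberal_match(const char *l, const char *n) { return header_matches(l, n, ws_liberal); }
int strict_match(const char *l, const char *n) { return header_matches(l, n, ws_strict); }

/* Defensive check: flag a header line that has a control byte other than
 * HTAB anywhere before its first colon. */
int has_suspicious_name(const char *line)
{
    const char *colon = strchr(line, ':');
    if (!colon)
        return 0;
    for (const char *p = line; p < colon; p++) {
        unsigned char c = (unsigned char)*p;
        if ((c < 32 && c != '\t') || c == 127)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample line using the advisory's Contact\x01: form. */
    const char *line = "Contact\x01: <sip:alice@example.invalid>";
    printf("liberal=%d strict=%d flagged=%d\n", liberal_match(line, "Contact"),
           strict_match(line, "Contact"), has_suspicious_name(line));
    return 0;
}
```

The two matchers disagree only on lines like the constructed one, which is the disagreement between proxy and Asterisk that the advisory describes.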
Upstream changes:
2.003000 - 2016-12-09
- fix create_class_with_roles being used multiple times with the same packages
- fix edge case with @ISA assignment on perl 5.10.0
- minor test adjustments
- fix handles on oddly named attributes
- make has options linkable in documentation
- Sub::Quote and Sub::Defer have been split into a separate dist
===========================
Bugfixes:
---------
- Double free when failed to apply zone journal
- Zone bootstrap retry interval not preserved upon zone reload
- DNSSEC related records not flushed if not signed
- False semantic checks warning about incorrect type in NSEC bitmap
- Memory leak in kzonecheck
Improvements:
-------------
- All zone names are fully-qualified in log
Features:
---------
- New kjournalprint utility
Knot DNS 2.3.2 (2016-11-04)
===========================
Bugfixes:
---------
- Incorrect %s expansion for the root zone
- Failed to refresh not existing slave zone after restart
- Immediate zone refresh upon restart if refresh already scheduled
- Early zone transfer after restart if transfer already scheduled
- Not ignoring empty non-terminal parents during delegation lookup
- CD bit preservation in responses
- Compilation error on GNU/kFreeBSD
- Server crash after double zone-commit if journal error
Improvements:
-------------
- Speed-up of knotc if control operation and known socket
- Zone purge operation purges also zone timers
Features:
---------
- Simple modules don't require empty configuration section
- New zone journal path configuration option
- New timeout configuration option for module dnsproxy
Upstream relnotes:
Changes for 4.3.27
==================
Fixes for CGI acknowledgements and NK/criticalview web redirects.
Xymon should now properly check for lack of SSLv3 (or v2) support at compile-
time and exclude the openssl options as needed.
Completely empty directories (on Windows) are no longer considered errors.
Changes for 4.3.26
==================
This is mostly a bug fix release for javascript issues on the info and
trends pages, along with the enable / disable CGI. Several browsers had
difficulty with the new CSP rules introduced in 4.3.25.
XYMWEBREFRESH is now used as the default refresh interval for dynamic
status pages and various other xymongen destinations. Non-svcstatus
pages can be overridden by altering the appropriate *_header template
files, but svcstatus refresh interval uses this value. (default: 60s)
Set in xymonserver.cfg(5).
Incoming test names are now restricted to alphanumeric characters, colons,
dashes, underscores, and slashes. Slashes and colons may be restricted in
a future release.
Unconfigured (ghost) host names are now restricted to alphanumerics, colons,
commas, periods, dashes, and underscores. It is strongly recommended to use only
valid hostnames and DNS components in server names.
Files matched multiple times by logfetch in the client config retrieved
from config-local.cfg (such as a file matching multiple globs) will now only
be scanned once and only use the ignore/trigger rules from its first entry.
(Note: A future version of Xymon may combine all matching rules for a file together.)
CLASS groupings in analysis.cfg and alerts.cfg will now reliably work for
hosts with a CLASS override in hosts.cfg. Previously, this class was not used
in favor of the class type sent in on any specific client message.
Changelog from release notes:
Bug Fixes in Qore:
* fixed a reference bug in the Queue class introduced in the last release
(issue 1309)
* fixed a bug where database types could not be correctly aligned if they had
dependencies (issue 1314); entailed updates in the following modules:
SqlUtil
FreetdsSqlUtil
MysqlSqlUtil
OracleSqlUtil
PgsqlSqlUtil
Schema
* fixed a bug in trunc_str() where an infinite loop could be triggered with
certain arguments and multi-byte character encodings (issue 1327)
* improved prompt collection performance with larger graphs of objects by
eliminating unnecessary graph scans made during object method calls
(issue 1363)
* fixed bugs in date(string) and date(string, string) where invalid input data
was ignored and invalid dates were returned (issue 1369)
* CsvUtil.qm module:
fixed a bug in AbstractCsvIterator::identifyTypeImpl() generating an
error message (issue 1355)
* MailMessage.qm module:
fixed a bug using the default encoding in Message::attach()
(issue 1352)
* SqlUtil.qm module:
* fixed the ignored character_semantics column option in schema alignment
(issue 1379)
* implemented the cop_length() column function (issue 1395)
* OracleSqlUtil.qm module:
OraclePackage attribute body_src is now public to access package bodies
* Qorize.qm module:
Qorize module: new qorize_val() set of functions; qorize_named()
introduced; qorize tests
* TableMapper.qm module:
* fixed runtime option propagation to
TableMapper::SqlStatementMapperIterator from
TableMapper::AbstractSqlStatementOutboundMapper::iterator()
(issue 1418)
* fixed SqlStatementMapperIterator::getCount() (issue 1417)
* added the following methods:
TableMapper::AbstractSqlStatementOutboundMapper::getRowIterator()
TableMapper::InboundTableMapper::iterator()
TableMapper::InboundTableMapperIterator::getRuntime()
TableMapper::InboundTableMapperIterator::replaceRuntime()
TableMapper::InboundTableMapperIterator::setRuntime()
TableMapper::SqlStatementMapperIterator::getRuntime()
TableMapper::SqlStatementMapperIterator::replaceRuntime()
TableMapper::SqlStatementMapperIterator::setRuntime()
* QUnit.qm module:
fixed showing the assertion location when there are test modules on
top of QUnit.qm (issue 1046)
* fixed inconsistency between list splice operator and splice function
(issue 1380)
* fixed the documentation (and DB modules) where
SQLStatement::fetchColumns() was inconsistent; now it will return an
empty hash when no more rows are available to fetch (issue 1241)
* added I/O timeout support to the FtpClient class (issue 1252)
* fixed bugs in Socket::recv() and Socket::recvBinary() with size = 0
where NOTHING could be returned which is invalid according to the
methods' declared return types (issue 1260)
* fixed a bug where FtpClient:get() would fail with an exception when
retrieving an empty file (issue 1255)
* fixed a bug where executing a call reference to a deleted object
method would cause a crash (issue 1268)
* fixed a bug where Qore would allow methods to be called on already
deleted objects under certain conditions (issue 1270)
* fixed a bug where calling exit() in a multithreaded program could
result in a segmentation fault (issue 1215)
* fixed a bug where HttpServer::addListener() could not accept a bind on
port 0 to mean any random port (issue 1284)
* fixed a race condition in prompt collection that could lead to a crash
(issue 1084)
* fixed a bug clearing Socket event queues when the Socket goes out of
scope that could lead to a crash (issue 1292)
* fixed a bug with FtpClient::setWarningQueue() that could cause a crash
(issue 1293)
* fixed a bug where Qore::FtpClient::pwd() returned invalid directory
names (issue 1295)
* fixed bugs in handling websocket close status codes in the
WebSocketUtil, WebSocketClient, and WebSocketHandler modules
(issue 1216)
* TableMapper module fixes:
* fixed a bug with the SqlStatementOutboundMapper::iterator() method;
corrected the iterator object return value which was causing
AbstractMapperIterator::mapBulk() to fail (issue 979)
* fixed a bug with SqlStatementOutboundMapper; it would throw an error
if the required "table" or "sh" options were used and only worked
with subclasses that declared these options (issue 981)
* fixed a bug where AbstractSqlStatementOutboundMapper::iterator()
failed to use options when creating the new Mapper object
(issue 1088)
* fixed a bug where optional arguments were not handled correctly in
some rare cases (issue 974)
* fixed a bug causing a crash when parse_base64_string_to_string() was
called with an empty string (issue 996)
* fixed a bug resolving base class method calls during parse
initialization (issue 1075)
* fixed thread memory handling bug with some operator expressions and
the background operator (issue 1096)
* fixed a race condition in the prompt collection of closure-bound local
variables in the garbage collector (issue 1103)
* fixed a bug where HTTPClient class method variants such as
HTTPClient::get() without a callback would fail to return the message
body when the server sent a reply with chunked transfer encoding
(issue 1117)
* fixed a bug in CsvUtil where backward compatibility was broken for
single-row-type format (issue 1124)
* fixed bugs where declared public functions were missing from the
library ABI (issue 1126)
* fixed bugs where Qore::format_number() and <float>::format() gave
incorrect results when rounding to the significant decimals given in
the format string (issue 1149)
* fixed a bug referencing self in base class constructor arguments
(issue 1169)
* fixed a bug where the incorrect class destructor was called in the
openldap module (issue 1174)
* fixed a bug where declaring a copy() method as synchronized would
result in a crash when the method was called (issue 1188)
* fixed bugs in <string>::getEncoded() and <string>::getDecoded()
regarding CE_XML and CE_NONASCII (issue 1193)
* fixed bugs where Qore::call_object_method() and
Qore::call_object_method_args() allowed private methods to be called
from outside the class (issue 1194)
* fixed a bug where "Deprecated" Functions methods were being internally
registered as RUNTIME_NOOP (issue 1197)
* fixed bugs where the Datasource class would open a connection to the
server in the constructor before options were set and where a server
connection was required to call Datasource::getOption() or
Datasource::setOption() (issue 1201)
* fixed memory errors in the Queue class where spurious exceptions could
be raised (issue 1202)
* fixed a memory leak with static class member initializers (issue 1206)
Changes:
20161023 - 1.37.91
[!] * Changed version of the shared library.
[-] * Improved support for ZTE MF100.
[-] * Ignore unsolicited +CLCC: reply.
[-] * Correctly report when some SMSD SQL backend is not compiled in.
[-] * Fix build of MySQL backend on Linux.
20161018 - 1.37.90
[-] * Improved support for Huawei K3770.
[!] * API changes in some parameter types.
[-] * Fixed various Windows compilation issues.
[-] * Fixed several resource leaks.
[-] * Create outbox SMS atomically in FILES backend.
[!] * Removed getlocation command as we no longer fit into their usage policy.
[-] * Fixed call diverts on TP-LINK MA260.
[+] * Initial support for Oracle database.
[!] * Removed unused daemons, pbk and pbk_groups tables from the SMSD schema.
[+] * SMSD outbox entries now can have priority set in the database.
[+] * Added SIM IMSI to the SMSD status table.
[+] * Added CheckNetwork directive.
[+] * SMSD attempts to power on radio if disabled.
[-] * Fixed processing of AT unsolicited responses in some cases.
[-] * Fixed parsing USSD responses from some devices.
20160816 - 1.37.4
[-] * Improved support for Huawei E3131.
[-] * Fixed SMS support for MULTIBAND 900E.
[-] * Fixed SMS created in text mode.
20160524 - 1.37.3
[-] * Improved support for Huawei E398.
[-] * Improved support for Huawei/Vodafone K4505.
[-] * Fixed possible crash if SMSD used in library.
[-] * Improved support for Huawei E180.
20160413 - 1.37.2
[-] * Fixed compilation of SMSD.
20160413 - 1.37.1
[-] * Properly report errors in HEX encoded strings from SMSD SQL backends.
[-] * Configurable SMSD table names.
[-] * Improved support for Huawei E303.
[-] * Improved support for Vodafone K4511.
[-] * Improved support for Telit M2M modules.