Upstream changes:
* Release 3.35
2016-11-29 Karl Williamson <khw@cpan.org>
Needed to 'make manifest' before uploading to CPAN. No changes beyond
version bump
* Release 3.35
2016-11-29 Karl Williamson <khw@cpan.org>
Stabilize t/search50.t. Thanks to rurban for the patch!
Turn off utf8 warnings when trying to see if a file is UTF-8 or not.
* Release 3.33
No changes since 3.32.
Upstream changes:
0.18 2016-10-03T04:36:04Z
- Use a better tempdir, fix some documentation, and make json test more readable #4 (Thank you karenetheridge)
Add missing DEPENDS
Upstream changes:
0.19 2016-11-08 08:08:16 Europe/Copenhagen
- The standard is not clear on this, and some servers don't allow them, but it seems that DELETE can take a request body.
- Added serializer_options so it's possible to instantiate the serializer w/ parameters
- Fixed "Use of uninitialized value in concatenation (.) or string" warning when $self->server is not initialized
- Changes for rt #118413. Thanks to abraxxa
http_headers return a combined hashref of http_headers and persistent_headers
new method, clear_all_headers
Upstream changes:
7.11 2016-11-30
- Added EXPERIMENTAL close_idle_connections method to Mojo::Server::Daemon.
- Improved one_tick method in Mojo::IOLoop to protect from recursion, similar
to the start method.
- Improved log attribute in Mojolicious to make it easier to override default
settings. (jberger)
- Fixed bug in Mojo::Server::Prefork where workers would accept keep-alive
requests after a graceful shutdown had already been initiated.
- Fixed bugs in Mojo::Util and Mojo::Asset::File where incomplete writes would
not be recognized as errors. (bobkare, sri)
Upstream changes:
1.31 2016-11-25 09:33:47 -0500
- Migrated from Module::Install to Dist::Zilla and ExtUtils::MakeMaker
- Fixed meta for repository which was pointing to the wrong URL
1.30 23 Nov 2016
- Moving to prod release
1.29_02 23 Nov 2016
- Update metadata to point to github repository.
Plus some other minor dist meta tweaks.
- Note: planning on doing a migration from Module::Install
to ExtUtils::MakeMaker shortly AFTER the next production
release.
1.29_01 22 Nov 2016
- Fix Makefile.PL to work with Perls without '.' in @INC
- Fix for the installed method when used with a PAR archive (rt#42846)
- Minor documentation fixes (grammar, spelling: rt#74481, rt#85356)
Upstream changes:
2016-09-08 Gisle Aas <gisle@ActiveState.com>
Release 2.10
Applied patch from Michael Joyce that is required to make the
test pass for perl-5.24
- use standard headers
- don't use perror, don't use sprintf
- fix time handling issues
- compile in paths so the data can be installed (from patch-ab)
- fix name conflict with libc
- avoid undefined behavior
- avoid implicit int for clang
- declare own functions, sprinkle const and static, and fix
signedness to get a clean build (except for one remaining issue
where it's not clear what to do)
- remove unused elements detected by gcc
- fix some problems detected by gcc
- fix a startup crash
- modernize the makefile
Also, don't install the raw image bitmap data and the scripts to digest
it; install only the digested form, as that's all that's used at runtime.
Asterisk Project Security Advisory - ASTERISK-2016-009
Product Asterisk
Summary
Nature of Advisory Authentication Bypass
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known No
Reported On October 3, 2016
Reported By Walter Doekes
Posted On
Last Updated On December 8, 2016
Advisory Contact Mmichelson AT digium DOT com
CVE Name
Description The chan_sip channel driver has a liberal definition for
whitespace when attempting to strip the content between a
SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character as
if it were whitespace. This means that headers such as
Contact\x01:
will be seen as a valid Contact header.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In such
a case, a crafty combination of valid and invalid To
headers can cause a proxy to allow an INVITE request into
Asterisk without authentication since it believes the
request is an in-dialog request. However, because of the
bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then this
issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy keeps
track of what dialogs are currently valid), then this issue
does not affect you.
If you use chan_pjsip instead of chan_sip, then this issue
l
does not affect you.
Resolution chan_sip has been patched to only treat spaces and
horizontal tabs as whitespace following a header name. This
allows for Asterisk and authenticating proxies to view
requests the same way
Affected Versions
Product Release
Series
Asterisk Open Source 11.x All Releases
Asterisk Open Source 13.x All Releases
Asterisk Open Source 14.x All Releases
Certified Asterisk 13.8 All Releases
Corrected In
Product Release
Asterisk Open Source 11.25.1, 13.13.1, 14.2.1
Certified Asterisk 11.6-cert16, 13.8-cert4
Patches
SVN URL Revision
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/ASTERISK-2016-009.pdf and
http://downloads.digium.com/pub/security/ASTERISK-2016-009.html
Revision History
Date Editor Revisions Made
November 28, 2016 Mark Michelson Initial writeup
Asterisk Project Security Advisory - ASTERISK-2016-009
Copyright (c) 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Upstream changes:
2.003000 - 2016-12-09
- fix create_class_with_roles being used multiple times with the same packages
- fix edge case with @ISA assignment on perl 5.10.0
- minor test adjustments
- fix handles on oddly named attributes
- make has options linkable in documentation
- Sub::Quote and Sub::Defer have been split into a separate dist
===========================
Bugfixes:
---------
- Double free when failed to apply zone journal
- Zone bootstrap retry interval not preserved upon zone reload
- DNSSEC related records not flushed if not signed
- False semantic checks warning about incorrect type in NSEC bitmap
- Memory leak in kzonecheck
Improvements:
-------------
- All zone names are fully-qualified in log
Features:
---------
- New kjournalprint utility
Knot DNS 2.3.2 (2016-11-04)
===========================
Bugfixes:
---------
- Incorrect %s expansion for the root zone
- Failed to refresh not existing slave zone after restart
- Immediate zone refresh upon restart if refresh already scheduled
- Early zone transfer after restart if transfer already scheduled
- Not ignoring empty non-terminal parents during delegation lookup
- CD bit preservation in responses
- Compilation error on GNU/kFreeBSD
- Server crash after double zone-commit if journal error
Improvements:
-------------
- Speed-up of knotc if control operation and known socket
- Zone purge operation purges also zone timers
Features:
---------
- Simple modules don't require empty configuration section
- New zone journal path configuration option
- New timeout configuration option for module dnsproxy
