pkgsrc/comms/asterisk16
jnemeth 2e4af05973 This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes
in the iLBC codec files.

     __________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-013

         Product        Asterisk
         Summary        Possible remote enumeration of SIP endpoints with
                        differing NAT settings
    Nature of Advisory  Unauthorized data disclosure
      Susceptibility    Remote unauthenticated sessions
         Severity       Minor
      Exploits Known    Yes
       Reported On      2011-07-18
       Reported By      Ben Williams
        Posted On
     Last Updated On    December 7, 2011
     Advisory Contact   Terry Wilson <twilson at digium.com>

         CVE Name

    Description  It is possible to enumerate SIP usernames when the general
                 and user/peer NAT settings differ in whether to respond to
                 the port a request is sent from or the port listed for
                 responses in the Via header. In 1.4 and 1.6.2, this would
                 mean if one setting was nat=yes or nat=route and the other
                 was either nat=no or nat=never. In 1.8 and 10, this would
                 mean when one was nat=force_rport or nat=yes and the other
                 was nat=no or nat=comedia.

    Resolution  Handling NAT for SIP over UDP requires the differing
                behavior introduced by these options.

                To lessen the frequency of unintended username disclosure,
                the default NAT setting was changed to always respond to the
                port from which we received the request-the most commonly
                used option.

                Warnings were added on startup to inform administrators of
                the risks of having a SIP peer configured with a different
                setting than that of the general setting. The documentation
                now strongly suggests that peers are no longer configured
                for NAT individually, but through the global setting in the
                "general" context.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source             All        All versions

                                  Corrected In
     As this is more of an issue with SIP over UDP in general, there is no
     fix supplied other than documentation on how to avoid the problem. The
        default NAT setting has been changed to what we believe the most
      commonly used setting for the respective version in Asterisk 1.4.43,
                             1.6.2.21, and 1.8.7.2.

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-013.pdf and
    http://downloads.digium.com/pub/security/AST-2011-013.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-013
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

     __________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-014

         Product        Asterisk
         Summary        Remote crash possibility with SIP and the "automon"
                        feature enabled
    Nature of Advisory  Remote crash vulnerability in a feature that is
                        disabled by default
      Susceptibility    Remote unauthenticated sessions
         Severity       Moderate
      Exploits Known    Yes
       Reported On      November 2, 2011
       Reported By      Kristijan Vrban
        Posted On       2011-11-03
     Last Updated On    December 7, 2011
     Advisory Contact   Terry Wilson <twilson at digium.com>

         CVE Name

    Description  When the "automon" feature is enabled in features.conf, it
                 is possible to send a sequence of SIP requests that cause
                 Asterisk to dereference a NULL pointer and crash.

    Resolution  Applying the referenced patches that check that the pointer
                is not NULL before accessing it will resolve the issue. The
                "automon" feature can be disabled in features.conf as a
                workaround.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source           1.6.2.x      All versions
         Asterisk Open Source            1.8.x       All versions

                                  Corrected In
                   Product                              Release
            Asterisk Open Source                   1.6.2.21, 1.8.7.2

                                     Patches
                              Download URL                            Revision
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff   1.8.7.1

            Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2011-014.pdf and
    http://downloads.digium.com/pub/security/AST-2011-014.html

                                Revision History
           Date                 Editor                 Revisions Made

               Asterisk Project Security Advisory - AST-2011-014
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
2011-12-12 05:05:33 +00:00
..
files The stop and reload commands require the core prefix now. 2010-11-29 04:20:32 +00:00
patches Update to 1.6.2.19 (fixes several security issues): 2011-07-05 08:34:47 +00:00
DESCR
distinfo This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes 2011-12-12 05:05:33 +00:00
Makefile This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes 2011-12-12 05:05:33 +00:00
MESSAGE
options.mk This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes 2011-12-12 05:05:33 +00:00
PLIST Now that -current has sqlite3 included in base, enable it here. 2011-12-05 04:18:32 +00:00