db145aa624
it fixes AST-2017-005, AST-2017-006, AST-2017-006, AST-2017-008, AST-2017-009, AST-2017-010, AST-2017-011, AST-2017-012, AST-2017-013, and AST-2017-014. Note that several of these are related to PJSIP which pkgsrc doesn't use.

----- 14.7.5 -----

The Asterisk Development Team would like to announce security releases for Asterisk 13, 14 and 15, and Certified Asterisk 13.18. The available releases are released as versions 13.18.5, 14.7.5, 15.1.5 and 13.18-cert2.

The following security vulnerabilities were resolved in these versions:

* AST-2017-014: Crash in PJSIP resource when missing a contact header

  A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and using the PJSIP channel driver, it would cause Asterisk to crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled a user would have to first be authorized before reaching the crash point.

For a full list of changes in the current releases, please see the ChangeLogs:

https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.7.5

The security advisory is available at:

https://downloads.asterisk.org/pub/security/AST-2017-014.pdf

Thank you for your continued support of Asterisk!

----- 14.7.4 -----

The Asterisk Development Team has announced security releases for Certified Asterisk 13.13 and Asterisk 13, 14 and 15. The available security releases are released as versions 13.13-cert9, 13.18.4, 14.7.4 and 15.1.4.

The release of these versions resolves the following security vulnerabilities:

* AST-2017-012: Remote Crash Vulnerability in RTCP Stack

  If a compound RTCP packet is received containing more than one report (for example a Receiver Report and a Sender Report) the RTCP stack will incorrectly store report information outside of allocated memory potentially causing a crash.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.7.4

The security advisories are available at:

http://downloads.asterisk.org/pub/security/AST-2017-012.html
http://downloads.asterisk.org/pub/security/AST-2017-012.pdf

Thank you for your continued support of Asterisk!

----- 14.7.3 -----

The Asterisk Development Team has announced security releases for Certified Asterisk 13.13 and Asterisk 13, 14 and 15. The available security releases are released as versions 13.13-cert8, 13.18.3, 14.7.3 and 15.1.3.

The release of these versions resolves the following security vulnerabilities:

* AST-2017-013: DOS Vulnerability in Asterisk chan_skinny

  If the chan_skinny (AKA SCCP protocol) channel driver is flooded with certain requests it can cause the asterisk process to use excessive amounts of virtual memory eventually causing asterisk to stop processing requests of any kind.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog=14.7.3

The security advisories are available at:

http://downloads.asterisk.org/pub/security/AST-2017-013.pdf

Thank you for your continued support of Asterisk!

----- 14.7.2 -----

The Asterisk Development Team would like to announce the release of Asterisk 14.7.2.

The release of Asterisk 14.7.2 resolves several issues reported by the community and would have not been possible without your participation. Thank you!
The following issues are resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-27387 - Regression: pjsip 13.18.0 - from_user - "+" character isn't allowed any more (Reported by Michael Maier)
* ASTERISK-27391 - Regression: Deadlock between AOR named lock and pjproject grp lock (Reported by shaurya jain)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-14.7.2

Thank you for your continued support of Asterisk!

----- 14.7.0 -----

The Asterisk Development Team would like to announce the release of Asterisk 14.7.0.

The release of Asterisk 14.7.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following issues are resolved in this release:

Improvements made in this release:
-----------------------------------
* ASTERISK-27278 - [patch] chan_sip: Provide access to read the full SIP Request-URI from INVITE (Reported by David J. Pryke)
* ASTERISK-27255 - alembic: Add support for Microsoft SQL server (Reported by Florian Floimair)
* ASTERISK-27253 - [patch] libsrtp-2.1.x support (Reported by Alexander Traud)
* ASTERISK-27220 - Enable CHANNEL function to get from and to tag from SIP Headers (Reported by Andre Nazario)
* ASTERISK-27169 - Google OAuth 2.0 support for XMPP / Motif (Reported by Andrey)
* ASTERISK-27173 - Support for GMIME 3.0 (Reported by Tzafrir Cohen)
* ASTERISK-27092 - [patch] app_queue: Add Priority to AMI QueueStatus (Reported by Niklas Larsson)
* ASTERISK-27085 - [patch] chan_pjsip: Port SIPDtmfMode to chan_pjsip (Reported by Torrey Searle)

Bugs fixed in this release:
-----------------------------------
* ASTERISK-27346 - res_xmpp: Crash if OAuth 2.0 is used before curl is loaded (Reported by Ronald Raikes)
* ASTERISK-27372 - ARI: Node ARI client broken in latest versions of 13 and 14 (Reported by Benjamin Keith Ford)
* ASTERISK-27047 - res_pjsip: user=phone added to Anonymous caller-id when it shouldn't be. (Reported by dtryba)
* ASTERISK-27270 - cdr_mysql: various crashes at second module reload if cdr_mysql.conf is configured (Reported by Tzafrir Cohen)
* ASTERISK-25266 - Application Originate returns SUCCESS to ORIGINATE_STATUS upon failure to originate (Reported by Allen Ford)
* ASTERISK-27192 - res_pjsip: Loss of SIP registrations causing unavailable endpoints (Reported by Richard Mudgett)
* ASTERISK-27305 - res_ari: Memory leaks in ARI when using Content-Type: application/json (Reported by David Hajek)
* ASTERISK-26922 - chan_sip: tcpbind uses wrong source address (Reported by Ksenia)
* ASTERISK-27324 - [patch] Dual-Stack server cannot be used as IPv4 client via TCP/TLS (Reported by Alexander Traud)
* ASTERISK-27317 - vector: multiple evaluation of elem in AST_VECTOR_ADD_SORTED. (Reported by Corey Farrell)
* ASTERISK-27318 - res_pjsip_mwi: uninitialized value from ast_strings_match (Reported by Corey Farrell)
* ASTERISK-27284 - Status of RFC 3323 and PJSIP (Reported by dtryba)
* ASTERISK-27296 - [patch] False positive busy checks when icalendar's recurrence-id mechanism is involved (Reported by Benoît Dereck-Tricot)
* ASTERISK-27216 - app_queue: does its check-makeannouncement-logic twice each head-caller-loop (Reported by Stefan Engström)
* ASTERISK-27298 - Problem with expires on pjsip / outbound-publish (Reported by Cyrille Demaret)
* ASTERISK-27295 - Contact is improperly translated after d178f497 (Reported by Sean Bright)
* ASTERISK-27292 - Multiple RTP Stream Created Breaking RFC2833 (SSRC Changes) (Reported by Ross Beer)
* ASTERISK-27289 - A codeblock that maintains a bug,but maybe the codeblock will never run (Reported by Huangyx)
* ASTERISK-27283 - Realtime config fail with PostgreSQL version before 9.1 (Reported by Rodrigo Ramirez Norambuena)
* ASTERISK-27257 - bridge_native_rtp: half-way direct media when using early bridging (Reported by Jean Aunis - Prescom)
* ASTERISK-27279 - Crash in pubsub_on_rx_request NULL pointer - Possible PJSIP Vulnerability (Reported by Ross Beer)
* ASTERISK-26606 - tcptls: Incorrect OpenSSL function call leads to misleading error report (Reported by Bob Ham)
* ASTERISK-16898 - SRTP unprotect: authentication failure when RTP sequence number switches from 65535 -> 0 (Reported by Marcello Ceschia)
* ASTERISK-27274 - RTCP needs better packet validation to resist port scans. (Reported by Richard Mudgett)
* ASTERISK-27252 - RTP: One way audio with direct media and strictrtp=yes. (Reported by Richard Mudgett)
* ASTERISK-25524 - module reload res_calendar.so does not reload everything in calendar.conf (Reported by Jesper)
* ASTERISK-24588 - res_calendar does not process CalDAV from Owncloud [fix included] (Reported by Stefan Gofferje)
* ASTERISK-25523 - res_calendar: Warning about invalid channel value (for notification) occurs even when event has no notification configured. (Reported by Jesper)
* ASTERISK-21399 - RTP Multicast of L16 (type 10): Asterisk and wireshark disagree (Reported by Tzafrir Cohen)
* ASTERISK-27248 - [patch]external_media_address and external_signaling_address don't always honor localnet (Reported by Walter Doekes)
* ASTERISK-27217 - chan_sip: Asterisk crashing when subscription doesn't get set (Reported by Bryan Walters)
* ASTERISK-24066 - res_smdi: convert to astobj2 (Reported by Corey Farrell)
* ASTERISK-17540 - SDP origin attribute modified when issuing re-INVITE because of directmedia=yes (Reported by saghul)
* ASTERISK-27254 - alembic: prune_on_boot fix erroneous (Reported by Florian Floimair)
* ASTERISK-27232 - When in queue on g722 with interruptions, music on hold can get stuck and no longer play (Reported by Jens T.)
* ASTERISK-27024 - nat/external_media settings ignored in 14.4.1 (Reported by Christopher van de Sande)
* ASTERISK-26879 - PJSIP external_media_address ignored if no local_net options are provided (Reported by Matt Jordan)
* ASTERISK-27165 - CDR: CDR(start,u) function won't work in cdr_custom config (Reported by Jacek Konieczny)
* ASTERISK-27236 - Segfault ast_channel_name (chan=0x0) at channel_internal_api.c:478 during T.38 Fax Receive (Reported by Ross Beer)
* ASTERISK-27225 - Crash when freeing dtls_cfg->cafile (Reported by Richard Kenner)
* ASTERISK-27177 - ooh323c: misleading indentation in addons/ooh323c/src/ooSocket.c (Reported by Tzafrir Cohen)
* ASTERISK-27241 - libc segfault upon entry into app_directory (Reported by David Moore)
* ASTERISK-27152 - Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash (Reported by Ross Beer)
* ASTERISK-27103 - core: ast_safe_system command injection possible. (Reported by Corey Farrell)
* ASTERISK-27013 - res_rtp_asterisk: Media can be hijacked even with strict RTP enabled (Reported by Joshua Colp)
* ASTERISK-26994 - Confbridge: CBAnn channels intermittently become stuck when caller hangs up before recording name (Reported by James Terhune)
* ASTERISK-20858 - app_minivm fails to clean up mkstemp files (Reported by Walter Doekes)
* ASTERISK-16777 - several filename bugs in Record() application (Reported by klaus3000)
* ASTERISK-27209 - Incorrect SDP in 200 OK when PJSIP_DTMF_MODE is used (Reported by Torrey Searle)
* ASTERISK-27168 - alembic: PJSIP scripts are missing column dtls_fingerprint in ps_endpoints table (Reported by Florian Floimair)
* ASTERISK-19103 - When using realtime queues, function QUEUE_MEMBER_LIST() will return an error if no other app/function has loaded the queues first. This problem does not exist if queues.conf is used. (Reported by Jim Van Meggelen)
* ASTERISK-21241 - When using voicemail as announce only (maxmsg=0), the star dtmf to enter the voicemail is not honored (Reported by Eelco Brolman)
* ASTERISK-27204 - [patch] app_queue: Wrong queue stat calculation (Reported by sungtae kim)
* ASTERISK-27207 - XMPP OAuth not working due to inverted logic (Reported by Michael Kuron)
* ASTERISK-27174 - res_calendar_icalendar: Recurring events not being loaded from Google calendar using ical (Reported by Mark Thompson)
* ASTERISK-27202 - If wget is not installed and "or" is not available, external components (excluding pjsip) are not installed (Reported by Seán C. McCord)
* ASTERISK-27147 - Either asterisk or pjproject isn't re-using tcp connections (again) (Reported by George Joseph)
* ASTERISK-27193 - IPv6 receive address in message doesn't include brackets (Reported by Scott Griepentrog)
* ASTERISK-26745 - Asymmetric codecs when asymmetric_rtp_codec=no (Reported by Jesse Ross)
* ASTERISK-27158 - [patch] res_rtp_asterisk: RTCP statistics are not available when native bridge is used (Reported by Torrey Searle)
* ASTERISK-27110 - RTP session is not fully destroyed on channel hangup (Reported by Matt Jordan)
* ASTERISK-27171 - Asterisk 15.0.0-Beta1 does not compile (Reported by Ira Emus)
* ASTERISK-26659 - res_pjsip: PJSIP presence - missing braces around the status element in XML (Reported by Abraham Liebsch)
* ASTERISK-27156 - Asterisk won't compile on Fedora 26 with devmode enabled. (Reported by Corey Farrell)
* ASTERISK-27130 - Applications ARI: Unsubscribe action for deviceStates does not remove old subscriptions properly (Reported by Sergej Kasumovic)
* ASTERISK-25810 - say.c calls for sounds in the subdir "digits" that don't exist (in Core). SayUnixTime or other Say... apps will fail out when they call these sounds. (Reported by Nicolas Riendeau)
* ASTERISK-27142 - sounds: Conflict between files in asterisk-sounds-core-1.6 and asterisk-sounds-extra-1.5 (Reported by Corey Farrell)
* ASTERISK-27133 - res_rtp_asterisk: RTCP does not use ICE when RTCP-MUX in use (Reported by Joshua Colp)
* ASTERISK-27123 - confbridge: Name recordings are left on filesystem (Reported by Sergej Kasumovic)
* ASTERISK-27122 - chan_iax2: On reload MWI taskprocessors keep adding up (Reported by Sergej Kasumovic)
* ASTERISK-26807 - sounds: New 3-D Binaural audio features require new sound prompts (Reported by Rusty Newton)
* ASTERISK-25816 - French conf-adminmenu, conf-usermenu prompts differ in content from the English files (Reported by Benoit Duverger)
* ASTERISK-26274 - Resolve open sounds issues and then create a new sounds release (1.5.1? or 1.6?) (Reported by Rusty Newton)
* ASTERISK-27128 - [patch]res_stasis_snoop: When recording a snoop channel (using ARI) where no media is being received, no recording happens when theres no media (Reported by Dan Jenkins)
* ASTERISK-27124 - app_playback.c:say_date_generic use timezonename parameter (Reported by Holger Hans Peter Freyther)
* ASTERISK-27127 - configs: Erroneous load directive in sample configuration results in "Error loading module 'res_pjsip_multihomed.so'" (Reported by HZMI8gkCvPpom0tM)
* ASTERISK-27105 - [patch]core: when setting 'maxfiles' in asterisk.conf, a message is printed, even in rasterisk -x (Reported by Tzafrir Cohen)
* ASTERISK-27036 - res_pjsip: Asterisk crashes when an extension tries to use PJSIP trunk with from_user containing '@' (Reported by Maxim Vasilev)
* ASTERISK-27023 - res_rtp_asterisk: Deadlock when TURN session in use (Reported by Jatin Jain)
* ASTERISK-27093 - ODBC deadlocks when app_directory tries to play back non-existent voicemail greeting (Reported by James Terhune)

New Features made in this release:
-----------------------------------
* ASTERISK-27215 - [patch]AMI : Add CancelAtxfer Action (Reported by Thomas Sevestre)
* ASTERISK-27117 - core: Add support for timelen parsing to ast_parse_arg and ACO. (Reported by Corey Farrell)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-14.7.0

Thank you for your continued support of Asterisk!

----- 14.6.0 -----

The Asterisk Development Team would like to announce the release of Asterisk 14.6.0.

The release of Asterisk 14.6.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following issues are resolved in this release:

Bugs fixed in this release:
-----------------------------------
* ASTERISK-27108 - Crash using 'data get' CLI command (Reported by Sean Bright)
* ASTERISK-27106 - [patch] autodomain (SIP Domain Support): Add only really different domain with TLS. (Reported by Alexander Traud)
* ASTERISK-27100 - channel: ast_waitfordigit_full fails to clear flag in an error branch. (Reported by Corey Farrell)
* ASTERISK-27090 - PJSIP: Deadlock using TCP transport (Reported by Richard Mudgett)
* ASTERISK-25665 - Duplicate logging in queue log for EXITEMPTY events (Reported by Ove Aursand)
* ASTERISK-27065 - call hangup after leaving app_queue (Reported by Marek Cervenka)
* ASTERISK-26978 - rtp: Crash in ast_rtp_codecs_payload_code() (Reported by Ross Beer)
* ASTERISK-24052 - app_voicemail reloads result in leaked IMAP sockets. (Reported by Louis Jocelyn Paquet)
* ASTERISK-27074 - core_local: local channel data not being properly unref'ed and unlocked (Reported by Kevin Harwell)
* ASTERISK-27075 - bridge: stuck channel(s) after failed attended transfer (Reported by Kevin Harwell)
* ASTERISK-27060 - Comment typo format_g729.c (Reported by Matthew Fredrickson)
* ASTERISK-27041 - Core/PBX: [patch] Deadlock between dialplan execution and application unregistration (Reported by Frederic LE FOLL)
* ASTERISK-27026 - res_ari: Crash when no ari.conf configuration file exists (Reported by Ronald Raikes)
* ASTERISK-27057 - Seg Fault in ast_sorcery_object_get_id at sorcery.c (Reported by Ryan Smith)
* ASTERISK-27024 - nat/external_media settings ignored in 14.4.1 (Reported by Christopher van de Sande)
* ASTERISK-27046 - res_pjsip_transport_websocket: segfault in get_write_timeout (Reported by Jørgen H)
* ASTERISK-27022 - res_rtp_asterisk: Incorrect SSRC change for RTCP component (Reported by Michael Walton)
* ASTERISK-26923 - bridging: T.38 request is lost when channels are added to bridge (Reported by Torrey Searle)
* ASTERISK-27053 - res_pjsip_refer/session: Calls dropped during transfer (Reported by Kevin Harwell)
* ASTERISK-27052 - Asterisk build process fails with flag --with-pjproject-bundled with curl download command and slow network (Reported by alex)
* ASTERISK-27039 - chan_pjsip: Device state is idle when channel from endpoint is in early media (Reported by Joshua Colp)
* ASTERISK-26996 - chan_pjsip: Flipping between codecs (Reported by Michael Maier)
* ASTERISK-26281 - chan_pjsip would send INVITE to 'Unreachable' endpoints (Reported by Jacek Konieczny)
* ASTERISK-26973 - bridge: Crash when freeing frame and snooping (Reported by Michel R. Vaillancourt)
* ASTERISK-19291 - Background in realtime (Reported by Andrew Nowrot)
* ASTERISK-27025 - channel / meetme: Fix missing parentheses (Reported by Joshua Colp)
* ASTERISK-27021 - GET /recordings/stored returns 500 Internal Server Error (Reported by Tim Morgan)
* ASTERISK-24858 - [patch]Asterisk 13 PJSIP sends RTP packets in wrong byte order on Intel platform when using slin codec (Reported by Frankie Chin)
* ASTERISK-23951 - Asterisk attempts and fails to build format_mp3 even if mp3lib was not downloaded (Reported by Tzafrir Cohen)
* ASTERISK-25294 - srtp's crypto_get_random deprecated (Reported by Tzafrir Cohen)
* ASTERISK-23839 - AGI - RECORD FILE - documentation doesn't describe BEEP argument (Reported by Rusty Newton)
* ASTERISK-22432 - Async AGI crashes Asterisk when issuing "set variable" command without args (Reported by Antoine Pitrou)
* ASTERISK-25662 - Malformed AGI 520 Usage response (Reported by Tony Mountifield)
* ASTERISK-27008 - res_format_attr_h264: SDP parse fails if fmtp optional parameters have a space (Reported by John Harris)
* ASTERISK-26399 - app_queue: Agent not called when caller is parked (Reported by wushumasters)
* ASTERISK-26400 - app_queue: Queue member stops being called after AMI "Redirect" action for queues with wrapuptime (Reported by Etienne Lessard)
* ASTERISK-26715 - app_queue: Member will not receive any new calls after doing a transfer if wrapuptime = greater than 0 and using Local channel (Reported by David Brillert)
* ASTERISK-26975 - app_queue: Non-zero wrapup time can cause agents not to receive queue calls after transfer queue call (Reported by Lorne Gaetz)
* ASTERISK-27012 - app_confbridge: ConfBridge sometimes does not play user name recording while leaving (Reported by Robert Mordec)
* ASTERISK-26979 - res_rtp_asterisk: SRTP unprotect failed with authentication failure 10 or 110 (Reported by Javier Riveros)
* ASTERISK-26982 - chan_sip: rtcp_mux setting may cause ice completion failure/delay if client offers rtcp-mux as negotiable (Reported by Stefan Engström)
* ASTERISK-26964 - res_pjsip_session: Wrong From on reinvite when request and To URI differ (Reported by Yasin CANER)
* ASTERISK-26789 - Audit manipulation of channel flags without locks (Reported by Joshua Colp)
* ASTERISK-26333 - Problems with Blind Transfer, PJSIP (Aastra 6869i) (Reported by Matthias Binder)

Improvements made in this release:
-----------------------------------
* ASTERISK-26230 - [patch] res_pjsip_mwi: unsolicited mwi could block PJSIP taskprocessor on startup (Reported by Alexei Gradinari)
* ASTERISK-27043 - Core/BuildSystem: Add defines to fix build with LibreSSL (Reported by Guido Falsi)
* ASTERISK-27042 - Unpatched asterisk sources fail to build on FreeBSD due to missing crypt.h file (Reported by Guido Falsi)
* ASTERISK-26419 - audiohooks: Remove redundant codec translations when using audiohooks (Reported by Michael Walton)
* ASTERISK-26976 - libsrtp-2.x.x support (Reported by Alex)
* ASTERISK-26124 - res_agi: Set audio format for EAGI audio stream (Reported by John Fawcett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-14.6.0

Thank you for your continued support of Asterisk!

patch-addons_chan__ooh323.c
patch-apps_app__dumpchan.c
patch-apps_app__followme.c
patch-apps_app__queue.c
patch-apps_app__sms.c
patch-apps_app__voicemail.c
patch-build__tools_mkpkgconfig
patch-cdr_cdr__pgsql.c
patch-cel_cel__pgsql.c
patch-channels_chan__oss.c
patch-channels_chan__sip.c
patch-configure
patch-configure.ac
patch-contrib_scripts_vmail.cgi
patch-funcs_func__env.c
patch-include_asterisk_autoconfig.h.in
patch-include_asterisk_endian.h
patch-include_asterisk_lock.h
patch-include_asterisk_sha1.h
patch-include_asterisk_strings.h
patch-main_acl.c
patch-main_asterisk.c
patch-main_astmm.c
patch-main_cdr.c
patch-main_cel.c
patch-main_http.c
patch-main_logger.c
patch-main_Makefile
patch-main_manager.c
patch-main_netsock.c
patch-main_pbx.c
patch-main_pbx__builtins.c
patch-main_sched.c
patch-main_stdtime_localtime.c
patch-main_test.c
patch-main_utils.c
patch-Makefile
patch-pbx_pbx__dundi.c
patch-res_res__calendar.c
patch-res_res__calendar__caldav.c
patch-res_res__calendar__icalendar.c
patch-sounds_Makefile
patch-tests_test__locale.c
patch-tests_test__voicemail__api.c
patch-utils_db1-ast_include_db.h
patch-utils_extconf.c
patch-utils_Makefile
patch-utils_smsq.c
patch-utils_streamplayer.c