CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2011/06/03 10:10:21
Modified files:
telephony/asterisk: Tag: OPENBSD_4_9 Makefile distinfo
telephony/asterisk/files: Tag: OPENBSD_4_9 sip.conf.sample
telephony/asterisk/patches: Tag: OPENBSD_4_9
patch-configs_asterisk_conf_sample
patch-configure_ac
patch-sounds_Makefile
telephony/asterisk/pkg: Tag: OPENBSD_4_9 PLIST-main
Added files:
telephony/asterisk/files: Tag: OPENBSD_4_9 cdr.conf.sample
telephony/asterisk/pkg: Tag: OPENBSD_4_9 README-main
Removed files:
telephony/asterisk/patches: Tag: OPENBSD_4_9
patch-main_strcompat_c
telephony/asterisk/pkg: Tag: OPENBSD_4_9 MESSAGE-main
Log message:
Merge Asterisk from current to -stable (mostly; we still have to
use autoconf 2.64 as 2.65 needs newer m4 than 4.9-release has).
Too many important fixes to cherry-pick them, including the security
fixes below, plus some others which aren't directly security-related.
AST-2011-007 (CVE-2011-2216): Null pointer deref in SIP if
malformed Contact headers are present. Remote crash can be triggered
by anyone who can send you a SIP call.
AST-2011-006: shell access via remote authenticated manager
sessions (logged-in manager users can execute shell commands via
the manager interface without having the "system" privilege that
should be required).
AST-2011-005: DoS with remote unauthenticated sessions (add limits
to prevent unauthenticated users from tying up all available FDs for
the manager interface, SIP-over-TCP, Skinny and the built-in HTTP
server).
AST-2011-003 and AST-2011-004: unchecked return codes (fdopen, fwrite)
causing null pointer deref / resource exhaustion.
AST-2011-002: buffer overflow.