Author: kharwell Revision: 428331 Modified property: svn:log Modified: svn:log at Thu Nov 20 09:39:15 2014 ------------------------------------------------------------------------------ --- svn:log (original) +++ svn:log Thu Nov 20 09:39:15 2014 @@ -1,16 +1,11 @@ -AST-2014-017 - app_confbridge: permission escalation/ class authorization. +AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI. -Confbridge dialplan function permission escalation via AMI and inappropriate -class authorization on the ConfbridgeStartRecord action. The CONFBRIDGE dialplan -function when executed from an external protocol (for instance AMI), could -result in a privilege escalation. Also, the AMI action “ConfbridgeStartRecord” -could also be used to execute arbitrary system commands without first checking -for system access. +The DB dialplan function when executed from an external protocol (for instance +AMI), could result in a privilege escalation. -Asterisk now inhibits the CONFBRIDGE function from being executed from an -external interface if the live_dangerously option is set to no. Also, the -“ConfbridgeStartRecord” AMI action is now only allowed to execute under a -user with system level access. +Asterisk now inhibits the DB function from being executed from an external +interface if the live_dangerously option is set to no. -ASTERISK-24490 +ASTERISK-24534 Reported by: Gareth Palmer +patches: submitted by Gareth Palmer (license 5169)
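Review bot: the added "+patches: submitted by Gareth Palmer (license 5169)" line at the end of the hunk credits the submitter but names no patch file, so the log entry cannot be matched to a specific attachment on ASTERISK-24534; suggest listing the file name on that line. The new description also says only that the DB function "could result in a privilege escalation" when run from AMI, without saying what access the caller gains; one more sentence stating that would let an administrator reading the log judge the exposure when live_dangerously is not set to no.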
-- svn-commits mailing list http://lists.digium.com/mailman/listinfo/svn-commits
