CVSROOT:	/cvs
Module name:	ports
Changes by:	st...@cvs.openbsd.org	2011/06/03 10:10:21

Modified files:
	telephony/asterisk: Tag: OPENBSD_4_9 Makefile distinfo
	telephony/asterisk/files: Tag: OPENBSD_4_9 sip.conf.sample
	telephony/asterisk/patches: Tag: OPENBSD_4_9 patch-configs_asterisk_conf_sample patch-configure_ac patch-sounds_Makefile
	telephony/asterisk/pkg: Tag: OPENBSD_4_9 PLIST-main
Added files:
	telephony/asterisk/files: Tag: OPENBSD_4_9 cdr.conf.sample
	telephony/asterisk/pkg: Tag: OPENBSD_4_9 README-main
Removed files:
	telephony/asterisk/patches: Tag: OPENBSD_4_9 patch-main_strcompat_c
	telephony/asterisk/pkg: Tag: OPENBSD_4_9 MESSAGE-main

Log message:
Merge Asterisk from current to -stable (mostly; we still have to use autoconf 2.64 as 2.65 needs newer m4 than 4.9-release has).

Too many important fixes to cherry-pick them, including the security fixes below, plus some others which aren't directly security-related.

AST-2011-007 (CVE-2011-2216): Null pointer deref in SIP if malformed Contact headers are present. Remote crash can be triggered by anyone who can send you a SIP call.

AST-2011-006: shell access via remote authenticated manager sessions (logged-in manager users can execute shell commands via the manager interface without having the "system" privilege that should be required).

AST-2011-005: DoS with remote unauthenticated sessions (add limits to prevent unauthenticated users from tying up all available FDs for the manager interface, SIP-over-TCP, Skinny and the built-in HTTP server).

AST-2011-003 and AST-2011-004: unchecked return codes (fdopen, fwrite) causing null pointer deref / resource exhaustion.

AST-2011-002: buffer overflow.