head 1.19; access; symbols pkgsrc-2023Q4:1.19.0.8 pkgsrc-2023Q4-base:1.19 pkgsrc-2023Q3:1.19.0.6 pkgsrc-2023Q3-base:1.19 pkgsrc-2023Q2:1.19.0.4 pkgsrc-2023Q2-base:1.19 pkgsrc-2023Q1:1.19.0.2 pkgsrc-2023Q1-base:1.19 pkgsrc-2022Q4:1.18.0.18 pkgsrc-2022Q4-base:1.18 pkgsrc-2022Q3:1.18.0.16 pkgsrc-2022Q3-base:1.18 pkgsrc-2022Q2:1.18.0.14 pkgsrc-2022Q2-base:1.18 pkgsrc-2022Q1:1.18.0.12 pkgsrc-2022Q1-base:1.18 pkgsrc-2021Q4:1.18.0.10 pkgsrc-2021Q4-base:1.18 pkgsrc-2021Q3:1.18.0.8 pkgsrc-2021Q3-base:1.18 pkgsrc-2021Q2:1.18.0.6 pkgsrc-2021Q2-base:1.18 pkgsrc-2021Q1:1.18.0.4 pkgsrc-2021Q1-base:1.18 pkgsrc-2020Q4:1.18.0.2 pkgsrc-2020Q4-base:1.18 pkgsrc-2020Q3:1.17.0.4 pkgsrc-2020Q3-base:1.17 pkgsrc-2020Q2:1.17.0.2 pkgsrc-2020Q2-base:1.17 pkgsrc-2020Q1:1.16.0.2 pkgsrc-2020Q1-base:1.16 pkgsrc-2019Q4:1.15.0.6 pkgsrc-2019Q4-base:1.15 pkgsrc-2019Q3:1.15.0.2 pkgsrc-2019Q3-base:1.15 pkgsrc-2013Q2:1.14.0.4 pkgsrc-2013Q2-base:1.14 pkgsrc-2012Q4:1.14.0.2 pkgsrc-2012Q4-base:1.14 pkgsrc-2012Q2:1.13.0.4 pkgsrc-2012Q2-base:1.13 pkgsrc-2012Q1:1.13.0.2 pkgsrc-2012Q1-base:1.13 pkgsrc-2011Q4:1.12.0.2 pkgsrc-2011Q4-base:1.12 pkgsrc-2011Q3:1.9.0.10 pkgsrc-2011Q3-base:1.9 pkgsrc-2011Q2:1.9.0.8 pkgsrc-2011Q2-base:1.9 pkgsrc-2011Q1:1.9.0.6 pkgsrc-2011Q1-base:1.9 pkgsrc-2010Q4:1.9.0.4 pkgsrc-2010Q4-base:1.9 pkgsrc-2010Q3:1.9.0.2 pkgsrc-2010Q3-base:1.9 pkgsrc-2010Q2:1.7.0.2 pkgsrc-2010Q2-base:1.7 pkgsrc-2010Q1:1.4.0.2 pkgsrc-2010Q1-base:1.4 pkgsrc-2009Q4:1.3.0.2 pkgsrc-2009Q4-base:1.3 pkgsrc-2009Q3:1.1.1.1.0.4 pkgsrc-2009Q3-base:1.1.1.1 pkgsrc-2009Q2:1.1.1.1.0.2 pkgsrc-2009Q2-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.19 date 2023.01.03.16.53.17; author ryoon; state Exp; branches; next 1.18; commitid d5difSUJEltNi78E; 1.18 date 2020.12.31.11.07.01; author nia; state Exp; branches; next 1.17; commitid 376xTHI8iaURWSBC; 1.17 date 2020.05.31.14.39.32; author rillig; state Exp; branches; next 1.16; commitid HQsV8MLqy1mp0paC; 1.16 date 2020.01.11.08.36.13; author ryoon; 
state Exp; branches; next 1.15; commitid uJEndhKPn1VNwfSB; 1.15 date 2019.08.20.13.47.42; author ryoon; state Exp; branches; next 1.14; commitid WMmdTIUqUPcFSLzB; 1.14 date 2012.09.14.02.41.05; author jnemeth; state dead; branches; next 1.13; 1.13 date 2012.01.17.02.12.52; author jnemeth; state Exp; branches; next 1.12; 1.12 date 2011.12.12.05.05.34; author jnemeth; state Exp; branches; next 1.11; 1.11 date 2011.10.11.03.15.50; author jnemeth; state Exp; branches; next 1.10; 1.10 date 2011.10.08.13.49.09; author shattered; state Exp; branches; next 1.9; 1.9 date 2010.10.06.22.39.41; author jnemeth; state Exp; branches; next 1.8; 1.8 date 2010.09.23.23.30.38; author jnemeth; state Exp; branches; next 1.7; 1.7 date 2010.05.07.23.57.56; author jnemeth; state Exp; branches; next 1.6; 1.6 date 2010.05.07.03.49.07; author jnemeth; state Exp; branches; next 1.5; 1.5 date 2010.05.06.20.10.17; author jnemeth; state Exp; branches; next 1.4; 1.4 date 2010.03.01.07.06.48; author jnemeth; state Exp; branches; next 1.3; 1.3 date 2010.01.13.20.10.09; author jnemeth; state Exp; branches; next 1.2; 1.2 date 2010.01.02.00.36.54; author jnemeth; state Exp; branches; next 1.1; 1.1 date 2009.06.12.09.04.56; author jnemeth; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2009.06.12.09.04.56; author jnemeth; state Exp; branches; next ; desc @@ 1.19 log @asterisk16: Update to 16.29.1 * Use bash for configure script. It uses bash-specific syntax. * Use menuselect command to adjust options instead of manually crafted makeopts file. Manually crafted file does not work properly for me and 16.29.1 now. * I have no idea about x11 option's status. It seems that gtk2 config UI is not available in this release at least, if I understand correctly. 
Changelog: 16.29.1 Bugs fixed in this release: [ASTERISK-30103] chan_ooh323 vulnerability in calling/called party IE (Reported By: Michael Bradeen) [ASTERISK-30176] GetConfig can read files outside of Asterisk (Reported By: shawty) [ASTERISK-30244] Occasional crash when TCP/TLS connection terminated and subscription persistence is removed (Reported By: nappsoft) [ASTERISK-30338] Backport 2.13 security fixes from pjproject 16.29.0 New Features made in this release: * [ASTERISK-30037] Add test support to calling external processes (Reported by Philip Prindeville) * [ASTERISK-30161] locks: add AMI event for deadlock (Reported by N A) * [ASTERISK-30211] app_confbridge: Add end_marked_any option (Reported by N A) * [ASTERISK-30186] res_pjsip: Add support for reloading TLS certificate and key information (Reported by Joshua C. Colp) * [ASTERISK-29899] features: Add advanced transfer initiation options (Reported by N A) Bugs fixed in this release: * [ASTERISK-30235] res_crypto and tests: Memory issues and uninitialized variable error (Reported by George Joseph) * [ASTERISK-30234] res_geolocation: may be used uninitialized error in geoloc_config.c (Reported by George Joseph) * [ASTERISK-30215] Inbound SIP INVITE with Geo Location causing a Segmentation Fault (Reported by Dan Cropp) * [ASTERISK-30135] [res_musiconhold] Allows the moh only for the answered call (Reported by sungtae kim) * [ASTERISK-26894] pjsip should support tel uri scheme (Reported by Gergely D?ms?di) * [ASTERISK-30210] func_frame_trace: Channel masquerade triggers assertion (Reported by N A) * [ASTERISK-30190] res_geolocation: GEOLOC_PROFILE isn't returning correct values on incoming channel (Reported by George Joseph) * [ASTERISK-29185] chan_pjsip: Endpoint: allow = all is broken. 
(Reported by Alexander Traud) * [ASTERISK-30192] res_tonedetect: fix typo for frametype (Reported by N A) * [ASTERISK-29453] alembic: incoming_call_offer_pref and outgoing_call_offer_pref missing in ps_endpoints table (Reported by Daniel Th men) * [ASTERISK-26826] testsuite: Add support for Python 3 (Reported by Joshua C. Colp) * [ASTERISK-30167] res_geolocation: Refactor for issues found by users (Reported by George Joseph) * [ASTERISK-28422] Memory Leak in Confbridge menu (Reported by Ted G) * [ASTERISK-29917] ami: FilterList action doesn't exist (Reported by N A) * [ASTERISK-30020] ConfbridgeListRooms Event Not Documented (Reported by Michael Cargile) * [ASTERISK-30018] app_meetme: MeetmeList AMI event not documented (Reported by Michael Cargile) * [ASTERISK-30151] Documentation doesn't include info about field , a 3rd required parameter. (Reported by Chris Young) Improvements made in this release: * [ASTERISK-30241] res_pjsip_gelocation: Downgrade some NOTICE scope trace debugs to DEBUG level (Reported by N A) * [ASTERISK-30178] extend user_eq_phone behavior to local uri's (Reported by Michael Bradeen) * [ASTERISK-30046] Reimplement res/res_crypto.c internals with EVP_PKEY interface to Openssl API's (Reported by Philip Prindeville) * [ASTERISK-30045] Add test coverage to res/res_crypto.c functionality (Reported by Philip Prindeville) * [ASTERISK-30185] res_geolocation: Allow location parameters to be specified in profiles (Reported by George Joseph) * [ASTERISK-30177] res_geolocation: Add option to suppress empty elements (Reported by George Joseph) * [ASTERISK-30182] res_geolocation: Add built-in profiles to use in fully dynamic configurations (Reported by George Joseph) * [ASTERISK-29906] update RLS to reflect the changes to the lists (Reported by Alexei Gradinari) * [ASTERISK-30163] general: fix minor formatting issues (Reported by N A) * [ASTERISK-30164] chan_iax2: Add missing option documentation (Reported by N A) * [ASTERISK-30160] cdr.conf: Remove 
obsolete app_mysql reference (Reported by N A) * [ASTERISK-30159] general: Remove obsolete SVN references (Reported by N A) * [ASTERISK-30153] logger: Improve log levels (Reported by N A) 16.28.0 The following issues are resolved in this release: Improvements made in this release: * [ASTERISK-30128] Create PJSIP interface module for Geolocation (Reported by George Joseph) * [ASTERISK-30127] Create core Geolocation capability for Asterisk (Reported by George Joseph) * [ASTERISK-30089] general: fix typos (Reported by N A) * [ASTERISK-30050] Upgrade Asterisk to bundled pjproject 2.12.1 (Reported by Stanislav Abramenkov) Bugs fixed in this release: * [ASTERISK-30167] res_geolocation: Refactor for issues found by users (Reported by George Joseph) * [ASTERISK-29966] pbx_variables: ast_str_strlen can be wrong (Reported by N A) * [ASTERISK-29905] OSX: bininstall launchd issue on cross-platfrom build (Reported by Sergey V. Lobanov) * [ASTERISK-30137] manager: Global disabled event filtered is incomplete (Reported by N A) * [ASTERISK-30109] res_pjsip: no contact-status AMI event on register of prune-on-boot contact that uses the same URI as before Asterisk restart (Reported by Michael Neuhauser) * [ASTERISK-30126] Spelling mistake in configs/samples/queues.conf. sample (Reported by Sam Banks) * [ASTERISK-29991] chan_dahdi, callerid: Caller ID does not honor presentation (Reported by N A) * [ASTERISK-29907] res_pjsip, app_confbridge: Video call through ConfBridge with normal endpoints causes infinite loop/crash (Reported by N A) * [ASTERISK-30029] build: Git security vulnerability fix is sad with our accessing git as root during make install (Reported by Joshua C. 
Colp) * [ASTERISK-30138] Compile failure in res_geolocation/geoloc_ eprofile.c when optimization is enabled (Reported by George Joseph) * [ASTERISK-30096] cel_odbc: Column type 9 (field cdr:cel:eventtime ) is unsupported at this time (Reported by Morvai Szabolcs) * [ASTERISK-30083] chan_iax2: Optional dependency on openssl/ res_crypto is now mandatory (Reported by Dmitry Melekhov) * [ASTERISK-30123] features: Update automixmon documentation to reflect reality (Reported by Trevor Peirce) * [ASTERISK-30117] pbx_lua: Remove compiler warnings (Reported by Boris P. Korzun) * [ASTERISK-30001] db: Removing nonexistent entries shows Database entry removed (Reported by N A) * [ASTERISK-29822] cli: Typing \? freezes the CLI permanently with remote console (Reported by N A) * [ASTERISK-30106] res_calendar_icalendar: Microsoft online ICS calendars no longer work (Reported by N A) * [ASTERISK-30115] app_dial: Allow hook flashes to propogate on outbound dials (Reported by N A) * [ASTERISK-29989] app_dial, chan_dahdi: DIALSTATUS is inconsistent for busy (Reported by N A) * [ASTERISK-30072] res_pjsip: allow TLS verification of wildcard cert-bearing servers (Reported by Kevin Harwell) * [ASTERISK-30075] say: Abort if channel hangs up during playback (Reported by N A) New Features made in this release: * [ASTERISK-30136] db: Add AMI action to retrieve all keys beginning with a prefix (Reported by N A) * [ASTERISK-30000] chan_dahdi: Add POLARITY function (Reported by N A) * [ASTERISK-30062] cli: Add CLI command to execute a dialplan app (Reported by N A) * [ASTERISK-29999] pjsip: Get information from 200 OK INVITE reply headers (Reported by Jos Lopes) * [ASTERISK-30061] pbx: Add pbx helper application (Reported by N A) 16.27.0 Improvements made in this release: * [ASTERISK-30090] xmldocs: Use example tags for examples (Reported by N A) * [ASTERISK-29906] update RLS to reflect the changes to the lists (Reported by Alexei Gradinari) * [ASTERISK-29891] provide a display name for RLS 
subscriptions (Reported by Alexei Gradinari) * [ASTERISK-30086] res_parking: Warn when invalid parking space requested (Reported by N A) * [ASTERISK-30058] Evaluate dialplan functions and variables in agi exec (Reported by Shloime Rosenblum) * [ASTERISK-30027] ari: expose channel driver's unique id (i.e. Call-ID for chan_sip/chan_pjsip) in ARI channel resource (Reported by Moritz Fain) * [ASTERISK-29845] res_pjsip_outbound_registration: Show time remaining until registration lapses (Reported by N A) Bugs fixed in this release: * [ASTERISK-30097] console: Recent documentation changes for connecting to remote console are inconsistent (Reported by Matthias Hensler) * [ASTERISK-30043] Wrong party is disconnected when hook-flashing on 3-way bridge (Reported by Josh Alberts) * [ASTERISK-29603] res_pjsip: UPDATE/re-INVITE not sent when timers =always is specified in pjsip.conf (Reported by Ray Crumrine) * [ASTERISK-30092] DateTime application: wrong inflection for one o'clock in German (Reported by Christof Efkemann) * [ASTERISK-30064] pbx: iax2 switch causes crash due to deadlock and assertion (Reported by N A) * [ASTERISK-29981] res_calendar: Asterisk crashes when starting, and will not run (Reported by N A) * [ASTERISK-30039] cli: Targeted debug on startup deadlocks and creates unstable system (Reported by N A) * [ASTERISK-30051] res_pjsip: No video after un-hold with moh_passthrough=yes (Reported by Maximilian Fridrich) * [ASTERISK-24601] Missing RFC4235 tags and attributes in PJSIP NOTIFY event: dialog XML body (Reported by Marco Paland) * [ASTERISK-30060] loader: format warnings in dev mode (Reported by N A) * [ASTERISK-30059] menuselect: libxml include fails under Gentoo (Reported by waltermoeller) * [ASTERISK-30065] pjsip: Open Websocket connection is not reused for outgoing requests (Reported by LA) * [ASTERISK-30042] res_pjsip_transport_websocket: Registration over websocket returns a rewritten contact (Reported by Thomas Guebels) * [ASTERISK-29993] chan_dahdi: 
Operator control option borks both lines involved on callee disconnect (Reported by N A) * [ASTERISK-30044] GCC 12 issues (Reported by George Joseph) New Features made in this release: * [ASTERISK-30063] app_voicemail: Add option to prevent deletion of messages (Reported by N A) * [ASTERISK-30087] res_parking: Add music on hold override option (Reported by N A) * [ASTERISK-29965] res_pjsip_outbound_registration: Make max registration delay configurable (Reported by N A) * [ASTERISK-30036] app_confbridge: Add CONFBRIDGE_CHANNELS function (Reported by N A) 16.26.1 Bugs fixed in this release: * [ASTERISK-30065] pjsip: Open Websocket connection is not reused for outgoing requests (Reported by LA) 16.26.0 Security bugs fixed in this release: * [ASTERISK-29476] res_stir_shaken: Blind SSRF vulnerabilities (Reported by Clint Ruoho) * [ASTERISK-29838] ${SQL_ESC()} not correctly escaping a terminating \ (Reported by Leandro Dardini) * [ASTERISK-29872] res_stir_shaken: Resource exhaustion with large files (Reported by Benjamin Keith Ford) New Features made in this release: * [ASTERISK-29931] Option to allow a user to not hear the join sound on enter but everyone else can (Reported by Michael Cargile) * [ASTERISK-29968] func_db: Add a function to return cardinality of keys at prefix (Reported by N A) * [ASTERISK-29486] Hint-like extension value lookup function without device state (Reported by N A) * [ASTERISK-29941] chan_pjsip: Add ability to send flash events (Reported by N A) * [ASTERISK-29820] cli: Add command to evaluate a function (Reported by N A) * [ASTERISK-29876] app_queue: Add music on hold option (Reported by N A) Bugs fixed in this release: * [ASTERISK-28518] chan_dahdi: Caller ID FSK Erroneously Sent when Picking Up Dahdi Call On Hold (Reported by Josh Alberts) * [ASTERISK-29990] chan_dahdi: adding ring cadences is not idempotent on dahdi restart (Reported by N A) * [ASTERISK-30007] chan_iax2: Prevent crashes due to attempted encryption with missing secrets 
(Reported by N A) * [ASTERISK-29728] menuselect: Disabled by default modules that are enabled are always recompiled (Reported by N A) * [ASTERISK-30002] app_meetme: Don't erroneously set global variables when channel is NULL (Reported by N A) * [ASTERISK-29994] chan_dahdi: Round robin array size is too small for max number of groups (Reported by N A) * [ASTERISK-22246] Asterisk's T flag is ignored when used with r or R flags. (documentation bug) (Reported by Rusty Newton) * [ASTERISK-26582] Asterisk seems to ignore the n parameter for disable console colorization (Reported by Sebastian Gutierrez) * [ASTERISK-29843] Session timers get removed on UPDATE (Reported by Mark Petersen) * [ASTERISK-29943] file.c: seeking to negative file offset is not prevented (Reported by N A) * [ASTERISK-29955] chan_sip: SIP route header is missing on UPDATE (Reported by Mark Petersen) * [ASTERISK-29842] Do not change 180 Ringing to 183 Progress even if early_media already enabled (Reported by Mark Petersen) * [ASTERISK-29948] iostream: Infinite TCP timeout writing data (Reported by N A) * [ASTERISK-29253] Incorrect bridging on transfer (Reported by Yury Kirsanov) * [ASTERISK-30024] Failed to sign STIR/SHAKEN payload with functionality not enabled (Reported by Claude Diderich) * [ASTERISK-30006] res_pjsip: UDP transport does not work when async_operations is greater than 1 (Reported by Ross Beer) * [ASTERISK-29655] res_pjsip_session: No video to caller if no camera available (Reported by Michael Auracher) * [ASTERISK-29638] res_pjsip_session: No video after early media (Reported by Michael Auracher) * [ASTERISK-30015] pjsip / WebRTC: Chrome creating large number of SDP attributes (Reported by Josh Hogan) * [ASTERISK-30021] ast_variable_list_replace_variable uses variable with new keyword (Reported by Jasper Hafkenscheid) * [ASTERISK-30023] cdr_adaptive_odbc: does not support DATETIME database columns (Reported by Gregory Massel) * [ASTERISK-29411] Crash in pjsip_msg_find_hdr_by_name 
(Reported by LA) * [ASTERISK-29535] Segmentation fault in libasteriskpj.so.2 (Reported by Daniel Bonazzi) * [ASTERISK-26719] pbx: Only up to 127 includes in a dialplan context (AST_PBX_MAX_STACK 1) (Reported by Tzafrir Cohen) * [ASTERISK-29988] REGRESSION: The build process is requiring xmllint or xmlstarlet to be installed when it shouldn't (Reported by George Joseph) * [ASTERISK-29986] build: Asterisk 18.11.0 doesn't compile when wget isn't available (Reported by Stefan Ruijsenaars) * [ASTERISK-29895] chan_iax2: Fix misaligned spacing in iax2 show netstats printout (Reported by N A) * [ASTERISK-29939] agi: Fix xmldoc bug with set music (Reported by N A) * [ASTERISK-28891] documentation: AGICommand_set+music documentation arguments displayed incorrectly (Reported by Jonathan Harris) * [ASTERISK-29048] chan_iax2: iax2 show registry shows host for perceived (Reported by David Herselman) * [ASTERISK-26689] res_pjsip_sdp_rtp: 183 Session in Progress. Disconnecting channel for lack of RTP activity (Reported by Dmitriy Serov) * [ASTERISK-29929] res_pjsip_sdp_rtp: Disconnecting channel for lack of RTP activity in one way sessions (Reported by Boris P. 
Korzun) * [ASTERISK-29674] Adjust for 64bit time_t (Reported by Andre Heider) * [ASTERISK-29961] RLS: domain part of uri list attribute mismatch with SUBSCRIBE request (Reported by Alexei Gradinari) * [ASTERISK-29950] SayNumber can handle 01 to 07 , but not 08 or 09 (Reported by Jim Van Meggelen) * [ASTERISK-29928] logging messages truncated when using MUSL runtime (Reported by Philip Prindeville) * [ASTERISK-29960] ari: Retrieving stored recording can returns wrong file (Reported by Arix) Improvements made in this release: * [ASTERISK-24827] Missing documentation for chan_dahdi dial string ring cadences (Reported by Scott Griepentrog) * [ASTERISK-29940] general: Add since tags to xmldocs (Reported by N A) * [ASTERISK-29951] app_mf, app_sf: Return -1 on hangup (Reported by N A) * [ASTERISK-29954] app_meetme: Emit warning if conference not found (Reported by N A) * [ASTERISK-29351] Qualify pjproject 2.12 for Asterisk (Reported by George Joseph) * [ASTERISK-29877] app_mf: Allow reading a maximum number of digits (Reported by N A) * [ASTERISK-29976] Should Readme include information about install_prereq script? (Reported by Marcel Wagner) * [ASTERISK-29970] Use pkg-config to find libxml2 headers and libraries (Reported by Hugh McMaster) * [ASTERISK-25716] Documentation: Document explanations and examples for possible values of DIALSTATUS (Reported by Rusty Newton) * [ASTERISK-29980] build: External binary modules don t use https (Reported by INVADE International Ltd.) * [ASTERISK-29967] pbx_builtins: Add missing documentation (Reported by N A) 16.25.3 Bugs fixed in this release: * [ASTERISK-30024] Failed to sign STIR/SHAKEN payload with functionality not enabled (Reported by Claude Diderich) 16.25.2 The following security vulnerabilities were resolved in 16.25.2: * AST-2022-001: res_stir_shaken: resource exhaustion with large files When using STIR/SHAKEN, it's possible to download files that are not certificates. 
These files could be much larger than what you would expect to download. * AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header. * AST-2022-003: func_odbc: Possible SQL Injection Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail. 16.25.1 Bugs fixed in this release: * [ASTERISK-29988] REGRESSION: The build process is requiring xmllint or xmlstarlet to be installed when it shouldn't (Reported by George Joseph) * [ASTERISK-29986] build: Asterisk 18.11.0 doesn't compile when wget isn't available (Reported by Stefan Ruijsenaars) 15.25.0 Security bugs fixed in this release: * [ASTERISK-29945] pjproject: Security fixes for things (Reported by Kevin Harwell) New Features made in this release: * [ASTERISK-29853] ami: Allow events to be globally disabled (Reported by N A) * [ASTERISK-29840] func_channel: Add LASTCONTEXT and LASTEXTEN fields (Reported by N A) Bugs fixed in this release: * [ASTERISK-29924] res_config_pgsql: omit unsupported column type text' error (Reported by Boris P. Korzun) * [ASTERISK-29923] docs, LICENSE: pbx.digium.com no longer exists (Reported by N A) * [ASTERISK-29904] RLS: Batched Notifications stop working (Reported by Alexei Gradinari) * [ASTERISK-29365] taskprocessor: Can cause assert at shutdown (Reported by Joshua C. Colp) * [ASTERISK-29873] Queue Realtime load (Reported by Alexei Gradinari) * [ASTERISK-18416] Realtime queue agents unavailable via AMI before a call event. 
(Reported by kwk) * [ASTERISK-27597] AMI Queuestatus not working (with realtime queue) (Reported by cagdas kopuz) * [ASTERISK-29886] Asterisk AMI sends not-valid XML (Reported by Napadailo Yaroslav) Improvements made in this release: * [ASTERISK-29906] update RLS to reflect the changes to the lists (Reported by Alexei Gradinari) * [ASTERISK-29909] app_queue: Add support for withdrawing a call (Reported by Kfir Itzhak) * [ASTERISK-29353] Qualify jansson 2.14 for asterisk (Reported by George Joseph) * [ASTERISK-29897] channels: Increase core debug levels for chatty debugs (Reported by N A) * [ASTERISK-29896] xmldocs: Add since tag (Reported by N A) * [ASTERISK-29861] asterisk.h: add macro for curl user agent (Reported by N A) * [ASTERISK-29920] app_voicemail: Warn if trying to manage nonexistent mailbox (Reported by N A) * [ASTERISK-29925] func_db: Warn about malformed key names (Reported by N A) * [ASTERISK-29809] curl, stir_shaken: refactor curl code (Reported by N A) * [ASTERISK-29891] provide a display name for RLS subscriptions (Reported by Alexei Gradinari) * [ASTERISK-29866] cli: add core dump information to core show settings (Reported by N A) * [ASTERISK-29898] documentation: Add default attributes to documentation (Reported by N A) * [ASTERISK-29900] app_mp3: Document and warn about https incompatibility (Reported by N A) 16.24.1 The following security vulnerabilities were resolved in 16.24.1: * AST-2022-004: pjproject: integer underflow on STUN message The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party. * AST-2022-005: pjproject: undefined behavior after freeing a dialog set When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc.) after a dialog set is prematurely freed. 
* AST-2022-006: pjproject: unconstrained malformed multipart SIP message If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, it's currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution. @ text @# $NetBSD: options.mk,v 1.18 2020/12/31 11:07:01 nia Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.asterisk PKG_SUPPORTED_OPTIONS= x11 unixodbc webvmail ldap spandsp PKG_SUPPORTED_OPTIONS+= jabber speex snmp pgsql asterisk-config PKG_OPTIONS_LEGACY_OPTS+= gtk:x11 PKG_SUGGESTED_OPTIONS= speex asterisk-config spandsp .include "../../mk/bsd.options.mk" PLIST_VARS+= x11 unixodbc webvmail ldap spandsp jabber PLIST_VARS+= speex snmp pgsql # Asterisk now uses DAHDI, not zaptel; not implemented yet... #.if !empty(PKG_OPTIONS:Mzaptel) ## zaptel only supported under NetBSD at the moment #. include "../../comms/zaptel-netbsd/buildlink3.mk" #PLIST.zaptel= yes #.else #MAKE_FLAGS+= WITHOUT_ZAPTEL=1 #.endif # gtkconsole depends on GTK 2.x .if !empty(PKG_OPTIONS:Mx11) . include "../../x11/gtk2/buildlink3.mk" . include "../../devel/SDL/buildlink3.mk" CONFIGURE_ARGS+= --with-sdl CONFIGURE_ARGS+= --with-gtk2 PLIST.x11= yes .else CONFIGURE_ARGS+= --without-sdl CONFIGURE_ARGS+= --without-gtk2 .endif .if !empty(PKG_OPTIONS:Munixodbc) . include "../../databases/unixodbc/buildlink3.mk" . include "../../devel/libltdl/buildlink3.mk" CONFIGURE_ARGS+= --with-unixodbc PLIST.unixodbc= yes .else CONFIGURE_ARGS+= --without-unixodbc .endif .if !empty(PKG_OPTIONS:Mspandsp) . include "../../comms/spandsp/buildlink3.mk" CONFIGURE_ARGS+= --with-spandsp PLIST.spandsp= yes .else CONFIGURE_ARGS+= --without-spandsp .endif .if !empty(PKG_OPTIONS:Mjabber) . 
include "../../textproc/iksemel/buildlink3.mk" CONFIGURE_ARGS+= --with-iksemel=${PREFIX} PLIST.jabber= yes .else CONFIGURE_ARGS+= --without-iksemel .endif post-configure: cd ${WRKSRC} && \ env ${MAKE_ENV} && \ ${MAKE_PROGRAM} menuselect.makeopts .if !empty(PKG_OPTIONS:Mx11) # I have no idea about x11 option's fate. #${ECHO} "MENUSELECT_PBX=-pbx_gtkconsole" >> ${WRKSRC}/pkgsrc.makeopts .endif .if !empty(PKG_OPTIONS:Munixodbc) cd ${WRKSRC} && \ ./menuselect/menuselect --enable ODBC_STORAGE menuselect.makeopts .endif .if defined(PLIST.mgcp) cd ${WRKSRC} && \ ./menuselect/menuselect --enable res_pktccops menuselect.makeopts cd ${WRKSRC} && \ ./menuselect/menuselect --enable chan_mgcp menuselect.makeopts .else cd ${WRKSRC} && \ ./menuselect/menuselect --disable res_pktccops menuselect.makeopts cd ${WRKSRC} && \ ./menuselect/menuselect --disable chan_mgcp menuselect.makeopts .endif cd ${WRKSRC} && \ ./menuselect/menuselect --enable agi-test.agi menuselect.makeopts cd ${WRKSRC} && \ ./menuselect/menuselect --enable eagi-test menuselect.makeopts cd ${WRKSRC} && \ ./menuselect/menuselect --enable eagi-sphinx-test menuselect.makeopts cd ${WRKSRC} && \ ./menuselect/menuselect --enable jukebox.agi menuselect.makeopts .if !empty(PKG_OPTIONS:Mwebvmail) DEPENDS+= p5-DBI-[0-9]*:../../databases/p5-DBI SUBST_CLASSES+= webvmail SUBST_STAGE.webvmail= post-patch SUBST_FILES.webvmail= contrib/scripts/vmail.cgi SUBST_VARS.webvmail= ASTETCDIR SUBST_VARS.webvmail+= ASTSPOOLDIR INSTALLATION_DIRS+= ${PREFIX}/libexec/cgi-bin ${PREFIX}/share/httpd/htdocs SPECIAL_PERMS+= ${PREFIX}/libexec/cgi-bin/vmail ${ASTERISK_USER} ${ASTERISK_GROUP} 04555 INSTALL_TARGET+= webvmail PLIST.webvmail= yes .endif .if !empty(PKG_OPTIONS:Mldap) .include "../../databases/openldap-client/buildlink3.mk" PLIST.ldap= yes .else CONFIGURE_ARGS+= --without-ldap .endif .if !empty(PKG_OPTIONS:Mspeex) .include "../../audio/speex/buildlink3.mk" .include "../../audio/speexdsp/buildlink3.mk" CONFIGURE_ARGS+= --with-speex 
CONFIGURE_ARGS+= --with-speexdsp PLIST.speex= yes .else CONFIGURE_ARGS+= --without-speex CONFIGURE_ARGS+= --without-speexdsp .endif .if !empty(PKG_OPTIONS:Msnmp) .include "../../net/net-snmp/buildlink3.mk" CONFIGURE_ARGS+= --with-netsnmp PLIST.snmp= yes .else CONFIGURE_ARGS+= --without-netsnmp .endif .if !empty(PKG_OPTIONS:Mpgsql) .include "../../mk/pgsql.buildlink3.mk" CONFIGURE_ARGS+= --with-postgres PLIST.pgsql= yes .else CONFIGURE_ARGS+= --without-postgres .endif @ 1.18 log @asterisk16: Avoid using -march=native, it breaks binary packages. Also avoid passing crazy optimization and debug flags in general, just honor the user's CFLAGS. @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.17 2020/05/31 14:39:32 rillig Exp $ a59 1 MAKE_FLAGS+= GLOBAL_MAKEOPTS=${WRKSRC}/pkgsrc.makeopts d61 3 d65 2 a66 1 ${ECHO} "MENUSELECT_PBX=-pbx_gtkconsole" >> ${WRKSRC}/pkgsrc.makeopts d69 2 a70 1 ${ECHO} "MENUSELECT_OPTS_app_voicemail=ODBC_STORAGE" >> ${WRKSRC}/pkgsrc.makeopts d73 18 a90 7 ${ECHO} "MENUSELECT_RES=-res_pktccops" >> ${WRKSRC}/pkgsrc.makeopts ${ECHO} "MENUSELECT_CHANNELS=-chan_mgcp" >> ${WRKSRC}/pkgsrc.makeopts .endif ${ECHO} "MENUSELECT_AGIS=agi-test.agi eagi-test eagi-sphinx-test jukebox.agi" >> ${WRKSRC}/pkgsrc.makeopts ${ECHO} "MENUSELECT_CFLAGS=-BUILD_NATIVE" >> ${WRKSRC}/pkgsrc.makeopts # this is a hack to work around a bug in menuselect cd ${WRKSRC} && make ${MAKE_FLAGS} menuselect.makeopts @ 1.17 log @comms/asterisk16: remove unknow configure option @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.16 2020/01/11 08:36:13 ryoon Exp $ d73 1 @ 1.16 log @asterisk16: Update to 16.7.0 Changelog: 16.7.0 Security bugs fixed in this release: ----------------------------------- [ASTERISK-28589] - chan_sip: Depending on configuration an INVITE can alter Addr of a peer (Reported by Andrey V. T.) 
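Review bot: in the 1.18 delta above (the `a90 7` block), revision 1.18 wrote `MENUSELECT_CFLAGS=-BUILD_NATIVE` into pkgsrc.makeopts, but the 1.19 text that replaces those `${ECHO}` lines with menuselect calls has no matching step for BUILD_NATIVE, so the -march=native protection described in the 1.18 log is no longer set in this file. Suggest adding `./menuselect/menuselect --disable BUILD_NATIVE menuselect.makeopts` to post-configure in 1.19, or recording in the log where that setting is handled instead.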
[ASTERISK-28580] - Bypass SYSTEM write permission in manager action allows system commands execution (Reported by Eliel Sardañons) Improvements made in this release: ----------------------------------- [ASTERISK-28602] - res_pjsip_outbound_registration: Maximum retries reached (Reported by Daniel) [ASTERISK-28586] - Typo in README-SERIOUSLY.bestpractices.md (Reported by Sam Banks) [ASTERISK-22192] - [patch] Allow voicemail forwards with ODBC backend when format differs from attachfmt column (Reported by cmaj) [ASTERISK-28567] - Problem with ASTERISK-20207: Asterisk should clear out any .lock files in the voice mail directory on startup. (Reported by Michael) [ASTERISK-28542] - [patch] add the ability for asterisk to generate on-hold re-invites (Reported by Torrey Searle) [ASTERISK-28512] - Add pass-through support for H.265 (HEVC) codec (Reported by Florian Floimair) Bugs fixed in this release: ----------------------------------- [ASTERISK-28609] - Memory Leak in res_rtp_asterisk.c (Reported by Ted G) [ASTERISK-28604] - app_meetme, chan_ooh323 and cdr_mysql don't build on 17.0.0 (Reported by George Joseph) [ASTERISK-28659] - res_pjsip_sdp_rtp: Bundle includes non-existent media stream if codecs create additional streams and offer does not have them (Reported by nappsoft) [ASTERISK-28641] - res_pjsip Segfaults when realtime configuration to an AOR points to a not existent AOR (Reported by Ross Beer) [ASTERISK-28644] - Stale comment in app_queue about ring_entry exception (Reported by Walter Doekes) [ASTERISK-28445] - res_pjsip_session: ast_json_vpack: Invalid UTF-8 string on hangup when TEST_FRAMEWORK enabled (Reported by Bernhard Schmidt) [ASTERISK-28637] - chan_sip+native_bridge_rtp: directmedia compatibility check failure when negociated ptime is not default ptime. 
(Reported by Frederic LE FOLL) [ASTERISK-28631] - res_parking: Doesn't park when parkee and parker are the same (Reported by Ross Beer) [ASTERISK-28621] - Enforce T.38 error correction mode at 200 ok received (Reported by Salah Ahmed) [ASTERISK-28624] - res_pjsip_outbound_registration: add SRV failover (Reported by Kevin Harwell) [ASTERISK-28608] - app_amd: Use time calculation to calculate timeout (Reported by Michael Cargile) [ASTERISK-28615] - chan_dahdi: PRI span status may stay "Down, Active" after a short alarm (Reported by Frederic LE FOLL) [ASTERISK-28576] - res_rtp_asterisk: ICE Completion Crash when sent packet length doesn't match (Reported by Joshua Elson) [ASTERISK-26481] - FILE function grabs garbage along with read data when target line has no newline (Reported by Jonathan Harris) [ASTERISK-28618] - bridge_softmix: hold not cleared when joining a softmix bridge (Reported by Kevin Harwell) [ASTERISK-28616] - parking: Deadlock when multi call parking (Reported by Joshua C. Colp) [ASTERISK-28423] - ARI causes STASIS Deadlock (Reported by Ross Beer) [ASTERISK-28572] - Memory leaks in res_calendar_exchange and res_calendar_icalendar (Reported by Yoooooo Ha) [ASTERISK-28585] - ari/resource_events: Crash in event session cleanup (Reported by Kevin Harwell) [ASTERISK-28590] - utils.c throws repeated warnings; "pthread_attr_setstacksize: Invalid argument" (Reported by Speed Dial Dave) [ASTERISK-28578] - race condition on pjsip channelstats command (Reported by Salah Ahmed) [ASTERISK-28571] - cdr_pgsql: accesses obsolete (and finally removed) column (Reported by Christoph Moench-Tegeder) [ASTERISK-28575] - MWI Send Notify Crash on 16.6 (Reported by Joshua Elson) [ASTERISK-28574] - pjproject fails to build on 16.6.0, works on 16.5 (Reported by Niklas Larsson) [ASTERISK-28561] - Asterisk Deadlocks (Reported by Aheliotech) [ASTERISK-28552] - res_pjsip_mwi: Frack during unload on unsolicited_mwi container (Reported by Kevin Harwell) [ASTERISK-28566] - CDR backend 
unload problem during active call(s) (Reported by Marian Piater) [ASTERISK-28553] - stasis.c: Crash during unload (Reported by Kevin Harwell) [ASTERISK-28086] - chan_pjsip: Crash when initiating PlayDTMF over AMI (Reported by Jeremiah Gadd) [ASTERISK-28544] - Wrong contact representation in ipv6 mode (Reported by Jørgen H) [ASTERISK-28534] - Segmentation fault when there is no priority for an extension (Reported by Timothy Vanderaerden) [ASTERISK-28463] - res_pjsip_path: Crash when invalid contact is configured (Reported by Juan Martin) [ASTERISK-28521] - pjsip: Memory Leak (Reported by Mark) [ASTERISK-28523] - Asterisk 16.5.0 Memory leak (Reported by Cyril Ramière) [ASTERISK-28538] - chan_pjsip: Deadlock on fax detection (Reported by Joshua C. Colp) [ASTERISK-28536] - Asterisk release candidates fail to build on FreeBSD (Reported by Guido Falsi) [ASTERISK-23756] - setvar directive when used in template and a child of said template, results in duplicate variable names (Reported by Michael Goryainov) New Features made in this release: ----------------------------------- [ASTERISK-28614] - app_senddtmf: Allow "receiving" DTMF with PlayDTMF instead of only "sending" (Reported by lvl) [ASTERISK-28613] - func_curl: CURLOPT cannot set Content-Type header (Reported by Martin Tomec)
[ASTERISK-28533] - func_jitterbuffer: Add support for video synchronization (Reported by Joshua C. Colp) 16.6.0 Security bugs fixed in this release: ----------------------------------- [ASTERISK-28495] - res_pjsip_t38: 200 OK with SDP answer with declined stream causes crash (Reported by Alexei Gradinari) Bugs fixed in this release: ----------------------------------- [ASTERISK-28521] - pjsip: Memory Leak (Reported by Mark) [ASTERISK-28523] - Asterisk 16.5.0 Memory leak (Reported by Cyril Ramière) [ASTERISK-28538] - chan_pjsip: Deadlock on fax detection (Reported by Joshua C. 
Colp) [ASTERISK-28536] - Asterisk release candidates fail to build on FreeBSD (Reported by Guido Falsi) [ASTERISK-28511] - codec_resample: Bad sound quality when up sampling from SLIN16 to SLIN32 (Reported by Ruddy G) [ASTERISK-28525] - chan_dahdi: set CHANNEL(hangupsource) when a PRI channel hangs up (Reported by Frederic LE FOLL) [ASTERISK-28527] - ChanIsAvail() creates a CDR if unanswered=yes is set in cdr.conf (Reported by Frederic LE FOLL) [ASTERISK-28499] - translate: Crash when frame does not have a "src" field set (Reported by Gregory Massel) [ASTERISK-25592] - chan_unistim: Clang Warning: variable sized type not at end of a struct (Reported by Alexander Traud) [ASTERISK-28488] - pjsip mwi: n+1 sip notify's sent on re-register (Reported by Chris Savinovich) [ASTERISK-28509] - PJSIP cnonce generated on Linux contains 36 characters, NEC only supports up to 32 characters (Reported by Dan Cropp) [ASTERISK-28505] - app_voicemail/IMAP: segfault in leave_voicemail because not checking mailstream (Reported by Alexei Gradinari) [ASTERISK-28487] - compile menuselect on gentoo (Reported by Kilburn) [ASTERISK-28472] - Asterisk occasionally passes a NULL as srtp->session to srtp_protect/unprotect causing SEGV (Reported by Jonas Swiatek) [ASTERISK-28498] - cel / cdr: Event times may be incorrect (Reported by Joshua C. 
Colp) [ASTERISK-28480] - json integer overflow in ssrc and timestamp (Reported by Salah Ahmed) [ASTERISK-28228] - res_pjsip: pjsip show contacts prints double entries (Reported by Ian Jones) [ASTERISK-28483] - packet lost on UDPTL wrap around (Reported by Torrey Searle) [ASTERISK-28477] - Crash when not specifying "dbfile" in res_config_sqlite3.conf (Reported by Dennis) [ASTERISK-28478] - Crash performing "core reload" with modified res_config_sqlite3.conf (Reported by Dennis) [ASTERISK-26968] - chan_pjsip: Transfer() does not result in TRANSFERSTATUS reflecting SIP response to transfer (Reported by Dan Cropp) [ASTERISK-28282] - AST_SCHED_REPLACE_UNREF causes wait-on-self deadlocks (in chan_sip) (Reported by Walter Doekes) New Features made in this release: ----------------------------------- [ASTERISK-17808] - [patch] Unregister a realtime moh class (Reported by Byron Clark) [ASTERISK-28489] - Channel variable SIPFROMDOMAIN for chan_pjsip to setup From header URI domain (Reported by Stas Kobzar) @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.15 2019/08/20 13:47:42 ryoon Exp $ a37 1 CONFIGURE_ARGS+= --with-ltdl a40 1 CONFIGURE_ARGS+= --without-ltdl @ 1.15 log @comms/asterisk16: import asterisk-16.5.0 Asterisk is a complete PBX in software. It provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in three protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware. Asterisk provides Voicemail services with Directory, Call Conferencing, Interactive Voice Response, Call Queuing. It has support for three-way calling, caller ID services, ADSI, SIP and H.323 (as both client and gateway). @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.2 2019/05/23 19:22:56 rillig Exp $ d76 1 a76 1 cd ${WRKSRC} && make menuselect.makeopts @ 1.14 log @Remove Asterisk 1.6. This version series went end-of-line on April 21st, 2012. It most likely has multiple security issues. 
By this point, all users of this package should have migrated to comms/asterisk18 or comms/asterisk10 as this version has been marked as being deprecated for some time now. Note that this directory is likely to re-appear in late 2017 when Asterisk 16 comes out, assuming the current schedule is followed. However that will be a vastly different version as Asterisk 11 is only in the RC stage now (i.e. it will be five major versions after the one that is expected to be released later this year). @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.13 2012/01/17 02:12:52 jnemeth Exp $ d4 2 a5 1 PKG_SUPPORTED_OPTIONS= zaptel x11 unixodbc ilbc webvmail ldap speex d7 1 a7 1 PKG_SUGGESTED_OPTIONS= ldap speex d11 2 a12 1 PLIST_VARS+= zaptel x11 unixodbc ilbc webvmail ldap speex d23 1 a23 1 # gtkconsole depends on GTK 1.x d25 1 a25 1 . include "../../x11/gtk/buildlink3.mk" d28 1 a28 1 CONFIGURE_ARGS+= --with-gtk d32 1 a32 1 CONFIGURE_ARGS+= --without-gtk d43 1 a43 1 CONFIGURE_ARGS+= --without-odbc d46 14 a59 7 .if !empty(PKG_OPTIONS:Milbc) DISTFILES+= rfc3951.txt SITES.rfc3951.txt= http://www.ietf.org/rfc/ DISTFILES+= extract-cfile.txt SITES.extract-cfile.txt= http://www.ilbcfreeware.org/documentation/ USE_TOOLS+= awk tr PLIST.ilbc= yes a61 2 .if !empty(PKG_OPTIONS:Mx11) || !empty(PKG_OPTIONS:Munixodbc) || !empty(PKG_OPTIONS:Milbc) RUN_MENUSELECT= # empty a62 1 .endif d70 3 a72 2 .if !empty(PKG_OPTIONS:Milbc) ${ECHO} "MENUSELECT_CODECS=-codec_ilbc" >> ${WRKSRC}/pkgsrc.makeopts d74 1 a74 1 .if defined(RUN_MENUSELECT) a76 8 .endif post-extract: .if !empty(PKG_OPTIONS:Milbc) cp ${DISTDIR}/${DIST_SUBDIR}/rfc3951.txt ${WRKSRC}/codecs/ilbc cp ${DISTDIR}/${DIST_SUBDIR}/extract-cfile.txt ${WRKSRC}/codecs/ilbc cd ${WRKSRC}/codecs/ilbc && ${TR} -d '\r' < extract-cfile.txt | ${AWK} -f - rfc3951.txt .endif d83 2 a84 2 SUBST_SED.webvmail+= -e 's|@@ASTETCDIR@@|${ASTETCDIR}|' SUBST_SED.webvmail+= -e "s|@@ASTSPOOLDIR@@|${ASTSPOOLDIR}|" d100 1 d108 16 @ 1.13 log @PR/35369 -- David Wetzel -- add 
support for speex codec (enabled by default) @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.12 2011/12/12 05:05:34 jnemeth Exp $ @ 1.12 log @This update fixes AST-2011-013 and AST-2011-014. It also adapts to changes in the iLBC codec files. __________________________________________________________________ Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote unauthenticated sessions Severity Minor Exploits Known Yes Reported On 2011-07-18 Reported By Ben Williams Posted On Last Updated On December 7, 2011 Advisory Contact Terry Wilson CVE Name Description It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia. Resolution Handling NAT for SIP over UDP requires the differing behavior introduced by these options. To lessen the frequency of unintended username disclosure, the default NAT setting was changed to always respond to the port from which we received the request-the most commonly used option. Warnings were added on startup to inform administrators of the risks of having a SIP peer configured with a different setting than that of the general setting. The documentation now strongly suggests that peers are no longer configured for NAT individually, but through the global setting in the "general" context. Affected Versions Product Release Series Asterisk Open Source All All versions Corrected In As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. 
The default NAT setting has been changed to what we believe the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2. Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-013.pdf and http://downloads.digium.com/pub/security/AST-2011-013.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-013 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. __________________________________________________________________ Asterisk Project Security Advisory - AST-2011-014 Product Asterisk Summary Remote crash possibility with SIP and the "automon" feature enabled Nature of Advisory Remote crash vulnerability in a feature that is disabled by default Susceptibility Remote unauthenticated sessions Severity Moderate Exploits Known Yes Reported On November 2, 2011 Reported By Kristijan Vrban Posted On 2011-11-03 Last Updated On December 7, 2011 Advisory Contact Terry Wilson CVE Name Description When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash. Resolution Applying the referenced patches that check that the pointer is not NULL before accessing it will resolve the issue. The "automon" feature can be disabled in features.conf as a workaround. 
Affected Versions Product Release Series Asterisk Open Source 1.6.2.x All versions Asterisk Open Source 1.8.x All versions Corrected In Product Release Asterisk Open Source 1.6.2.21, 1.8.7.2 Patches Download URL Revision http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20 http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1 Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-014.pdf and http://downloads.digium.com/pub/security/AST-2011-014.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-014 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.11 2011/10/11 03:15:50 jnemeth Exp $ d4 1 a4 1 PKG_SUPPORTED_OPTIONS= zaptel x11 unixodbc ilbc webvmail ldap d6 1 a6 1 PKG_SUGGESTED_OPTIONS= ldap d10 1 a10 1 PLIST_VARS+= zaptel x11 unixodbc ilbc webvmail ldap d98 10 @ 1.11 log @Revert previous. This package was marked OWNER= for a reason! @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.9 2010/10/06 22:39:41 jnemeth Exp $ d47 3 a49 3 DISTFILES+= extract-cfile.awk SITES.extract-cfile.awk= http://www.ilbcfreeware.org/documentation/ USE_TOOLS+= awk d75 2 a76 2 cp ${DISTDIR}/${DIST_SUBDIR}/extract-cfile.awk ${WRKSRC}/codecs/ilbc cd ${WRKSRC}/codecs/ilbc && ${AWK} -f extract-cfile.awk < rfc3951.txt @ 1.10 log @Remove zaptel option everywhere (zaptel-netbsd package was removed) @ text @d4 1 a4 1 PKG_SUPPORTED_OPTIONS= x11 unixodbc ilbc webvmail ldap d10 10 a19 1 PLIST_VARS+= x11 unixodbc ilbc webvmail ldap @ 1.9 log @DISTFILES is now initialized in Makefile, don't re-initialize it here. 
@ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.8 2010/09/23 23:30:38 jnemeth Exp $ d4 1 a4 1 PKG_SUPPORTED_OPTIONS= zaptel x11 unixodbc ilbc webvmail ldap d10 1 a10 10 PLIST_VARS+= zaptel x11 unixodbc ilbc webvmail ldap # Asterisk now uses DAHDI, not zaptel; not implemented yet... #.if !empty(PKG_OPTIONS:Mzaptel) ## zaptel only supported under NetBSD at the moment #. include "../../comms/zaptel-netbsd/buildlink3.mk" #PLIST.zaptel= yes #.else #MAKE_FLAGS+= WITHOUT_ZAPTEL=1 #.endif @ 1.8 log @ Update to the 1.6.2 series (specifically 1.6.2.13). This is a feature update, so users that are upgrading should read UPDATE.txt. pkgsrc changes: - update to 1.6.2.13 - bury the asterisk-sounds-extra inside this one to keep it in sync - handle sound tarballs directly (upstream had changed this to do a download during the install phase and dump files in $HOME) - add new documentation files: - asterisk.txt - building_queues.txt - database_transactions.txt - followme.txt ======== 1.6.2.13 ======== This release resolves an issue where the .version and ChangeLog files were not updated for 1.6.2.12. Asterisk 1.6.2.13 has no additional changes from 1.6.2.12 other than the .version, ChangeLog and summary files. For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.13 ======== 1.6.2.12 ======== The release of Asterisk 1.6.2.12 resolves several issues reported by the community and would have not been possible without your participation. Thank you! The following is a sample of the issues resolved in this release: * Fix issue where DNID does not get cleared on a new call when using immediate=yes with ISDN signaling. (Closes issue #17568. Reported by wuwu. Patched by rmudgett) * Several updates to res_config_ldap. (Closes issue #13573. Reported by navkumar. Patched by navkumar, bencer. Tested by suretec) * Prevent loss of Caller ID information set on local channel after masquerade. (Closes issue #17138. 
Reported by kobaz, patched by jpeeler) * Fix SIP peers memory leak. (Closes issue #17774. Reported, patched by kkm) * Add Danish support to say.conf.sample (Closes issue #17836. Reported, patched by RoadKill) * Ensure SSRC is changed when media source is changed to resolve audio delay. (Closes issue #17404. Reported, tested by sdolloff. Patched by jpeeler) * Only do magic pickup when notifycid is enabled. A new way of doing BLF pickup was introduced into 1.6.2. This feature adds a call-id value into the XML of a SIP_NOTIFY message sent to alert a subscriber that a device is ringing. This option should only be enabled when the new 'notifycid' option is set, but this was not the case. Instead the call-id value was included for every RINGING Notify message, which caused a regression for people who used other methods for call pickup. (Closes issue #17633. Reported, patched by urosh. Patched by dvossel. Tested by: dvossel, urosh, okrief, alecdavis) For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.12 ======== 1.6.2.11 ======== The release of Asterisk 1.6.2.11 resolves several issues reported by the community and would have not been possible without your participation. Thank you! The following are a few of the issues resolved by community developers: * Send DialPlanComplete as a response, not as a separate event. Otherwise, it goes to all manager sessions and may exclude the current session, if the Events mask excludes it. (Closes issue #17504. Reported, patched by rrb3942) * Allow the "useragent" value to be restored into memory from the realtime backend. This value is purely informational. It does not alter configuration at all. (Closes issue #16029. Reported, patched by Guggemand) * Fix rt(c)p set debug ip taking wrong argument Also clean up some coding errors. (Closes issue #17469. 
Reported, patched by wdoekes) * Ensure channel placed in meetme in ringing state is properly hung up. An outgoing channel placed in meetme while still ringing which was then hung up would not exit meetme and the channel was not properly destroyed. (Closes issue #15871. Reported, patched by Ivan) * Correct how 100, 200, 300, etc. is said. Also add the crazy British numbers. (Closes issue #16102. Reported, patched by Delvar) * cdr_pgsql does not detect when a table is found. This change adds an ERROR message to let you know when a failure exists to get the columns from the pgsql database, which typically means that the table does not exist. (Closes issue #17478. Reported, patched by kobaz) * Avoid crashing when installing a duplicate translation path with a lower cost. (Closes issue #17092. Reported, patched by moy) * Add missing handling for ringing state for use with queue empty options. (Closes issue #17471. Reported, patched by jazzy) * Fix reporting estimated queue hold time. Just say the number of seconds (after minutes) rather than doing some incorrect calculation with respect to minutes. (Closes issue #17498. Reported, patched by corruptor) For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.11 ======== 1.6.2.10 ======== The release of Asterisk 1.6.2.10 resolves several issues reported by the community and would have not been possible without your participation. Thank you! The following are a few of the issues resolved by community developers: * Allow users to specify a port for DUNDI peers. (Closes issue #17056. Reported, patched by klaus3000) * Decrease the module ref count in sip_hangup when SIP_DEFER_BYE_ON_TRANSFER is set. (Closes issue #16815. Reported, patched by rain) * If there is realtime configuration, it does not get re-read on reload unless the config file also changes. (Closes issue #16982. 
Reported, patched by dmitri) * Send AgentComplete manager event for attended transfers. (Closes issue #16819. Reported, patched by elbriga) * Correct manager variable 'EventList' case. (Closes issue #17520. Reported, patched by kobaz) In addition, changes to res_timing_pthread that should make it more stable have also been implemented. For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.10 ======= 1.6.2.9 ======= The release of Asterisk 1.6.2.9 resolves several issues reported by the community, and would have not been possible without your participation. Thank you! The following are a few of the issues resolved by community developers: * Fix the PickupChan() application (Closes issue #16863. Reported, patched by schern. Patched by cjacobsen. Tested by Graber, cjacobsen, lathama, rickead2000, dvossel) * Improve logging by displaying line number (Closes issue #16303. Reported by dant. Patched by pabelanger. Tested by dant, pabelanger, lmadsen) * Notify CLI when modules are loaded/unloaded (Closes issue #17308. Reported, patched by pabelanger. Tested by russell) * Make the Makefile logic more explicit and move the Snow Leopard logic down to where it's not executed on non-Darwin systems (Closes issue #17028. Reported by pabelanger. Patched by seanbright, tilghman. Tested by pabelanger) * Manager cookies are not compatible with RFC2109. Make that no longer true. (Closes issue #17231. Reported, patched by ecarruda) * With IMAP backend, messages in INBOX were counted twice for MWI (Closes issue #17135. Reported by edhorton. Patched by ebroad, tilghman) * Fix possible segfault when logging (Closes issue #17331. Reported, patched by under. Patched by dvossel) * Fix memory hogging behavior of app_queue (Closes issue #17081. Reported by wliegel. Patched by mmichelson) * Allow type=user SIP endpoints to be loaded properly from realtime (Closes issue #16021. 
Reported, patched by Guggemand) Additionally, the following issue may be of interest: * Fix transcode_via_sln option with SIP calls and improve PLC usage (Review: https://reviewboard.asterisk.org/r/622/) For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.9 ======= 1.6.2.8 ======= The release of Asterisk 1.6.2.8 resolves several issues reported by the community, and would have not been possible without your participation. Thank you! The following are a few of the issues resolved by community developers: * Enable auto complete for CLI command 'logger set level'. (Closes issue #17152. Reported, patched by pabelanger) * Make the mixmonitor thread process audio frames faster. (Closes issue #17078. Reported, tested by geoff2010. Patched by dhubbard) * Add missing 'useragent' field to sip-friends.sql file. (Closes issue #17171. Reported, patched by thehar) * Add example dialplan for dialing ISN numbers (http://www.freenum.org) (Closes issue #17058. Reported, patched by pprindeville) * Fix issue with double "sip:" in header field. (Closes issue #15847. Reported, patched by ebroad) * Add ability to generate ASCII documentation from the TeX files by running 'make asterisk.txt'. (Closes issue #17220. Reported by lmadsen. Tested, patched by pabelanger) * When StopMonitor() is called, ensure that it will not be restarted by a channel event. (Closes issue #16590. Reported, patched by kkm) * Small error in the T.140 RTP port verbose log. (Closes issue #16998. Reported, patched by frawd. Tested by russell) For a full list of changes in the current release, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.8 ======= 1.6.2.7 ======= The release of Asterisk 1.6.2.7 resolves several issues reported by the community, and would have not been possible without your participation. Thank you! 
The following are a few of the issues resolved by community developers: * Fix building CDR and CEL SQLite3 modules. (Closes issue #17017. Reported by alephlg. Patched by seanbright) * Resolve crash in SLAtrunk when the specified trunk doesn't exist. (Reported in #asterisk-dev by philipp64. Patched by seanbright) * Include an extra newline after "Aliased CLI command" to get back the prompt. (Issue #16978. Reported by jw-asterisk. Tested, patched by seanbright) * Prevent segfault if bad magic number is encountered. (Issue #17037. Reported, patched by alecdavis) * Update code to reflect that handle_speechset has 4 arguments. (Closes issue #17093. Reported, patched by gpatri. Tested by pabelanger, mmichelson) * Resolve a deadlock in chan_local. (Closes issue #16840. Reported, patched by bzing2, russell. Tested by bzing2) For a full list of changes in this releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.7 ======= 1.6.2.6 ======= The release of Asterisk 1.6.2.6 resolves several issues reported by the community, and would have not been possible without your participation. Thank you! The following are a few of the issues resolved by community developers: * Make sure to clear red alarm after polarity reversal. (Closes issue #14163. Reported, patched by jedi98. Tested by mattbrown, Chainsaw, mikeeccleston) * Fix problem with duplicate TXREQ packets in chan_iax2 (Closes issue #16904. Reported, patched by rain. Tested by rain, dvossel) * Fix crash in app_voicemail related to message counting. (Closes issue #16921. Reported, tested by whardier. Patched by seanbright) * Overlap receiving: Automatically send CALL PROCEEDING when dialplan starts (Reported, Patched, and Tested by alecdavis) * For T.38 reINVITEs treat a 606 the same as a 488. (Closes issue #16792. Reported, patched by vrban) * Fix ConfBridge crash when no timing module is loaded. (Closes issue #16471. Reported, tested by kjotte. 
Patched, tested by junky) For a full list of changes in this releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.6 ======= 1.6.2.5 ======= The Asterisk Development Team has announced security releases for the following versions of Asterisk: * 1.6.2.5 The releases of Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 resolve an issue with invalid parsing of ACL (Access Control List) rules leading to a possible compromise in security. The issue and resolution are described in the AST-2010-003 security advisory. For more information about the details of this vulnerability, please read the security advisory AST-2010-003, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.5 Security advisory AST-2010-003 is available at: http://downloads.asterisk.org/pub/security/AST-2010-003.pdf ======= 1.6.2.4 ======= The Asterisk Development Team has announced security releases for the following versions of Asterisk: * 1.6.2.4 The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 include documentation describing a possible dialplan string injection with common usage of the ${EXTEN} (and other expansion variables). The issue and resolution are described in the AST-2010-002 security advisory. If you have a channel technology which can accept characters other than numbers and letters (such as SIP) it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212 which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer. Please note that this is not limited to a specific protocol or the Dial() application. The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. 
The ability for a variable to directly replace components of a command is a feature, not a bug - that is the entire point of string expansion. However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan. With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked. This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers. For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4 Security advisory AST-2010-002 is available at: http://downloads.asterisk.org/pub/security/AST-2010-002.pdf The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up. http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt ======= 1.6.2.3 ======= Was never released. ======= 1.6.2.2 ======= The Asterisk Development Team has announced security releases for Asterisk as the following versions: * 1.6.2.2 The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix described in security advisory AST-2010-001. The issue is that an attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. 
The same crash will occur when the FaxMaxDatagram field is omitted from the SDP, as well. For more information about the details of this vulnerability, please read the security advisory AST-2009-009, which was released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.2 Security advisory AST-2010-001 is available at: http://downloads.asterisk.org/pub/security/AST-2010-001.pdf ======= 1.6.2.1 ======= The release of Asterisk 1.6.2.1 resolved several issues reported by the community, and would have not been possible without your participation. Thank you! * CLI 'queue show' formatting fix. (Closes issue #16078. Reported by RoadKill. Tested by dvossel. Patched by ppyy.) * Fix misreverting from 177158. (Closes issue #15725. Reported, Tested by shanermn. Patched by dimas.) * Fixes subscriptions being lost after 'module reload'. (Closes issue #16093. Reported by jlaroff. Patched by dvossel.) * app_queue segfaults if realtime field uniqueid is NULL (Closes issue #16385. Reported, Tested, Patched by haakon.) * Fix to Monitor which previously assumed the file to write to did not contain pathing. (Closes issue #16377, #16376. Reported by bcnit. Patched by dant. A summary of changes in this release can be found in the release summary: http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.2.1-summary.txt For a full list of changes in this releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.1 ======= 1.6.2.0 ======= The release of Asterisk 1.6.2.0 is the first feature release since Asterisk 1.6.1.0, which was released April 27, 2009. Many new features have been included in this release. For a complete list of changes, please see the CHANGES file. 
For those upgrading from a previous release, please see UPGRADE.txt It should be explicitly stated that Asterisk 1.6.2.0 is a major upgrade over any previous release, and special care should be taken when upgrading existing systems. Please see the UPGRADE.txt file for more information, available at: http://svn.asterisk.org/svn/asterisk/tags/1.6.2.0/UPGRADE.txt A detailed overview to the new features available in Asterisk 1.6.2.0 are forthcoming within the next few days. Please watch http://blogs.asterisk.org for further information! Below is a summary of several new features available in this release: * chan_dahdi now supports MFC/R2 signaling when Asterisk is compiled with support for LibOpenR2. http://www.libopenr2.org/ * Added a new 'faxdetect=yes|no' configuration option to sip.conf. When this option is enabled, Asterisk will watch for a CNG tone in the incoming audio for a received call. If it is detected, the channel will jump to the 'fax' extension in the dialplan. * A new application, Originate, has been introduced, that allows asynchronous call origination from the dialplan. * Added ConfBridge dialplan application which does conference bridges without DAHDI. For information on its use, please see the output of "core show application ConfBridge" from the CLI. * extensions.conf now allows you to use keyword "same" to define an extension without actually specifying an extension. It uses exactly the same pattern as previously used on the last "exten" line. For example: exten => 123,1,NoOp(something) same => n,SomethingElse() * Asterisk now provides the ability to define custom CLI aliases. For example, if you would like to define short form aliases for frequently used commands, such as "sh ch" for "core show channels", that is now possible. See the cli_aliases.conf configuration file for more information. * Asterisk now has support for subscribing to the state of remote voice mailboxes via SIP. * Asterisk now includes expanded HD codec support. 
G.722.1 and G.722.1C (Siren7/Siren14) passthrough, recording, and playback is now supported. Transcoding will be made available via add-on modules soon for this version of Asterisk. This is just a subset of the changes available in this release. Please see the CHANGES file for additional information, available at: http://svn.asterisk.org/svn/asterisk/tags/1.6.2.0/CHANGES A summary of changes in this release can be found in the release summary: http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.2.0-summary.txt For a full list of changes in this releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.0 @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.7 2010/05/07 23:57:56 jnemeth Exp $ a44 1 DISTFILES= ${DEFAULT_DISTFILES} @ 1.7 log @Add an "ldap" option which defaults to enabled, since most modern systems come with LDAP support built-in. This has no effect on such systems. However, on older systems, it will pull in openldap-client. But, a builder may still disable the option if they wish. This fixes: PR pkg/41987 - Robert Elz -- comms/asterisk16 PLIST problem @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.6 2010/05/07 03:49:07 jnemeth Exp $ d37 1 a37 1 CONFIGURE_ARGS+= --with-odbc @ 1.6 log @Add a dependency on p5-DBI for the webvmail option. Don't bother with a PKGREVISION bump since this doesn't affect the installed "binaries" and there have already been two bumps today. @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.5 2010/05/06 20:10:17 jnemeth Exp $ d4 1 a4 1 PKG_SUPPORTED_OPTIONS= zaptel x11 unixodbc ilbc webvmail d6 1 d10 1 a10 1 PLIST_VARS+= zaptel x11 unixodbc ilbc webvmail d92 7 @ 1.5 log @Add a webvmail option which installs the vmail.cgi script accessing voicemail using a browser. @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.4 2010/03/01 07:06:48 jnemeth Exp $ d80 1 @ 1.4 log @ Update to Asterisk 1.6.1.17. This fixes AST-2010-001 and AST-2010-003. 
AST-2010-002 was just a warning about dialplan scripting errors that could lead to security issues.

Asterisk 1.6.1.13: general bug fixes
Asterisk 1.6.1.14: fix AST-2010-001
Asterisk 1.6.1.15: not released, skipped for security releases
Asterisk 1.6.1.16: fix AST-2010-002
Asterisk 1.6.1.17: fix AST-2010-003

Note that the only change in Asterisk 1.6.1.16 was the addition of a README file. However, the package doesn't install random docs. That is planned for a future update separate from the upstream updates.

-----

Asterisk 1.6.1.13:

The release of Asterisk 1.6.1.13 resolved several issues reported by the community, and would have not been possible without your participation. Thank you!

* Restarts busydetector (if enabled) when DTMF is received after call is bridged
  (Closes issue #16389. Reported, Tested, Patched by alecdavis.)
* Send parking lot announcement to the channel which parked the call, not the park-ee.
  (Closes issue #16234. Reported, Tested by yeshuawatso. Patched by tilghman.)
* When the field is blank, don't warn about the field being unable to be coerced just skip the column.
  (Closes http://lists.digium.com/pipermail/asterisk-dev/2009-December/041362.html) Reported by Nic Colledge on the -dev list.)
* Don't queue frames to channels that have no means to process them.
  (Closes issue #15609. Reported, Tested by aragon. Patched by tilghman.)
* Fixes holdtime playback issue in app_queue.
  (Closes issue #16168. Reported, Patched by nickilo. Tested by wonderg, nickilo.)

A summary of changes in this release can be found in the release summary:
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.1.13-summary.txt

For a full list of changes in this release, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.13

-----

Asterisk 1.6.1.14:

The releases of Asterisk 1.6.0.22, 1.6.1.14, and 1.6.2.2 include the fix described in security advisory AST-2010-001.
The issue is that an attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash will occur when the FaxMaxDatagram field is omitted from the SDP, as well.

For more information about the details of this vulnerability, please read the security advisory AST-2009-009, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.14

Security advisory AST-2010-001 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-001.pdf

-----

Asterisk 1.6.1.16:

The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4 include documentation describing a possible dialplan string injection with common usage of the ${EXTEN} (and other expansion variables). The issue and resolution are described in the AST-2010-002 security advisory.

If you have a channel technology which can accept characters other than numbers and letters (such as SIP) it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212 which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer.

Please note that this is not limited to a specific protocol or the Dial() application.

The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug - that is the entire point of string expansion.

However, it is often the case due to expediency or design misunderstanding that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan.
With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to enter the system unchecked.

This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers.

For more information about the details of this vulnerability, please read the security advisory AST-2010-002, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16

Security advisory AST-2010-002 is available at:
http://downloads.asterisk.org/pub/security/AST-2010-002.pdf

The README-SERIOUSLY.bestpractices.txt document is available in the top-level directory of your Asterisk sources, or available in all Asterisk branches from 1.2 and up.
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt

-----

Asterisk 1.6.1.17:

The releases of Asterisk 1.6.0.25, 1.6.1.17, and 1.6.2.5 resolve an issue with invalid parsing of ACL (Access Control List) rules leading to a possible compromise in security. The issue and resolution are described in the AST-2010-003 security advisory.

For more information about the details of this vulnerability, please read the security advisory AST-2010-003, which was released at the same time as this announcement.
For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.17 Security advisory AST-2010-003 is available at: http://downloads.asterisk.org/pub/security/AST-2010-003.pdf ----- @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.3 2010/01/13 20:10:09 jnemeth Exp $ d4 1 a4 1 PKG_SUPPORTED_OPTIONS= zaptel x11 unixodbc ilbc d9 1 a9 1 PLIST_VARS+= zaptel x11 unixodbc ilbc d78 12 @ 1.3 log @PR/42612 - Dima Veselov -- build problem when no options specified @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.2 2010/01/02 00:36:54 jnemeth Exp $ d54 1 a54 1 RUN_MENUSELECT= # defined d67 1 a67 1 .ifdef RUN_MENUSELECT @ 1.2 log @ Fix build problem when no options are selected. Thanks to wiz@@ for noticing the problem and seb@@ for help with the Makefile contortions. @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.1.1.1 2009/06/12 09:04:56 jnemeth Exp $ d55 1 @ 1.1 log @Initial revision @ text @d1 1 a1 1 # $NetBSD: options.mk,v 1.3 2008/04/12 22:42:58 jlam Exp $ d53 3 d66 2 a67 1 # this is a hack to work around a bug in menuselect d69 1 @ 1.1.1.1 log @Add Asterisk 1.6.0.10. At the moment, this version doesn't have any hardware support, so it can't replace comms/asterisk. However, apparently there is demand for this version, so wiz@@ suggested it be imported here into comms/asterisk16. The latest version is 1.6.1.1, but I won't have time to update all the patches before the freeze. I'll update to that version sometime after the freeze when I get a chance. @ text @@
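
The dialplan string injection described in the AST-2010-002 text of the 1.4 log, as an added example that is not part of this file and is not Asterisk code: a small Python model of how an unfiltered ${EXTEN} value containing '&' becomes a second Dial() leg, and how an allowlist applied before expansion prevents it. TEMPLATE and every function name here are assumptions made for the illustration; SAMPLE is the value quoted in the log.

```python
"""Model of the dialplan string injection from AST-2010-002.

Illustration only: none of this is Asterisk code; TEMPLATE and all function
names are assumptions made for the example.
"""
import re

DIGITS = "0123456789"
TEMPLATE = "Dial(SIP/${EXTEN})"      # hypothetical dialplan line
SAMPLE = "300&Zap/g1/4165551212"     # the value quoted in the log text


def expand(template, exten):
    """Plain textual substitution, which is what variable expansion does."""
    return template.replace("${EXTEN}", exten)


def dial_legs(app_call):
    """Return the channel legs named in the first Dial() argument.

    '&' separates destinations that are dialled together, so every '&' that
    reaches this point adds one outgoing leg.
    """
    match = re.fullmatch(r"Dial\((.*)\)", app_call)
    if match is None:
        raise ValueError("not a Dial() call: %r" % app_call)
    destinations = match.group(1).split(",", 1)[0]
    return destinations.split("&")


def unexpected_chars(value, allowed=DIGITS):
    """Characters outside the allowlist, sorted; non-empty means reject or log."""
    return sorted(set(value) - set(allowed))


def allowlist(value, allowed=DIGITS):
    """Drop every character that is not explicitly allowed."""
    return "".join(ch for ch in value if ch in allowed)


if __name__ == "__main__":
    for exten in ("300", SAMPLE):
        print(repr(exten), "->", dial_legs(expand(TEMPLATE, exten)),
              "unexpected:", unexpected_chars(exten))
    print("filtered ->", dial_legs(expand(TEMPLATE, allowlist(SAMPLE))))
```

In a real dialplan the same allowlisting is done with the FILTER() function before the value reaches Dial(), which is the approach README-SERIOUSLY.bestpractices.txt describes.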