pkgsrc-Changes archive


CVS commit: pkgsrc/comms/asterisk



Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Fri Dec 18 14:39:26 UTC 2009

Modified Files:
        pkgsrc/comms/asterisk: Makefile distinfo

Log Message:
     Update to 1.2.37.  This update is to fix two security issues.
1.2.36 fixed AST-2009-008, and 1.2.37 fixed AST-2009-010.  The
problem in AST-2009-008 is:

-----

It is possible to determine if a peer with a specific name is
configured in Asterisk by sending a specially crafted REGISTER
message twice. The username that is to be checked is put in the
user portion of the URI in the To header. A bogus non-matching
value is put into the username portion of the Digest in the
Authorization header. If the peer does exist the second REGISTER
will receive a response of "403 Authentication user name does not
match account name". If the peer does not exist the response will
be "404 Not Found" if alwaysauthreject is disabled and "401
Unauthorized" if alwaysauthreject is enabled.

-----

And, the problem in AST-2009-010 is:

-----

An attacker sending a valid RTP comfort noise payload containing
a data length of 24 bytes or greater can remotely crash Asterisk.

-----


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 pkgsrc/comms/asterisk/Makefile
cvs rdiff -u -r1.44 -r1.45 pkgsrc/comms/asterisk/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
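
A detection-side sketch for the AST-2009-008 behaviour quoted above, as an added example that is not part of the commit or of Asterisk: it flags sources whose REGISTER requests carry a To-URI user that differs from the Digest username, across several peer names. The function names, the `min_names` threshold, and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# User part of the To URI ("t" is the SIP compact form of "To").
TO_USER = re.compile(r'^(?:To|t)\s*:.*?sips?:([^@;>\s]+)@', re.I | re.M)
# username parameter of the Digest credentials in the Authorization header.
DIGEST_USER = re.compile(
    r'^Authorization\s*:\s*Digest\b.*?\busername="([^"]*)"', re.I | re.M)

def mismatch(raw):
    """Return (to_user, digest_user) if a REGISTER carries both and they differ."""
    if not raw.startswith("REGISTER "):
        return None
    to, dg = TO_USER.search(raw), DIGEST_USER.search(raw)
    if not to or not dg or to.group(1) == dg.group(1):
        return None
    return to.group(1), dg.group(1)

def suspicious_sources(messages, min_names=2):
    """Map source IP -> set of peer names probed with a non-matching Digest username.

    min_names is an assumed threshold: one mismatch can be a misconfigured
    phone, several distinct To users from one source looks like a sweep.
    """
    probed = defaultdict(set)
    for src, raw in messages:
        hit = mismatch(raw)
        if hit:
            probed[src].add(hit[0])
    return {src: names for src, names in probed.items() if len(names) >= min_names}

def _register(to_user, digest_user=None):
    """Build a constructed, minimal REGISTER for the sample data below."""
    lines = ["REGISTER sip:pbx.example SIP/2.0",
             f"To: <sip:{to_user}@pbx.example>"]
    if digest_user is not None:
        lines.append(f'Authorization: Digest username="{digest_user}", '
                     'realm="asterisk", nonce="0", uri="sip:pbx.example", response="0"')
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample traffic (documentation addresses), not captured data.
SAMPLES = [
    ("203.0.113.5", _register("alice")),            # first REGISTER, no credentials
    ("203.0.113.5", _register("alice", "nosuch")),  # To user != Digest username
    ("203.0.113.5", _register("bob", "nosuch")),
    ("198.51.100.7", _register("carol", "carol")),  # ordinary registration
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLES))
```

Because the check looks at the request side, it works the same whether `alwaysauthreject` is enabled or not.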


