CVS commit: pkgsrc/comms/asterisk18

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/comms/asterisk18
From: "John Nemeth" <jnemeth%netbsd.org@localhost>
Date: Tue, 5 Jul 2011 08:42:57 +0000

Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Tue Jul  5 08:42:57 UTC 2011

Modified Files:
        pkgsrc/comms/asterisk18: Makefile PLIST distinfo

Log Message:
Update to Asterisk 1.8.4.4 (fixes AST-2011-011):

               Asterisk Project Security Advisory - AST-2011-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Possible enumeration of SIP users due to          |
   |                    | differing authentication responses                |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized data disclosure                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2011-2536                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk may respond differently to SIP requests from an |
   |             | invalid SIP user than it does to a user configured on    |
   |             | the system, even when the alwaysauthreject option is set |
   |             | in the configuration. This can leak information about    |
   |             | what SIP users are valid on the Asterisk system.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Respond to SIP requests from invalid and valid SIP users  |
   |            | in the same way. Asterisk 1.4 and 1.6.2 do not respond    |
   |            | identically by default due to backward-compatibility      |
   |            | reasons, and must have alwaysauthreject=yes set in        |
   |            | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.  |
   |            |                                                           |
   |            | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4    |
   |            | and 1.6.2 set alwaysauthreject=yes in the general section |
   |            | of sip.conf.                                              |
   +------------------------------------------------------------------------+


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/comms/asterisk18/Makefile
cvs rdiff -u -r1.4 -r1.5 pkgsrc/comms/asterisk18/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/comms/asterisk18/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/comms/asterisk16
Next by Date: CVS commit: pkgsrc/net/rabbitmq
Previous by Thread: CVS commit: pkgsrc/comms/asterisk16
Next by Thread: CVS commit: pkgsrc/net/rabbitmq
Indexes:

Home | Main Index | Thread Index | Old Index