CVS commit: pkgsrc/comms/asterisk

["John Nemeth" <jnemeth%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Sun Dec 11 00:50:15 UTC 2016

Modified Files:
        pkgsrc/comms/asterisk: Makefile distinfo

Log Message:
Update to Asterisk 11.25.1:  this fixes AST-2016-009.

             Asterisk Project Security Advisory - ASTERISK-2016-009

         Product        Asterisk
         Summary
    Nature of Advisory  Authentication Bypass
      Susceptibility    Remote unauthenticated sessions
         Severity       Minor
      Exploits Known    No
       Reported On      October 3, 2016
       Reported By      Walter Doekes
        Posted On
     Last Updated On    December 8, 2016
     Advisory Contact   Mmichelson AT digium DOT com
         CVE Name

    Description  The chan_sip channel driver has a liberal definition for
                 whitespace when attempting to strip the content between a
                 SIP header name and a colon character. Rather than
                 following RFC 3261 and stripping only spaces and horizontal
                 tabs, Asterisk treats any non-printable ASCII character as
                 if it were whitespace. This means that headers such as

                 Contact\x01:

                 will be seen as a valid Contact header.

                 This mostly does not pose a problem until Asterisk is
                 placed in tandem with an authenticating SIP proxy. In such
                 a case, a crafty combination of valid and invalid To
                 headers can cause a proxy to allow an INVITE request into
                 Asterisk without authentication since it believes the
                 request is an in-dialog request. However, because of the
                 bug described above, the request will look like an
                 out-of-dialog request to Asterisk. Asterisk will then
                 process the request as a new call. The result is that
                 Asterisk can process calls from unvetted sources without
                 any authentication.

                 If you do not use a proxy for authentication, then this
                 issue does not affect you.

                 If your proxy is dialog-aware (meaning that the proxy keeps
                 track of what dialogs are currently valid), then this issue
                 does not affect you.

                 If you use chan_pjsip instead of chan_sip, then this issue
l
                 does not affect you.

    Resolution  chan_sip has been patched to only treat spaces and
                horizontal tabs as whitespace following a header name. This
                allows for Asterisk and authenticating proxies to view
                requests the same way

                               Affected Versions
                         Product                       Release
                                                       Series
                  Asterisk Open Source                  11.x    All Releases
                  Asterisk Open Source                  13.x    All Releases
                  Asterisk Open Source                  14.x    All Releases
                   Certified Asterisk                   13.8    All Releases

                                  Corrected In
          Product                              Release
    Asterisk Open Source               11.25.1, 13.13.1, 14.2.1
     Certified Asterisk                11.6-cert16, 13.8-cert4

                                    Patches
                 SVN URL                              Revision

           Links

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/ASTERISK-2016-009.pdf and
    http://downloads.digium.com/pub/security/ASTERISK-2016-009.html

                                Revision History
                     Date                        Editor      Revisions Made
    November 28, 2016                        Mark Michelson  Initial writeup

             Asterisk Project Security Advisory - ASTERISK-2016-009
              Copyright (c) 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


To generate a diff of this commit:
cvs rdiff -u -r1.147 -r1.148 pkgsrc/comms/asterisk/Makefile
cvs rdiff -u -r1.83 -r1.84 pkgsrc/comms/asterisk/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/comms/asterisk/Makefile
diff -u pkgsrc/comms/asterisk/Makefile:1.147 pkgsrc/comms/asterisk/Makefile:1.148
--- pkgsrc/comms/asterisk/Makefile:1.147        Sun Dec  4 05:17:19 2016
+++ pkgsrc/comms/asterisk/Makefile      Sun Dec 11 00:50:15 2016
@@ -1,11 +1,10 @@
-# $NetBSD: Makefile,v 1.147 2016/12/04 05:17:19 ryoon Exp $
+# $NetBSD: Makefile,v 1.148 2016/12/11 00:50:15 jnemeth Exp $
 #
 # NOTE: when updating this package, there are two places that sound
 #       tarballs need to be checked; look win ${WRKSRC}/sounds/Makefile
 #       to find out the current sound file versions
 
-DISTNAME=      asterisk-11.25.0
-PKGREVISION=   1
+DISTNAME=      asterisk-11.25.1
 CATEGORIES=    comms net audio
 MASTER_SITES=  http://downloads.asterisk.org/pub/telephony/asterisk/ \
                http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ \

Index: pkgsrc/comms/asterisk/distinfo
diff -u pkgsrc/comms/asterisk/distinfo:1.83 pkgsrc/comms/asterisk/distinfo:1.84
--- pkgsrc/comms/asterisk/distinfo:1.83 Sun Nov 27 04:42:26 2016
+++ pkgsrc/comms/asterisk/distinfo      Sun Dec 11 00:50:15 2016
@@ -1,13 +1,13 @@
-$NetBSD: distinfo,v 1.83 2016/11/27 04:42:26 jnemeth Exp $
+$NetBSD: distinfo,v 1.84 2016/12/11 00:50:15 jnemeth Exp $
 
-SHA1 (asterisk-11.25.0/asterisk-11.25.0.tar.gz) = 9e9e79c7e03d4e6262d66f157e9d5c1181275a7c
-RMD160 (asterisk-11.25.0/asterisk-11.25.0.tar.gz) = b54d32c5cb3a0e040411a8de2d55007e48cbd853
-SHA512 (asterisk-11.25.0/asterisk-11.25.0.tar.gz) = a545352180612b9008ab92c7c24e416835cbf12ba3fd93c8a6ceee9b7a930b197b5ee3eb0de949605a800f0f57257393bee7deab2a1d933beed3d81ce28ec0c2
-Size (asterisk-11.25.0/asterisk-11.25.0.tar.gz) = 35125167 bytes
-SHA1 (asterisk-11.25.0/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = 831ae6442e23cbef1e7d1c84798778ad0b0524d1
-RMD160 (asterisk-11.25.0/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = d52df795201c53fc4cd7d99ed41516e312f6f0f3
-SHA512 (asterisk-11.25.0/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = c7d3c3fd2c854e6776801312d34bf69bbed78a443c16121637f508c5275f18b1d415cbb6e4f6f8c5aa3769cbbfa1a11485b9972053777f3ac39256c2c81729f1
-Size (asterisk-11.25.0/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = 4256538 bytes
+SHA1 (asterisk-11.25.1/asterisk-11.25.1.tar.gz) = 7bd4603284639d71da9097d93920b28a705dc012
+RMD160 (asterisk-11.25.1/asterisk-11.25.1.tar.gz) = 8f29571cccd93a20ad6faf67dec2efc0734f781f
+SHA512 (asterisk-11.25.1/asterisk-11.25.1.tar.gz) = 37144b7296f929bdb707853690a12d4c1403741221c943becc88c18fe20587ba2381425574e97647c10efa9f98200336ddae7e3433740e5a509a837ed28ca02c
+Size (asterisk-11.25.1/asterisk-11.25.1.tar.gz) = 35125897 bytes
+SHA1 (asterisk-11.25.1/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = 831ae6442e23cbef1e7d1c84798778ad0b0524d1
+RMD160 (asterisk-11.25.1/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = d52df795201c53fc4cd7d99ed41516e312f6f0f3
+SHA512 (asterisk-11.25.1/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = c7d3c3fd2c854e6776801312d34bf69bbed78a443c16121637f508c5275f18b1d415cbb6e4f6f8c5aa3769cbbfa1a11485b9972053777f3ac39256c2c81729f1
+Size (asterisk-11.25.1/asterisk-extra-sounds-en-gsm-1.5.tar.gz) = 4256538 bytes
 SHA1 (patch-Makefile) = 5fd774779d3c8d85936beca8a3407dd3011af2dc
 SHA1 (patch-addons_chan__ooh323.c) = 57f61a2edf0f9f022e03837230ee572ec9cf47b4
 SHA1 (patch-apps_app__confbridge.c) = c815905994355a19c32e8e3e2eb5dc9f1679eb29