projects / pkgsrcv2.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f8fed89) | patch
Update to Asterisk 1.8.4.4 (fixes AST-2011-011):
authorjnemeth <jnemeth>
Tue, 5 Jul 2011 08:42:56 +0000 (08:42 +0000)
committerjnemeth <jnemeth>
Tue, 5 Jul 2011 08:42:56 +0000 (08:42 +0000)
commit5fc4bd69a1d2a796f0fd3b97a2d0e3c00de3c79f
tree9b8df6835fa0acc86af5744601f34775018dae71tree | snapshot
parentf8fed89c0b17fbd9ab9f76cd8435a94fb368b68ecommit | diff
Update to Asterisk 1.8.4.4 (fixes AST-2011-011):

               Asterisk Project Security Advisory - AST-2011-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Possible enumeration of SIP users due to          |
   |                    | differing authentication responses                |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Unauthorized data disclosure                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2011-2536                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Asterisk may respond differently to SIP requests from an |
   |             | invalid SIP user than it does to a user configured on    |
   |             | the system, even when the alwaysauthreject option is set |
   |             | in the configuration. This can leak information about    |
   |             | what SIP users are valid on the Asterisk system.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Respond to SIP requests from invalid and valid SIP users  |
   |            | in the same way. Asterisk 1.4 and 1.6.2 do not respond    |
   |            | identically by default due to backward-compatibility      |
   |            | reasons, and must have alwaysauthreject=yes set in        |
   |            | sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.  |
   |            |                                                           |
   |            | IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4    |
   |            | and 1.6.2 set alwaysauthreject=yes in the general section |
   |            | of sip.conf.                                              |
   +------------------------------------------------------------------------+
comms/asterisk18/Makefile diff | blob | blame | history
comms/asterisk18/PLIST diff | blob | blame | history
comms/asterisk18/distinfo diff | blob | blame | history
Unofficial gitization of NetBSD-CVS pkgsrc, not synchronized w/NetBSD git.