jcollie pushed to asterisk (el6). "1.8.32.3"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Apr 9 20:13:06 UTC 2015
>From 9d588dae21fafa95c28ead48cf8993ed878e2dff Mon Sep 17 00:00:00 2001
From: "Jeffrey C. Ollie" <jeff at ocjtech.us>
Date: Thu, 9 Apr 2015 15:12:57 -0500
Subject: 1.8.32.3
diff --git a/asterisk.spec b/asterisk.spec
index c29858f..b4674de 100644
--- a/asterisk.spec
+++ b/asterisk.spec
@@ -17,7 +17,7 @@
Summary: The Open Source PBX
Name: asterisk
-Version: 1.8.32.1
+Version: 1.8.32.3
Release: 1%{?_rc:.rc%{_rc}}%{?_beta:.beta%{_beta}}%{?dist}
License: GPLv2
Group: Applications/Internet
@@ -1265,6 +1265,99 @@ fi
%{_libdir}/asterisk/modules/app_voicemail_plain.so
%changelog
+* Thu Apr 9 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.32.3-1:
+- The Asterisk Development Team has announced security releases for Certified
+- Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
+- security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
+- 11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.
+-
+- These releases are available for immediate download at
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases
+-
+- The release of these versions resolves the following security vulnerability:
+-
+- * AST-2015-003: TLS Certificate Common name NULL byte exploit
+-
+- When Asterisk registers to a SIP TLS device and and verifies the server,
+- Asterisk will accept signed certificates that match a common name other than
+- the one Asterisk is expecting if the signed certificate has a common name
+- containing a null byte after the portion of the common name that Asterisk
+- expected. This potentially allows for a man in the middle attack.
+-
+- For more information about the details of this vulnerability, please read
+- security advisory AST-2015-003, which was released at the same time as this
+- announcement.
+-
+- For a full list of changes in the current releases, please see the ChangeLogs:
+-
+- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
+- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.2
+- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.3.2
+-
+- The security advisory is available at:
+-
+- * http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
+
+* Thu Apr 9 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.32.2-1:
+- The Asterisk Development Team has announced security releases for Certified
+- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
+- security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,
+- 11.15.1, 12.8.1, and 13.1.1.
+-
+- These releases are available for immediate download at
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases
+-
+- The release of these versions resolves the following security vulnerabilities:
+-
+- * AST-2015-001: File descriptor leak when incompatible codecs are offered
+-
+- Asterisk may be configured to only allow specific audio or
+- video codecs to be used when communicating with a
+- particular endpoint. When an endpoint sends an SDP offer
+- that only lists codecs not allowed by Asterisk, the offer
+- is rejected. However, in this case, RTP ports that are
+- allocated in the process are not reclaimed.
+-
+- This issue only affects the PJSIP channel driver in
+- Asterisk. Users of the chan_sip channel driver are not
+- affected.
+-
+- * AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
+-
+- CVE-2014-8150 reported an HTTP request injection
+- vulnerability in libcURL. Asterisk uses libcURL in its
+- func_curl.so module (the CURL() dialplan function), as well
+- as its res_config_curl.so (cURL realtime backend) modules.
+-
+- Since Asterisk may be configured to allow for user-supplied
+- URLs to be passed to libcURL, it is possible that an
+- attacker could use Asterisk as an attack vector to inject
+- unauthorized HTTP requests if the version of libcURL
+- installed on the Asterisk server is affected by
+- CVE-2014-8150.
+-
+- For more information about the details of these vulnerabilities, please read
+- security advisory AST-2015-001 and AST-2015-002, which were released at the same
+- time as this announcement.
+-
+- For a full list of changes in the current releases, please see the ChangeLogs:
+-
+- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2
+- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1
+- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1
+-
+- The security advisories are available at:
+-
+- * http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
+- * http://downloads.asterisk.org/pub/security/AST-2015-002.pdf
+
* Fri Nov 21 2014 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.8.32.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
diff --git a/sources b/sources
index 76f1a9d..cec83f6 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-3616c4fe038f242d2f9fce66dc571aa0 asterisk-1.8.32.1.tar.gz
-21c6f5c913c687e5e8e84842010ca19b asterisk-1.8.32.1.tar.gz.asc
+f13f126e7730710223f2fbbc8832966f asterisk-1.8.32.3.tar.gz
+8e5d0fc64edce0f8ed7eb63d1ee0e834 asterisk-1.8.32.3.tar.gz.asc
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/asterisk.git/commit/?h=el6&id=9d588dae21fafa95c28ead48cf8993ed878e2dff
More information about the scm-commits
mailing list