ports/114906: [PATCH] update net/asterisk to 1.4.9
Phillip N.
pneumann at gmail.com
Wed Jul 25 17:50:04 UTC 2007
>Number: 114906
>Category: ports
>Synopsis: [PATCH] update net/asterisk to 1.4.9
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 25 17:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Phillip N.
>Release: FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD 6.2-STABLE #2: Sun May 13 16:51:10 CLT 2007
root at negro.transtel.cl:/usr/obj/usr/src/sys/Negro
>Description:
The motivation of the update is this:
http://ftp.digium.com/pub/asa/ASA-2007-018.pdf
"Exhaustion vulnerability in IAX2 channel driver"
the vulxml contains two thing i cannot figure out.
These are:
- vid (how is the id generated?)
- bid (what is it?)
Thanks!
>How-To-Repeat:
>Fix:
--- iax-vul.patch begins here ---
diff -ruN vuxml.orig/vuln.xml vuxml/vuln.xml
--- vuxml.orig/vuln.xml Tue Jul 24 10:31:49 2007
+++ vuxml/vuln.xml Wed Jul 25 09:47:43 2007
@@ -34,6 +34,41 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="?????">
+ <topic>asterisk -- Resource Exhaustion vulnerability in IAX2 channel driver</topic>
+ <affects>
+ <package>
+ <name>asterisk</name>
+ <range><gt>1.4.5</gt><lt>1.4.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk Project reports:</p>
+ <blockquote cite="http://tomcat.apache.org/security-5.html">
+ <p>The IAX2 channel driver in Asterisk is vulnerable to a
+ Denial of Service attack when configured to allow
+ unauthenticated calls. An attacker can send a flood of NEW
+ packets for valid extensions to the server to initiate
+ calls as the unauthenticated user. This will cause resources
+ on the Asterisk system to get allocated that will never go
+ away. Furthermore, the IAX2 channel driver will be stuck
+ trying to reschedule retransmissions for each of these fake
+ calls forever. This can very quickly bring down a system and
+ the only way to recover is to restart Asterisk.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>ASA-2007-018</cvename>
+ <bid>???</bid>
+ </references>
+ <dates>
+ <discovery>2007-07-19</discovery>
+ <entry>2007-07-23</entry>
+ </dates>
+ </vuln>
+
<vuln vid="ab2575d6-39f0-11dc-b8cc-000fea449b8a">
<topic>tomcat -- XSS vulnerability in sample applications</topic>
<affects>
--- iax-vul.patch ends here ---
--- asterisk-1.4.9.diff begins here ---
diff -ruN asterisk.orig/Makefile asterisk/Makefile
--- asterisk.orig/Makefile Mon Jul 23 05:36:14 2007
+++ asterisk/Makefile Wed Jul 25 12:38:49 2007
@@ -6,7 +6,7 @@
#
PORTNAME= asterisk
-PORTVERSION= 1.4.8
+PORTVERSION= 1.4.9
CATEGORIES= net
MASTER_SITES= http://ftp.digium.com/pub/asterisk/ \
http://ftp.digium.com/pub/asterisk/old-releases/
@@ -145,6 +145,6 @@
.endif
post-patch:
- ${REINPLACE_CMD} -e 's|/var/lib|${PREFIX}/share|g' ${WRKSRC}/configs/musiconhold.conf.sample
+ @${REINPLACE_CMD} -e 's|/var/lib|${PREFIX}/share|g' ${WRKSRC}/configs/musiconhold.conf.sample
.include <bsd.port.post.mk>
diff -ruN asterisk.orig/distinfo asterisk/distinfo
--- asterisk.orig/distinfo Sun Jul 22 06:40:35 2007
+++ asterisk/distinfo Wed Jul 25 12:26:16 2007
@@ -1,3 +1,3 @@
-MD5 (asterisk-1.4.8.tar.gz) = 7263ff56ad93cbb5efb971a536ee6a51
-SHA256 (asterisk-1.4.8.tar.gz) = 3eabdf2c52d366abe7dd1e303b982fa7aad12945b1ac32ee97dc4b652041a43f
-SIZE (asterisk-1.4.8.tar.gz) = 11171190
+MD5 (asterisk-1.4.9.tar.gz) = e47f5b3cb5323318dc8c6fb7311b767e
+SHA256 (asterisk-1.4.9.tar.gz) = c1b41503a0c29fd1f5172c834a60a3c5aacf472fd60a1272f743672af36602a6
+SIZE (asterisk-1.4.9.tar.gz) = 11182148
diff -ruN asterisk.orig/files/patch-channels::chan_skinny.c asterisk/files/patch-channels::chan_skinny.c
--- asterisk.orig/files/patch-channels::chan_skinny.c Mon May 22 22:47:04 2006
+++ asterisk/files/patch-channels::chan_skinny.c Wed Jul 25 12:30:05 2007
@@ -1,14 +1,11 @@
-
-$FreeBSD: ports/net/asterisk/files/patch-channels::chan_skinny.c,v 1.1 2006/05/23 02:47:04 sobomax Exp $
-
---- channels/chan_skinny.c.orig
-+++ channels/chan_skinny.c
-@@ -99,7 +99,7 @@
+--- channels/chan_skinny.c.orig Wed Jul 25 12:29:14 2007
++++ channels/chan_skinny.c Wed Jul 25 12:29:34 2007
+@@ -107,7 +107,7 @@
#define htolel(x) (x)
#define htoles(x) (x)
#else
--#if defined(SOLARIS) || defined(__Darwin__) || defined(__NetBSD__)
-+#if defined(SOLARIS) || defined(__Darwin__) || defined(__NetBSD__) || defined(__FreeBSD__)
+-#if defined(SOLARIS) || defined(__Darwin__) || defined(__NetBSD__) || defined(__OpenBSD__)
++#if defined(SOLARIS) || defined(__Darwin__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
#define __bswap_16(x) \
- ((((x) & 0xff00) >> 8) | \
- (((x) & 0x00ff) << 8))
+ ((((x) & 0xff00) >> 8) | \
+ (((x) & 0x00ff) << 8))
--- asterisk-1.4.9.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list