ports/117270: [UPDATE] net/asterisk-addons to 1.4.4

Vladimir Korkodinov viper at perm.raid.ru
Wed Oct 17 12:40:01 UTC 2007


>Number:         117270
>Category:       ports
>Synopsis:       [UPDATE] net/asterisk-addons to 1.4.4
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 17 12:40:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Korkodinov
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD monitor4 6.2-STABLE FreeBSD 6.2-STABLE #3: Mon Oct 15 16:34:50 YEKST 2007     root at monitor4:/usr/obj/usr/src/sys/viper2  i386

>Description:
Here is a patch to update net/asterisk-addons to 1.4.4.
It corrects the bug (http://downloads.digium.com/pub/asa/AST-2007-023.pdf)
"Asterisk Project Security Advisory - AST-2007-023
Susceptibility   | Remote Unauthenticated Sessions
Description 
The source and destination numbers for a given call are  
not correctly escaped by the cdr_addon_mysql module when 
inserting a record. Therefore, a carefully crafted       
destination number sent to an Asterisk system running    
cdr_addon_mysql could escape out of a SQL data field and 
create another query. This vulnerability is made all the 
more severe if a user were using realtime data, since    
the data may exist in the same database as the inserted  
call detail record, thus creating all sorts of possible  
data corruption and invalidation issues."

>How-To-Repeat:

>Fix:
Apply patch

Patch attached with submission follows:

diff -ruN asterisk-addons.old/Makefile asterisk-addons/Makefile
--- asterisk-addons.old/Makefile	2007-07-28 15:16:08.000000000 +0600
+++ asterisk-addons/Makefile	2007-10-17 17:36:19.000000000 +0600
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	asterisk-addons
-PORTVERSION=	1.4.2
+PORTVERSION=	1.4.4
 CATEGORIES=	net
 MASTER_SITES=	http://ftp.digium.com/pub/asterisk/releases/
 
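Review bot: The PORTVERSION change to 1.4.4 is the only Makefile edit, yet the PR describes it as the fix for AST-2007-023, so nothing in the port records that this is a security update. Suggest accompanying it with a security/vuxml entry that references AST-2007-023, so that systems still running 1.4.2 are flagged by the audit tooling, and mentioning the advisory in the commit message.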
diff -ruN asterisk-addons.old/distinfo asterisk-addons/distinfo
--- asterisk-addons.old/distinfo	2007-07-06 08:24:25.000000000 +0600
+++ asterisk-addons/distinfo	2007-10-17 17:36:26.000000000 +0600
@@ -1,3 +1,3 @@
-MD5 (asterisk-addons-1.4.2.tar.gz) = c080b02e6ddc81dab6a64691af890805
-SHA256 (asterisk-addons-1.4.2.tar.gz) = 6d12a1a73cfe0cb14c960e422d0d3c261740857d2a86785f08cf89d44574cc82
-SIZE (asterisk-addons-1.4.2.tar.gz) = 1000286
+MD5 (asterisk-addons-1.4.4.tar.gz) = a25f4908ea122eeee4df7e0697fe5dfb
+SHA256 (asterisk-addons-1.4.4.tar.gz) = 888fe9ac84862b887e78f8ec4a83bc891897702ab123f05309ff117e55b6645b
+SIZE (asterisk-addons-1.4.4.tar.gz) = 1002173
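Review bot: The three + lines here are the only integrity check on the 1.4.4 tarball, because MASTER_SITES in the Makefile hunk is a plain http URL. Before committing, regenerate distinfo with "make makesum" from an independently fetched copy and confirm that SHA256 and SIZE match the submitted values; the MD5 line alone should not be treated as sufficient evidence.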


>Release-Note:
>Audit-Trail:
>Unformatted:
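
The escaping failure described in the quoted AST-2007-023 text, seen from the fix side. This is an added example, not code from asterisk-addons or from this PR: `escape_field` is a stand-in for `mysql_real_escape_string()`, and the function names, the table and column names, and the sample numbers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for mysql_real_escape_string(), single-byte charset assumed.
 * Returns -1 instead of truncating: a cut after '\' leaves a dangling escape. */
static int escape_field(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    for (; *in; in++) {
        char e = 0;
        switch (*in) {
        case '\'': case '"': case '\\': e = *in; break;
        case '\n': e = 'n'; break;
        case '\r': e = 'r'; break;
        case '\032': e = 'Z'; break;
        }
        if (o + (e ? 2 : 1) >= outsz) return -1;
        if (e) out[o++] = '\\';
        out[o++] = e ? e : *in;
    }
    out[o] = '\0';   /* callers pass outsz >= 1 */
    return (int)o;
}

/* Table and column names are assumed for illustration. */
int build_cdr_insert(char *sql, size_t sz, const char *src, const char *dst)
{
    char s[128], d[128];
    if (escape_field(s, sizeof s, src) < 0 || escape_field(d, sizeof d, dst) < 0)
        return -1;
    int n = snprintf(sql, sz, "INSERT INTO cdr (src, dst) VALUES ('%s', '%s')", s, d);
    return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

/* Two quoted fields must leave exactly 4 unescaped quotes in the statement. */
int unescaped_quotes(const char *sql)
{
    int n = 0;
    for (; *sql; sql++) {
        if (*sql == '\\' && sql[1]) sql++;   /* skip the escaped byte */
        else if (*sql == '\'') n++;
    }
    return n;
}

int main(void)
{
    char sql[512];  /* the dst value below is a constructed sample */
    if (build_cdr_insert(sql, sizeof sql, "1000", "2000', 'x") == 0)
        printf("%s\nunescaped quotes: %d\n", sql, unescaped_quotes(sql));
    return 0;
}
```

A count other than 4 from `unescaped_quotes` means a field value ended its own literal, which is the condition the advisory describes.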