Change logs for asterisk source package in Lucid

  • asterisk (1:1.6.2.5-0ubuntu1.4) lucid-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        crafted UDPTL packet
        - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
          main/udptl.c.
        - CVE-2011-1147
      * SECURITY UPDATE: denial of service via manager session with invalid
        data
        - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
          main/manager.c.
        - CVE-2011-1174
      * SECURITY UPDATE: denial of service via many short TLS sessions
        - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
          in main/tcptls.c.
        - CVE-2011-1175
      * SECURITY UPDATE: denial of service via a series of TCP connections
        - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
          limits to main/manager.c, configs/manager.conf.sample,
          channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
          configs/{skinny,sip,http}.conf.sample.
        - CVE-2011-1507
      * SECURITY UPDATE: remote command execution via incomplete system
        privilege check
        - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
          main/manager.c.
        - CVE-2011-1599
      * SECURITY UPDATE: denial of service via crafted packet and SIP channel
        driver
        - debian/patches/AST-2011-008.diff: set proper length in
          channels/chan_sip.c.
        - CVE-2011-2529
      * SECURITY UPDATE: denial of service and possible code execution via
        IAX2 channel driver crafted frame
        - debian/patches/AST-2011-010-1.6.2.diff: validate options in
          channels/chan_iax2.c, main/features.c.
        - CVE-2011-2535
      * SECURITY UPDATE: account name enumeration
        - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
          channels/chan_sip.c.
        - CVE-2011-2536
     -- Marc Deslauriers <email address hidden>   Tue, 12 Jul 2011 15:49:26 -0400
  • asterisk (1:1.6.2.5-0ubuntu1.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: Stack buffer overflow in SIP channel driver. (LP: #705014)
        - debian/patches/AST-2011-001-1.6.2: The size of the output buffer passed
          to the ast_uri_encode function is now properly respected in main/utils.c.
          Patch courtesy of upstream.
        - CVE-2011-0495
     -- Dave Walker (Daviey) <email address hidden>   Thu, 20 Jan 2011 23:31:55 +0000
  • asterisk (1:1.6.2.5-0ubuntu1.2) lucid-proposed; urgency=low
    
      * debian/patches/unattended_fix: Fix attended transfer call in 1.2.6.5.
        Patch based on Asterisk project's upstream patch (between 1.2.6.5 and
        1.2.6.6, where the issue is declared to be fixed; see issue 16816 on the
        Asterisk bug tracker). (LP: #686625)
     -- Lionel Porcheron <email address hidden>   Mon, 06 Dec 2010 16:56:12 +0100
  • asterisk (1:1.6.2.5-0ubuntu1.1) lucid-proposed; urgency=low
    
      * debian/patches/dnsmgr-A-SRV-handling: Resolve handling of A and SRV
        record changes and problem with multiple A/SRV records returned.
        Patch based on Asterisk project's upstream patch.  (LP: #605358)
     -- Dave Walker (Daviey) <email address hidden>   Wed, 14 Jul 2010 11:40:55 +0100
  • asterisk (1:1.6.2.5-0ubuntu1) lucid; urgency=low
    
      * New upstream bugfix release (1.6.2.5)
      * Security Fixes:
        - AST-2010-003: Invalid parsing of ACL rules can compromise security
        - AST-2010-002: Dialplan injection vulnerability
    
      * Remaining Ubuntu-specific changes:
        - debian/control: Build-depend on hardening-wrapper
        - debian/rules: Make use of hardening-wrapper
        - debian/control: Change Maintainer
        - debian/control: Removed Uploaders field.
        - debian/control: Removed Debian Vcs-Svn entry and replaced with
            ubuntu-voip Vcs-Bzr, to reflect divergence in packages.
        - debian/asterisk.init : chown /dev/dahdi
        - debian/backports/hardy : add file
        - debian/backports/asterisk.init.hardy : add file
     -- Jean-Michel Dault <email address hidden>   Tue, 13 Apr 2010 16:27:27 -0400
  • asterisk (1:1.6.2.2-1ubuntu2) lucid; urgency=low
    
      * debian/{control,rules}: re-enable hardened options to gain PIE build
        (Debian bug 542741, LP: #527538)
     -- Steve Beattie <email address hidden>   Tue, 02 Mar 2010 10:00:03 -0800
  • asterisk (1:1.6.2.2-1ubuntu1) lucid; urgency=high
    
      * Merge from Debian: security update
      * Changes:
        - debian/control: Change Maintainer
        - debian/control: Removed Uploaders field.
        - debian/control: Removed Debian Vcs-Svn entry and replaced with
            ubuntu-voip Vcs-Bzr, to reflect divergence in packages.
        - debian/asterisk.init : chown /dev/dahdi
        - debian/backports/hardy : add file
        - debian/backports/asterisk.init.hardy : add file
     -- Jean-Michel Dault <email address hidden>   Tue, 16 Feb 2010 14:08:54 -0500
  • asterisk (1:1.6.2.0~rc2-0ubuntu3) lucid; urgency=low
    
      * debian/control: remove libreadline5-dev from Depends field.
     -- Devid Antonio Filoni <email address hidden>   Wed, 30 Dec 2009 15:32:48 +0100
  • asterisk (1:1.6.2.0~rc2-0ubuntu2) lucid; urgency=low
    
      [ Dave Walker (Daviey) ]
      * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
        - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
          check ACL for handling SIP INVITEs.  This blocks calls on networks
          intended to be prohibited, by configuration. Based on upstream patch.
        - AST-2009-007
        - CVE-2009-3723
      * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
        - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
          to stop a specially crafted series of requests returning valid usernames.
          Based on upstream patch.
        - AST-2009-008
        - CVE-2009-3727
      * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
        - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
          comfort noise payload containing 24 bytes or greater is received.
        - AST-2009-010
        - CVE-2009-4055
    
      [ Roberto D'Auria ]
      * debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
        heavy traffic on iax2 channel, editing channels/chan_iax2.c.
        Based on upstream patch. (LP: #501116)
     -- Roberto D'Auria <email address hidden>   Wed, 30 Dec 2009 14:49:24 +0100
  • asterisk (1:1.6.2.0~rc2-0ubuntu1) karmic; urgency=low
    
      * New upstream version; upstream is now DFSG compliant.
        - ilibc has been removed upstream.
        - Music on Hold is now cc-by-sa.
        - binary firmware iaxy.bin has been removed upstream.
      * debian/rules: Sanitised UPSTREAM variable for compatibility
        with Ubuntu and other variants.
      * debian/control: Removed Debian Vcs-Svn entry and replaced
        with ubuntu-voip Vcs-Bzr, to reflect divergence in packages.
      * patches/makefile_appdocs_dtd: Removed, merged upstream.
      * patches/disable_moh: Previously disabled, removed from pool.
      * patches/ubuntu-banner: Ported debian-banner to display Ubuntu
        centric bug report information.
      * Refresh quilt patches
    
     -- Dave Walker (Daviey) <email address hidden>   Tue, 22 Sep 2009 16:22:14 +0100