rpms/asterisk/F-8 asterisk-1.4.18-httpmgrids.patch, NONE, 1.1 .cvsignore, 1.7, 1.8 asterisk.spec, 1.10, 1.11 sources, 1.7, 1.8
Jeffrey C. Ollie (jcollie)
fedora-extras-commits at redhat.com
Wed Mar 19 15:18:00 UTC 2008
Author: jcollie
Update of /cvs/pkgs/rpms/asterisk/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32648
Modified Files:
.cvsignore asterisk.spec sources
Added Files:
asterisk-1.4.18-httpmgrids.patch
Log Message:
Update to 1.4.18.1 plus another patch to fix some security issues.
asterisk-1.4.18-httpmgrids.patch:
--- NEW FILE asterisk-1.4.18-httpmgrids.patch ---
From 0fb7bf7edd33bcbb26ead986309e6544ab325d68 Mon Sep 17 00:00:00 2001
From: kpfleming <kpfleming at 614ede4d-c843-0410-af14-a771ab80d22e>
Date: Thu, 21 Feb 2008 14:33:51 +0000
Subject: [PATCH] reduce the likelihood that HTTP Manager session ids will consist of primarily '1' bits
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@104015 614ede4d-c843-0410-af14-a771ab80d22e
---
main/manager.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/main/manager.c b/main/manager.c
index 8e33096..3edbc3e 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -2660,7 +2660,7 @@ static char *generic_http_callback(int format, struct sockaddr_in *requestor, co
ast_mutex_init(&s->__lock);
ast_mutex_lock(&s->__lock);
s->inuse = 1;
- s->managerid = rand() | (unsigned long)s;
+ s->managerid = rand() ^ (unsigned long) s;
AST_LIST_LOCK(&sessions);
AST_LIST_INSERT_HEAD(&sessions, s, list);
/* Hook into the last spot in the event queue */
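Review bot: switching `|` to `^` in `+ s->managerid = rand() ^ (unsigned long) s;` removes the bias toward all-ones IDs, but the session identifier is still built from `rand()` and a heap pointer, neither of which is unpredictable: `rand()` is a seeded PRNG whose result fits in an `int` (at most RAND_MAX, normally 31 bits), so on a 64-bit build every bit above that comes directly from the address of `s`, and handing the ID to the HTTP client also discloses that address. Suggest filling `managerid` from a cryptographically strong source (for example a read from /dev/urandom into an `unsigned long`) and leaving the pointer out of the computation; if the pointer is kept only for uniqueness, all of the unpredictability still has to come from the strong source.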
--
1.5.4.3
From 7403fb6e261f26b0e01bd538e61ded65c8321ba6 Mon Sep 17 00:00:00 2001
From: tilghman <tilghman at 614ede4d-c843-0410-af14-a771ab80d22e>
Date: Wed, 27 Feb 2008 18:15:10 +0000
Subject: [PATCH] Ensure the session ID can't be 0.
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@104704 614ede4d-c843-0410-af14-a771ab80d22e
---
main/manager.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/main/manager.c b/main/manager.c
index 3edbc3e..b78ecf5 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -2660,7 +2660,12 @@ static char *generic_http_callback(int format, struct sockaddr_in *requestor, co
ast_mutex_init(&s->__lock);
ast_mutex_lock(&s->__lock);
s->inuse = 1;
- s->managerid = rand() ^ (unsigned long) s;
+ /*!\note There is approximately a 1 in 1.8E19 chance that the following
+ * calculation will produce 0, which is an invalid ID, but due to the
+ * properties of the rand() function (and the constantcy of s), that
+ * won't happen twice in a row.
+ */
+ while ((s->managerid = rand() ^ (unsigned long) s) == 0);
AST_LIST_LOCK(&sessions);
AST_LIST_INSERT_HEAD(&sessions, s, list);
/* Hook into the last spot in the event queue */
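Review bot: the probability quoted in the new comment (`1 in 1.8E19`) assumes all 64 bits of `s->managerid` are uniformly random, but `rand()` contributes at most 31 bits and `(unsigned long) s` is a fixed pointer for the lifetime of the session, so the chance of a zero result is not 2^-64; the retry loop, not the arithmetic, is what guarantees a non-zero ID. Suggest rewording the comment to say only that zero is reserved as an invalid ID and is retried, and fix the typo `constantcy` -> `constancy`. Two smaller points on `+ while ((s->managerid = rand() ^ (unsigned long) s) == 0);`: the bare `;` body is easy to misread as an accidentally empty loop, so write it as `while (...) { /* retry */ }`, and since the expression is unchanged from the previous hunk this change fixes validity of the ID, not its guessability.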
--
1.5.4.3
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/asterisk/F-8/.cvsignore,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- .cvsignore 19 Feb 2008 12:49:01 -0000 1.7
+++ .cvsignore 19 Mar 2008 15:17:23 -0000 1.8
@@ -1 +1 @@
-asterisk-1.4.18-stripped.tar.gz
+asterisk-1.4.18.1-stripped.tar.gz
Index: asterisk.spec
===================================================================
RCS file: /cvs/pkgs/rpms/asterisk/F-8/asterisk.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- asterisk.spec 3 Mar 2008 21:02:14 -0000 1.10
+++ asterisk.spec 19 Mar 2008 15:17:23 -0000 1.11
@@ -2,8 +2,8 @@
Summary: The Open Source PBX
Name: asterisk
-Version: 1.4.18
-Release: 3%{?dist}
+Version: 1.4.18.1
+Release: 1%{?dist}
License: GPLv2
Group: Applications/Internet
URL: http://www.asterisk.org/
@@ -17,13 +17,13 @@
#
# MD5 Sums
# ========
-# 3d8b2b2ef4f202901771663b40f19c3d asterisk-1.4.18.tar.gz
-# b5027a1a87592db138e10ddbd0cece8a asterisk-1.4.18-stripped.tar.gz
+# a0d7ee4054a04529b745e60dd4e750c4 asterisk-1.4.18.1.tar.gz
+# 31f42bbdc070fef1302adfeb81fc9251 asterisk-1.4.18.1-stripped.tar.gz
#
# SHA1 Sums
# =========
-# 3a027488395510b6ebe4a0a0c372db33b2044b0a asterisk-1.4.18.tar.gz
-# 6f66bf67e87d17f9ccce5fc07643abb759862289 asterisk-1.4.18-stripped.tar.gz
+# 2991e972f3c2f8cac3849f9359afbb0db7e7203a asterisk-1.4.18.1.tar.gz
+# 14eaeb210f91c843291b018e67f765cb1b5356b4 asterisk-1.4.18.1-stripped.tar.gz
Source0: asterisk-%{version}-stripped.tar.gz
Source1: asterisk-logrotate
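Review bot: the MD5 recorded here for asterisk-1.4.18.1-stripped.tar.gz (`31f42bbdc070fef1302adfeb81fc9251`) matches the entry this commit writes to `sources`, which is the value the build actually checks; the SHA1 lines are comments only and nothing in the spec verifies them. Since SHA1 is the stronger digest, suggest confirming both sums against upstream's published values for 1.4.18.1 before committing and noting in the comment where they were taken from, so a later reviewer can re-verify the tarball independently of the lookaside cache.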
@@ -41,6 +41,7 @@
Patch8: asterisk-1.4.18-chanmobile.patch
Patch9: asterisk-1.4.18-autoconf.patch
Patch10: asterisk-1.4.18-funcdesc.patch
+Patch11: asterisk-1.4.18-httpmgrids.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -332,6 +333,7 @@
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
cp %{SOURCE2} menuselect.makedeps
cp %{SOURCE3} menuselect.makeopts
@@ -902,6 +904,23 @@
%{_libdir}/asterisk/modules/codec_zap.so
%changelog
+* Wed Mar 19 2008 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.4.18.1-1
+- Update to 1.4.18.1 plus another patch to fix some security issues.
+-
+- AST-2008-002 details two buffer overflows that were discovered in
+- RTP codec payload type handling.
+- * http://downloads.digium.com/pub/security/AST-2008-002.pdf
+- * All users of SIP in Asterisk 1.4 and 1.6 are affected.
+-
+- AST-2008-003 details a vulnerability which allows an attacker to
+- bypass SIP authentication and to make a call into the context
+- specified in the general section of sip.conf.
+- * http://downloads.digium.com/pub/security/AST-2008-003.pdf
+- * All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected.
+-
+- AST-2008-005 details a problem in the way manager IDs are caculated.
+- * http://downloads.digium.com/pub/security/AST-2008-005.pdf
+
* Mon Mar 3 2008 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.4.18-3
- Package the directory used to store monitor recordings.
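Review bot: the changelog lists AST-2008-002, AST-2008-003 and AST-2008-005 but does not say which of them the new Patch11 addresses and which come with the 1.4.18.1 tarball; since asterisk-1.4.18-httpmgrids.patch only changes the HTTP Manager session ID computation in main/manager.c, suggest stating that Patch11 corresponds to AST-2008-005 (manager IDs) so the mapping is explicit for anyone auditing the package. Also fix the typo in `+- AST-2008-005 details a problem in the way manager IDs are caculated.` (`caculated` -> `calculated`), and the `+-` / `+- *` continuation lines put a leading `-` on every wrapped line; the usual rpm changelog convention is one `-` per bullet with continuation lines indented by spaces, which keeps tools that parse the changelog from seeing each wrapped line as a separate item.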
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/asterisk/F-8/sources,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- sources 19 Feb 2008 12:49:01 -0000 1.7
+++ sources 19 Mar 2008 15:17:23 -0000 1.8
@@ -1 +1 @@
-b5027a1a87592db138e10ddbd0cece8a asterisk-1.4.18-stripped.tar.gz
+31f42bbdc070fef1302adfeb81fc9251 asterisk-1.4.18.1-stripped.tar.gz