Date: Wed, 17 Oct 2007 12:38:05 GMT From: Vladimir Korkodinov <viper@perm.raid.ru> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/117270: [UPDATE] net/asterisk-addons to 1.4.4 Message-ID: <200710171238.l9HCc5Qs023501@www.freebsd.org> Resent-Message-ID: <200710171240.l9HCe1TA073621@freefall.freebsd.org>
>Number: 117270 >Category: ports >Synopsis: [UPDATE] net/asterisk-addons to 1.4.4 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Wed Oct 17 12:40:01 UTC 2007 >Closed-Date: >Last-Modified: >Originator: Vladimir Korkodinov >Release: 6.2-STABLE >Organization: >Environment: FreeBSD monitor4 6.2-STABLE FreeBSD 6.2-STABLE #3: Mon Oct 15 16:34:50 YEKST 2007 root@monitor4:/usr/obj/usr/src/sys/viper2 i386 >Description: Here a patch to update net/asterisk-addons to 1.4.4 It corrects the bug(http://downloads.digium.com/pub/asa/AST-2007-023.pdf) "Asterisk Project Security Advisory - AST-2007-023 Susceptibility | Remote Unauthenticated Sessions Description The source and destination numbers for a given call are not correctly escaped by the cdr_addon_mysql module when inserting a record. Therefore, a carefully crafted destination number sent to an Asterisk system running cdr_addon_mysql could escape out of a SQL data field and create another query. This vulnerability is made all the more severe if a user were using realtime data, since the data may exist in the same database as the inserted call detail record, thus creating all sorts of possible data corruption and invalidation issues." >How-To-Repeat: >Fix: Apply patch Patch attached with submission follows: diff -ruN asterisk-addons.old/Makefile asterisk-addons/Makefile --- asterisk-addons.old/Makefile 2007-07-28 15:16:08.000000000 +0600 +++ asterisk-addons/Makefile 2007-10-17 17:36:19.000000000 +0600 @@ -6,7 +6,7 @@ # PORTNAME= asterisk-addons -PORTVERSION= 1.4.2 +PORTVERSION= 1.4.4 CATEGORIES= net MASTER_SITES= http://ftp.digium.com/pub/asterisk/releases/ diff -ruN asterisk-addons.old/distinfo asterisk-addons/distinfo --- asterisk-addons.old/distinfo 2007-07-06 08:24:25.000000000 +0600 +++ asterisk-addons/distinfo 2007-10-17 17:36:26.000000000 +0600 
@@ -1,3 +1,3 @@ -MD5 (asterisk-addons-1.4.2.tar.gz) = c080b02e6ddc81dab6a64691af890805 -SHA256 (asterisk-addons-1.4.2.tar.gz) = 6d12a1a73cfe0cb14c960e422d0d3c261740857d2a86785f08cf89d44574cc82 -SIZE (asterisk-addons-1.4.2.tar.gz) = 1000286 +MD5 (asterisk-addons-1.4.4.tar.gz) = a25f4908ea122eeee4df7e0697fe5dfb +SHA256 (asterisk-addons-1.4.4.tar.gz) = 888fe9ac84862b887e78f8ec4a83bc891897702ab123f05309ff117e55b6645b +SIZE (asterisk-addons-1.4.4.tar.gz) = 1002173 >Release-Note: >Audit-Trail: >Unformatted:
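Review bot: the Makefile hunk only bumps PORTVERSION from 1.4.2 to 1.4.4, but the PR description states that this release fixes AST-2007-023 (unescaped src/dst numbers in cdr_addon_mysql allowing SQL injection), so the commit should be paired with a vuxml entry covering asterisk-addons versions below 1.4.4; without it, systems still running 1.4.2 get no portaudit warning and the "critical" severity of this PR is not visible to users.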
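Review bot: in the distinfo hunk all three values (MD5, SHA256, SIZE) for asterisk-addons-1.4.4.tar.gz are replaced consistently, but since distinfo is the only integrity anchor for the distfile, the committer should regenerate them with `make makesum` from a freshly fetched tarball and compare the SHA256 against Digium's published checksum rather than take the values from the PR as-is.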
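The advisory quoted in the PR describes the defect class: call detail record fields (source and destination numbers) were spliced into the INSERT statement text, so a number containing a quote character breaks out of the SQL string literal. The following is an added illustration by the editor, not code from the PR or from the asterisk-addons project: it uses Python's sqlite3 as an offline stand-in for the MySQL backend, with a hypothetical `cdr` table and constructed sample values, and shows the unsafe string-formatted insert beside the parameterized one. (In the real C module the equivalent fix is to escape values with mysql_real_escape_string or to use prepared statements before they reach the query.)

```python
import sqlite3


def setup_db():
    """Create an in-memory CDR table (hypothetical schema, constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, duration INTEGER)"
    )
    return conn


def insert_cdr_unsafe(conn, src, dst, duration):
    """Vulnerable pattern: caller-controlled numbers are pasted into the SQL text.

    A dst such as 1234'5 terminates the string literal early and the
    remainder is parsed as SQL, so the statement no longer means what the
    module intended (here sqlite rejects it; a different remainder could be
    accepted as extra SQL).
    """
    sql = (
        "INSERT INTO cdr (calldate, src, dst, duration) "
        "VALUES (datetime('now'), '%s', '%s', %d)" % (src, dst, duration)
    )
    conn.execute(sql)
    conn.commit()


def insert_cdr_safe(conn, src, dst, duration):
    """Hardened pattern: values travel as bound parameters, never as SQL text."""
    conn.execute(
        "INSERT INTO cdr (calldate, src, dst, duration) "
        "VALUES (datetime('now'), ?, ?, ?)",
        (src, dst, duration),
    )
    conn.commit()


def stored_dst(conn):
    """Return the dst column of every stored record, in insertion order."""
    return [row[0] for row in conn.execute("SELECT dst FROM cdr ORDER BY rowid")]


def demo():
    """Run both inserts against a constructed dst containing a quote.

    Returns (unsafe_insert_succeeded, stored_dst_values).
    """
    conn = setup_db()
    crafted_dst = "1234'5"  # constructed sample: a "number" with an embedded quote
    try:
        insert_cdr_unsafe(conn, "100", crafted_dst, 45)
        unsafe_ok = True
    except sqlite3.OperationalError:
        # The quote broke the statement: the record is lost and the query
        # text was under the caller's control.
        unsafe_ok = False
    # The parameterized insert stores the value verbatim, quote included.
    insert_cdr_safe(conn, "100", crafted_dst, 45)
    return unsafe_ok, stored_dst(conn)


if __name__ == "__main__":
    print(demo())
```

The unsafe variant behaves correctly for ordinary all-digit numbers, which is why this kind of bug survives normal testing; only an input containing a quote exposes it. A detection-side check for an existing deployment is to look in the CDR table for src/dst values containing quote characters or SQL keywords, which should never occur for real dialled numbers.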