Date:      Wed, 17 Oct 2007 12:38:05 GMT
From:      Vladimir Korkodinov <viper@perm.raid.ru>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/117270: [UPDATE] net/asterisk-addons to 1.4.4 
Message-ID:  <200710171238.l9HCc5Qs023501@www.freebsd.org>
Resent-Message-ID: <200710171240.l9HCe1TA073621@freefall.freebsd.org>


>Number:         117270
>Category:       ports
>Synopsis:       [UPDATE] net/asterisk-addons to 1.4.4
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 17 12:40:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Korkodinov
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD monitor4 6.2-STABLE FreeBSD 6.2-STABLE #3: Mon Oct 15 16:34:50 YEKST 2007     root@monitor4:/usr/obj/usr/src/sys/viper2  i386

>Description:
Here is a patch to update net/asterisk-addons to 1.4.4.
It corrects the bug (http://downloads.digium.com/pub/asa/AST-2007-023.pdf)
"Asterisk Project Security Advisory - AST-2007-023
Susceptibility   | Remote Unauthenticated Sessions
Description 
The source and destination numbers for a given call are  
not correctly escaped by the cdr_addon_mysql module when 
inserting a record. Therefore, a carefully crafted       
destination number sent to an Asterisk system running    
cdr_addon_mysql could escape out of a SQL data field and 
create another query. This vulnerability is made all the 
more severe if a user were using realtime data, since    
the data may exist in the same database as the inserted  
call detail record, thus creating all sorts of possible  
data corruption and invalidation issues."

>How-To-Repeat:

>Fix:
Apply patch

Patch attached with submission follows:

diff -ruN asterisk-addons.old/Makefile asterisk-addons/Makefile
--- asterisk-addons.old/Makefile	2007-07-28 15:16:08.000000000 +0600
+++ asterisk-addons/Makefile	2007-10-17 17:36:19.000000000 +0600
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	asterisk-addons
-PORTVERSION=	1.4.2
+PORTVERSION=	1.4.4
 CATEGORIES=	net
 MASTER_SITES=	http://ftp.digium.com/pub/asterisk/releases/
 
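Review bot: The PORTVERSION change from 1.4.2 to 1.4.4 is the only Makefile edit, and the diff touches nothing besides Makefile and distinfo, so please confirm that any local patches and the pkg-plist still match the 1.4.4 tarball (a full build plus an install/deinstall run would show it). Since the PR describes this as a security fix, the commit message should name AST-2007-023 so that users still on 1.4.2 can tell why the update matters.
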
diff -ruN asterisk-addons.old/distinfo asterisk-addons/distinfo
--- asterisk-addons.old/distinfo	2007-07-06 08:24:25.000000000 +0600
+++ asterisk-addons/distinfo	2007-10-17 17:36:26.000000000 +0600
@@ -1,3 +1,3 @@
-MD5 (asterisk-addons-1.4.2.tar.gz) = c080b02e6ddc81dab6a64691af890805
-SHA256 (asterisk-addons-1.4.2.tar.gz) = 6d12a1a73cfe0cb14c960e422d0d3c261740857d2a86785f08cf89d44574cc82
-SIZE (asterisk-addons-1.4.2.tar.gz) = 1000286
+MD5 (asterisk-addons-1.4.4.tar.gz) = a25f4908ea122eeee4df7e0697fe5dfb
+SHA256 (asterisk-addons-1.4.4.tar.gz) = 888fe9ac84862b887e78f8ec4a83bc891897702ab123f05309ff117e55b6645b
+SIZE (asterisk-addons-1.4.4.tar.gz) = 1002173
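
Review bot: The new SHA256 and SIZE lines are the only real integrity check on asterisk-addons-1.4.4.tar.gz, because the MASTER_SITES shown in the Makefile hunk fetches it over plain http://ftp.digium.com/ and MD5 is too weak to count against a substituted tarball. The committer should regenerate distinfo from an independently fetched copy and compare the SHA256 against this hunk rather than taking the submitted values as given.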


>Release-Note:
>Audit-Trail:
>Unformatted:


