[Pkg-voip-commits] [asterisk] 03/06: Fix patch descriptions

tzafrir at debian.org tzafrir at debian.org
Tue Dec 16 11:08:37 UTC 2014


This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch jessie
in repository asterisk.

commit 8f719ef2e7d0ae07dd0f80755f63ce7049befea1
Author: Tzafrir Cohen <tzafrir at debian.org>
Date:   Tue Dec 16 11:51:38 2014 +0200

    Fix patch descriptions
---
 debian/changelog                  |  2 ++
 debian/patches/AST-2014-012.patch |  4 +++-
 debian/patches/AST-2014-014.patch | 16 +++++++++-------
 debian/patches/AST-2014-017.patch | 25 ++++++++++++-------------
 debian/patches/AST-2014-018.patch | 23 +++++++++++------------
 5 files changed, 37 insertions(+), 33 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d537b49..93da007 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ asterisk (1:11.13.1~dfsg-2) unstable; urgency=medium
   * New upstream release: fixes AST-2014-011 (CVE-2014-3566, POODLE).
   * Add a local gbp.conf for branch jessie
   * New patches for recent security issues (Closes: #771463):
+    - AST-2014-012: Mixed IP address families in ACLs may permit unwanted
+      traffic
     - AST-2014-014: High call load may result in hung channels in ConfBridge
     - AST-2014-017: Mark CONFBRIDGE as a sensitive function for external APIs
     - AST-2014-018: Mark DB as a sensitive function for external APIs
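Review bot: the new AST-2014-012 changelog line gives only the advisory title, while the AST-2014-011 line above it also names its CVE; for consistency consider appending the CVE identifiers that the patch headers in this same commit carry (CVE-2014-8412 for 012, and likewise CVE-2014-8414, CVE-2014-8417 and CVE-2014-8418 for the three entries below it), so the changelog can be searched by CVE as well as by advisory number.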
diff --git a/debian/patches/AST-2014-012.patch b/debian/patches/AST-2014-012.patch
index f12d6ce..3653c3f 100644
--- a/debian/patches/AST-2014-012.patch
+++ b/debian/patches/AST-2014-012.patch
@@ -1,7 +1,7 @@
 From 5927deff8aa3784ebb1ba3ada8d5c99b172642c7 Mon Sep 17 00:00:00 2001
 From: Mark Michelson <mmichelson at digium.com>
 Date: Thu, 20 Nov 2014 16:35:18 +0000
-Subject:  Fix error with mixed address family ACLs.
+Subject: Mixed IP address families in access control lists may permit unwanted traffic
 Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428417
 CVE: CVE-2014-8412
 Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24469
@@ -9,6 +9,8 @@ Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24469
 Prior to this commit, the address family of the first item in an ACL
 was used to compare all incoming traffic. This could lead to traffic
 of other IP address families bypassing ACLs.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2014-012.html
 ---
  main/acl.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
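Review bot: the AST-2014-012 description gains only the See Also link, whereas the other three patch headers in this commit also get a paragraph on default-configuration exposure; consider adding the same kind of note here (whether mixed address-family ACLs arise in a default install or only from site configuration) so the four patch headers read alike.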
diff --git a/debian/patches/AST-2014-014.patch b/debian/patches/AST-2014-014.patch
index 92f461c..69ab3de 100644
--- a/debian/patches/AST-2014-014.patch
+++ b/debian/patches/AST-2014-014.patch
@@ -1,8 +1,12 @@
 From 90cdc0d1c75ac44837da9ff4a6cecf754d99e4f9 Mon Sep 17 00:00:00 2001
 From: Joshua Colp <jcolp at digium.com>
 Date: Thu, 20 Nov 2014 14:20:08 +0000
-Subject: [PATCH 1/3] AST-2014-014: Fix race condition where channels may get
- stuck in ConfBridge under load.
+Subject: High call load may result in hung channels in ConfBridge
+CVE: CVE-2014-8414
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428299
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24440
+
+ConfBridge is the voice conferencing application in Asterisk.
 
 Under load it was possible for the bridging API, and thus ConfBridge, to get
 channels that may have hung up stuck in it. This is because handling of state
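Review bot: the DEP-3 header order here (Subject, CVE, Origin, Bug) differs from the AST-2014-012 patch, which uses Subject, Origin, CVE, Bug; pick one order and apply it to all four patches so the headers can be compared at a glance.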
@@ -13,13 +17,11 @@ had been hung up this would get overwritten.
 This change adds locking to protect changing of the state and also
 takes into consideration the existing state.
 
-ASTERISK-24440 #close
-Reported by: Ben Klang
+In the default configuration ConfBridge is not used, but its useage is
+common, often for unauthenticated remote users.
 
 Review: https://reviewboard.asterisk.org/r/4173/
-
-
-git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428299 f38db490-d61c-443f-a65b-d21fe96a405b
+See Also: http://downloads.asterisk.org/pub/security/AST-2014-014.html
 ---
  main/bridging.c | 26 +++++++++++++++++++++-----
  1 file changed, 21 insertions(+), 5 deletions(-)
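Review bot: "useage" on the added line "common, often for unauthenticated remote users." paragraph should be "usage". The removed "Reported by: Ben Klang" line also drops the reporter credit from the header; consider keeping it (for example just above the Review: line), since the rest of this change is adding metadata rather than removing it.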
diff --git a/debian/patches/AST-2014-017.patch b/debian/patches/AST-2014-017.patch
index a4e1ed4..26901a4 100644
--- a/debian/patches/AST-2014-017.patch
+++ b/debian/patches/AST-2014-017.patch
@@ -1,17 +1,15 @@
 From 192e4a1d7a04077fe3e94d6eff3ebbd187aa8c05 Mon Sep 17 00:00:00 2001
 From: Kevin Harwell <kharwell at digium.com>
 Date: Thu, 20 Nov 2014 15:42:01 +0000
-Subject: [PATCH 2/3] AST-2014-017 - app_confbridge: permission escalation/
- class authorization.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
+Subject: Permission escalation through ConfBridge actions/dialplan functions
+CVE: CVE-2014-8417
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428332
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24490
 
-Confbridge dialplan function permission escalation via AMI and inappropriate
-class authorization on the ConfbridgeStartRecord action. The CONFBRIDGE dialplan
-function when executed from an external protocol (for instance AMI), could
-result in a privilege escalation. Also, the AMI action “ConfbridgeStartRecord”
-could also be used to execute arbitrary system commands without first checking
+The CONFBRIDGE dialplan function when executed from an external protocol
+(for instance AMI - the Asterisk Manager Interface), could result in a
+privilege escalation. Also, the AMI action “ConfbridgeStartRecord” could
+also be used to execute arbitrary system commands without first checking
 for system access.
 
 Asterisk now inhibits the CONFBRIDGE function from being executed from an
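Review bot: the hunk removes the MIME-Version / Content-Type: charset=UTF-8 / Content-Transfer-Encoding headers but keeps the non-ASCII curly quotes in “ConfbridgeStartRecord” on the rewritten lines; either switch those to plain ASCII quotes or keep an explicit charset declaration so the encoding of the header is not left implicit. The rewritten sentence also still reads "Also, the AMI action ... could also be used", a doubled "also" that the rewrite is a good opportunity to drop.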
@@ -19,11 +17,12 @@ external interface if the live_dangerously option is set to no.  Also, the
 “ConfbridgeStartRecord” AMI action is now only allowed to execute under a
 user with system level access.
 
-ASTERISK-24490
-Reported by: Gareth Palmer
+In the default configuration the manager interface is only accessible
+from localhost with no users configured and no AGI script is installed,
+however using such interfaces is very common.
 
 
-git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428332 f38db490-d61c-443f-a65b-d21fe96a405b
+See Also: http://downloads.asterisk.org/pub/security/AST-2014-017.html
 ---
  apps/app_confbridge.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
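Review bot: the added paragraph is a comma splice; "no AGI script is installed, however using such interfaces is very common" needs a semicolon or a full stop before "however" (the same text is added to the AST-2014-018 patch below, so fix both). The hunk also leaves two consecutive blank lines before the See Also line, and dropping "Reported by: Gareth Palmer" removes the reporter credit from the header.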
diff --git a/debian/patches/AST-2014-018.patch b/debian/patches/AST-2014-018.patch
index d1af4b0..6d1d5c9 100644
--- a/debian/patches/AST-2014-018.patch
+++ b/debian/patches/AST-2014-018.patch
@@ -1,24 +1,23 @@
 From 97a7e59635cc71f82e932d9f142ac58ffbfee431 Mon Sep 17 00:00:00 2001
 From: Kevin Harwell <kharwell at digium.com>
 Date: Thu, 20 Nov 2014 16:22:50 +0000
-Subject: [PATCH 3/3] AST-2014-018 - func_db: DB Dialplan function permission
- escalation via AMI.
+Subject: AMI permission escalation through DB dialplan function
+CVE: CVE-2014-8418
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428363
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24534
 
-The DB dialplan function when executed from an external protocol (for instance
-AMI), could result in a privilege escalation.
+The DB dialplan function when executed from an external protocol (for
+instance AMI - the Asterisk Manager Interface), could result in a
+privilege escalation.
 
 Asterisk now inhibits the DB function from being executed from an external
 interface if the live_dangerously option is set to no.
 
-ASTERISK-24534
-Reported by: Gareth Palmer
-patches: submitted by Gareth Palmer (license 5169)
-........
+In the default configuration the manager interface is only accessible
+from localhost with no users configured and no AGI script is installed,
+however using such interfaces is very common.
 
-Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8
-
-
-git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/11@428363 f38db490-d61c-443f-a65b-d21fe96a405b
+See Also: http://downloads.asterisk.org/pub/security/AST-2014-018.html
 ---
  funcs/func_db.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
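Review bot: besides the same comma splice as in AST-2014-017 ("... is installed, however using ..."), this hunk removes "patches: submitted by Gareth Palmer (license 5169)", which is the only record in the header that the fix itself was contributed by a third party; keep that patch-author credit (and ideally the "Reported by" line) alongside the new CVE/Origin/Bug fields instead of dropping it.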

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git


