[Pkg-voip-commits] [asterisk] 03/03: work on asterisk 11.20.0
Jeremy Lainé
sharky at moszumanska.debian.org
Tue Dec 8 11:45:59 UTC 2015
This is an automated email from the git hooks/post-receive script.
sharky pushed a commit to branch review-ast1120
in repository asterisk.
commit fc74097e268f38c322988405523eb776312b46b2
Author: Jeremy Lainé <jeremy.laine at m4x.org>
Date: Mon Dec 7 20:50:48 2015 +0100
work on asterisk 11.20.0
---
debian/changelog | 18 +++-
debian/patches/AST-2014-012.patch | 33 ------
debian/patches/AST-2014-014.patch | 83 ---------------
debian/patches/AST-2014-017.patch | 54 ----------
debian/patches/AST-2014-018.patch | 40 -------
debian/patches/AST-2014-019.patch | 99 ------------------
debian/patches/AST-2015-002.patch | 156 ----------------------------
debian/patches/allow-tilde-destdir | 25 -----
debian/patches/enable_dtls_read_ahead.patch | 28 -----
debian/patches/escape_manpage_hyphen.patch | 19 ----
debian/patches/neon_version_check.patch | 19 ----
debian/patches/pjproject | 14 +--
debian/patches/res_fax_bounds.patch | 17 ---
debian/patches/restore_abi_sum.patch | 61 +++++++++++
debian/patches/series | 14 +--
15 files changed, 82 insertions(+), 598 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 25e8d87..561c74c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,17 @@
-asterisk (1:11.13.1~dfsg-3) UNRELEASED; urgency=high
-
+asterisk (1:11.20.0~dfsg-1~) UNRELEASED; urgency=high
+
+ * New upstream release:
+ - Fixes AST-2015-003 / CVE-2015-3008 (Closes: #782411).
+ - Drop allow-tilde-destdir patch, fixed upstream.
+ - Drop escape_manpage_hyphen patch, fixed upstream.
+ - Drop neon_version_check patch, fixed upstream.
+ - Drop res_fax_bounds patch, fixed upstream.
+ - Drop AST-2014-012 patch, fixed upstream.
+ - Drop AST-2014-014 patch, fixed upstream.
+ - Drop AST-2014-017 patch, fixed upstream.
+ - Drop AST-2014-019 patch, fixed upstream.
* Add a placeholder conf in manager.d (Closes: #776080).
- * Fix DTLS which was broken by OpenSSL security patches.
- * Fix security issue AST-2015-002: Mitigation for libcURL HTTP request
- injection vulnerability.
+ * Revert upstream change to buildopts.h, ABI has not changed.
-- Jeremy Lainé <jeremy.laine at m4x.org> Wed, 04 Feb 2015 18:39:53 +0100
diff --git a/debian/patches/AST-2014-012.patch b/debian/patches/AST-2014-012.patch
deleted file mode 100644
index 3653c3f..0000000
--- a/debian/patches/AST-2014-012.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 5927deff8aa3784ebb1ba3ada8d5c99b172642c7 Mon Sep 17 00:00:00 2001
-From: Mark Michelson <mmichelson at digium.com>
-Date: Thu, 20 Nov 2014 16:35:18 +0000
-Subject: Mixed IP address families in access control lists may permit unwanted traffic
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428417
-CVE: CVE-2014-8412
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24469
-
-Prior to this commit, the address family of the first item in an ACL
-was used to compare all incoming traffic. This could lead to traffic
-of other IP address families bypassing ACLs.
-
-See Also: http://downloads.asterisk.org/pub/security/AST-2014-012.html
----
- main/acl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/main/acl.c b/main/acl.c
-index ff93ba6..65d0f1d 100644
---- a/main/acl.c
-+++ b/main/acl.c
-@@ -776,7 +776,7 @@ enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockad
- ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
- ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
- #endif
-- if (ast_sockaddr_is_ipv4(&ha->addr)) {
-+ if (ast_sockaddr_is_ipv4(¤t_ha->addr)) {
- if (ast_sockaddr_is_ipv6(addr)) {
- if (ast_sockaddr_is_ipv4_mapped(addr)) {
- /* IPv4 ACLs apply to IPv4-mapped addresses */
---
-2.1.3
-
diff --git a/debian/patches/AST-2014-014.patch b/debian/patches/AST-2014-014.patch
deleted file mode 100644
index 69ab3de..0000000
--- a/debian/patches/AST-2014-014.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 90cdc0d1c75ac44837da9ff4a6cecf754d99e4f9 Mon Sep 17 00:00:00 2001
-From: Joshua Colp <jcolp at digium.com>
-Date: Thu, 20 Nov 2014 14:20:08 +0000
-Subject: High call load may result in hung channels in ConfBridge
-CVE: CVE-2014-8414
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428299
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24440
-
-ConfBridge is the voice conferencing application in Asterisk.
-
-Under load it was possible for the bridging API, and thus ConfBridge, to get
-channels that may have hung up stuck in it. This is because handling of state
-transitions for a bridged channel within a bridge was not protected and simply
-set the new state without regard to the existing state. If the existing state
-had been hung up this would get overwritten.
-
-This change adds locking to protect changing of the state and also
-takes into consideration the existing state.
-
-In the default configuration ConfBridge is not used, but its useage is
-common, often for unauthenticated remote users.
-
-Review: https://reviewboard.asterisk.org/r/4173/
-See Also: http://downloads.asterisk.org/pub/security/AST-2014-014.html
----
- main/bridging.c | 26 +++++++++++++++++++++-----
- 1 file changed, 21 insertions(+), 5 deletions(-)
-
-diff --git a/main/bridging.c b/main/bridging.c
-index a36ccf9..0f8f4e8 100644
---- a/main/bridging.c
-+++ b/main/bridging.c
-@@ -120,8 +120,22 @@ int ast_bridge_technology_unregister(struct ast_bridge_technology *technology)
-
- void ast_bridge_change_state(struct ast_bridge_channel *bridge_channel, enum ast_bridge_channel_state new_state)
- {
-- /* Change the state on the bridge channel */
-- bridge_channel->state = new_state;
-+ /* Change the state on the bridge channel with some manner of intelligence. */
-+ ao2_lock(bridge_channel);
-+ switch (bridge_channel->state) {
-+ case AST_BRIDGE_CHANNEL_STATE_DEPART:
-+ break;
-+ case AST_BRIDGE_CHANNEL_STATE_END:
-+ case AST_BRIDGE_CHANNEL_STATE_HANGUP:
-+ if (new_state != AST_BRIDGE_CHANNEL_STATE_DEPART) {
-+ break;
-+ }
-+ /* Fall through */
-+ default:
-+ bridge_channel->state = new_state;
-+ break;
-+ }
-+ ao2_unlock(bridge_channel);
-
- /* Only poke the channel's thread if it is not us */
- if (!pthread_equal(pthread_self(), bridge_channel->thread)) {
-@@ -130,8 +144,6 @@ void ast_bridge_change_state(struct ast_bridge_channel *bridge_channel, enum ast
- ast_cond_signal(&bridge_channel->cond);
- ao2_unlock(bridge_channel);
- }
--
-- return;
- }
-
- /*! \brief Helper function to poke the bridge thread */
-@@ -1147,8 +1159,12 @@ static void *bridge_channel_thread(void *data)
- state = bridge_channel_join(bridge_channel);
-
- /* If no other thread is going to take the channel then hang it up, or else we would have to service it until something else came along */
-- if (bridge_channel->allow_impart_hangup && (state == AST_BRIDGE_CHANNEL_STATE_END || state == AST_BRIDGE_CHANNEL_STATE_HANGUP)) {
-+ if (bridge_channel->allow_impart_hangup
-+ && state != AST_BRIDGE_CHANNEL_STATE_DEPART) {
- ast_hangup(bridge_channel->chan);
-+
-+ /* nobody is waiting to join me. */
-+ pthread_detach(pthread_self());
- }
-
- /* cleanup */
---
-2.1.3
-
diff --git a/debian/patches/AST-2014-017.patch b/debian/patches/AST-2014-017.patch
deleted file mode 100644
index 26901a4..0000000
--- a/debian/patches/AST-2014-017.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 192e4a1d7a04077fe3e94d6eff3ebbd187aa8c05 Mon Sep 17 00:00:00 2001
-From: Kevin Harwell <kharwell at digium.com>
-Date: Thu, 20 Nov 2014 15:42:01 +0000
-Subject: Permission escalation through ConfBridge actions/dialplan functions
-CVE: CVE-2014-8417
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428332
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24490
-
-The CONFBRIDGE dialplan function when executed from an external protocol
-(for instance AMI - the Asterisk Manager Interface), could result in a
-privilege escalation. Also, the AMI action “ConfbridgeStartRecord” could
-also be used to execute arbitrary system commands without first checking
-for system access.
-
-Asterisk now inhibits the CONFBRIDGE function from being executed from an
-external interface if the live_dangerously option is set to no. Also, the
-“ConfbridgeStartRecord” AMI action is now only allowed to execute under a
-user with system level access.
-
-In the default configuration the manager interface is only accessible
-from localhost with no users configured and no AGI script is installed,
-however using such interfaces is very common.
-
-
-See Also: http://downloads.asterisk.org/pub/security/AST-2014-017.html
----
- apps/app_confbridge.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/apps/app_confbridge.c b/apps/app_confbridge.c
-index 70844d6..2fa7904 100644
---- a/apps/app_confbridge.c
-+++ b/apps/app_confbridge.c
-@@ -3189,7 +3189,7 @@ static int load_module(void)
- ast_log(LOG_ERROR, "Unable to load config. Not loading module.\n");
- return AST_MODULE_LOAD_DECLINE;
- }
-- if ((ast_custom_function_register(&confbridge_function))) {
-+ if ((ast_custom_function_register_escalating(&confbridge_function, AST_CFE_WRITE))) {
- return AST_MODULE_LOAD_FAILURE;
- }
- if ((ast_custom_function_register(&confbridge_info_function))) {
-@@ -3220,7 +3220,7 @@ static int load_module(void)
- res |= ast_manager_register_xml("ConfbridgeKick", EVENT_FLAG_CALL, action_confbridgekick);
- res |= ast_manager_register_xml("ConfbridgeUnlock", EVENT_FLAG_CALL, action_confbridgeunlock);
- res |= ast_manager_register_xml("ConfbridgeLock", EVENT_FLAG_CALL, action_confbridgelock);
-- res |= ast_manager_register_xml("ConfbridgeStartRecord", EVENT_FLAG_CALL, action_confbridgestartrecord);
-+ res |= ast_manager_register_xml("ConfbridgeStartRecord", EVENT_FLAG_SYSTEM, action_confbridgestartrecord);
- res |= ast_manager_register_xml("ConfbridgeStopRecord", EVENT_FLAG_CALL, action_confbridgestoprecord);
- res |= ast_manager_register_xml("ConfbridgeSetSingleVideoSrc", EVENT_FLAG_CALL, action_confbridgesetsinglevideosrc);
- if (res) {
---
-2.1.3
-
diff --git a/debian/patches/AST-2014-018.patch b/debian/patches/AST-2014-018.patch
deleted file mode 100644
index 6d1d5c9..0000000
--- a/debian/patches/AST-2014-018.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 97a7e59635cc71f82e932d9f142ac58ffbfee431 Mon Sep 17 00:00:00 2001
-From: Kevin Harwell <kharwell at digium.com>
-Date: Thu, 20 Nov 2014 16:22:50 +0000
-Subject: AMI permission escalation through DB dialplan function
-CVE: CVE-2014-8418
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=428363
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24534
-
-The DB dialplan function when executed from an external protocol (for
-instance AMI - the Asterisk Manager Interface), could result in a
-privilege escalation.
-
-Asterisk now inhibits the DB function from being executed from an external
-interface if the live_dangerously option is set to no.
-
-In the default configuration the manager interface is only accessible
-from localhost with no users configured and no AGI script is installed,
-however using such interfaces is very common.
-
-See Also: http://downloads.asterisk.org/pub/security/AST-2014-018.html
----
- funcs/func_db.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/funcs/func_db.c b/funcs/func_db.c
-index ebe58f0..b56fef9 100644
---- a/funcs/func_db.c
-+++ b/funcs/func_db.c
-@@ -351,7 +351,7 @@ static int load_module(void)
- {
- int res = 0;
-
-- res |= ast_custom_function_register(&db_function);
-+ res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
- res |= ast_custom_function_register(&db_exists_function);
- res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
- res |= ast_custom_function_register(&db_keys_function);
---
-2.1.3
-
diff --git a/debian/patches/AST-2014-019.patch b/debian/patches/AST-2014-019.patch
deleted file mode 100644
index 0e3e696..0000000
--- a/debian/patches/AST-2014-019.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 029aa170547847860608f194f1040bdf8f910460 Mon Sep 17 00:00:00 2001
-From: Joshua Colp <jcolp at digium.com>
-Date: Wed, 10 Dec 2014 13:30:22 +0000
-Subject: Remote Crash Vulnerability in WebSocket Server
-CVE: CVE-2014-9374
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=429270
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24472
-
-Frames with a payload length of 0 were incorrectly handled in
-res_http_websocket. Provided a frame with a payload had been received
-prior it was possible for a double free to occur. The realloc operation
-would succeed (thus freeing the payload) but be treated as an error.
-When the session was then torn down the payload would be freed again
-causing a crash. The read function now takes this into account.
-
-This change also fixes assumptions made by users of res_http_websocket.
-There is no guarantee that a frame received from it will be NULL
-terminated.
-
-In the default configuration, the websocket server is not used.
-
-Review: https://reviewboard.asterisk.org/r/4220/
-Review: https://reviewboard.asterisk.org/r/4219/
-See Also: http://downloads.asterisk.org/pub/security/AST-2014-019.html
----
- channels/chan_sip.c | 6 +++++-
- res/res_http_websocket.c | 27 ++++++++++++++++-----------
- 2 files changed, 21 insertions(+), 12 deletions(-)
-
-diff --git a/channels/chan_sip.c b/channels/chan_sip.c
-index 8ac9aae..5c6a8437 100644
---- a/channels/chan_sip.c
-+++ b/channels/chan_sip.c
-@@ -2596,12 +2596,16 @@ static void sip_websocket_callback(struct ast_websocket *session, struct ast_var
-
- if (opcode == AST_WEBSOCKET_OPCODE_TEXT || opcode == AST_WEBSOCKET_OPCODE_BINARY) {
- struct sip_request req = { 0, };
-+ char data[payload_len + 1];
-
- if (!(req.data = ast_str_create(payload_len + 1))) {
- goto end;
- }
-
-- if (ast_str_set(&req.data, -1, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
-+ strncpy(data, payload, payload_len);
-+ data[payload_len] = '\0';
-+
-+ if (ast_str_set(&req.data, -1, "%s", data) == AST_DYNSTR_BUILD_FAILED) {
- deinit_req(&req);
- goto end;
- }
-diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
-index 5258a5f..81fa83d 100644
---- a/res/res_http_websocket.c
-+++ b/res/res_http_websocket.c
-@@ -462,14 +462,6 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
- }
- }
-
-- if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
-- ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",
-- session->payload, session->payload_len, *payload_len);
-- *payload_len = 0;
-- ast_websocket_close(session, 1009);
-- return 0;
-- }
--
- /* Per the RFC for PING we need to send back an opcode with the application data as received */
- if ((*opcode == AST_WEBSOCKET_OPCODE_PING) && (ast_websocket_write(session, AST_WEBSOCKET_OPCODE_PONG, *payload, *payload_len))) {
- *payload_len = 0;
-@@ -477,9 +469,22 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
- return 0;
- }
-
-- session->payload = new_payload;
-- memcpy((session->payload + session->payload_len), (*payload), (*payload_len));
-- session->payload_len += *payload_len;
-+ if (*payload_len) {
-+ if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
-+ ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",
-+ session->payload, session->payload_len, *payload_len);
-+ *payload_len = 0;
-+ ast_websocket_close(session, 1009);
-+ return 0;
-+ }
-+
-+ session->payload = new_payload;
-+ memcpy((session->payload + session->payload_len), (*payload), (*payload_len));
-+ session->payload_len += *payload_len;
-+ } else if (!session->payload_len && session->payload) {
-+ ast_free(session->payload);
-+ session->payload = NULL;
-+ }
-
- if (!fin && session->reconstruct && (session->payload_len < session->reconstruct)) {
- /* If this is not a final message we need to defer returning it until later */
---
-2.1.3
-
diff --git a/debian/patches/AST-2015-002.patch b/debian/patches/AST-2015-002.patch
deleted file mode 100644
index 02bc9c6..0000000
--- a/debian/patches/AST-2015-002.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 39bd4ff0a20297ad0632a675ba414d6aaf4a35cd Mon Sep 17 00:00:00 2001
-From: Mark Michelson <mmichelson at digium.com>
-Date: Wed, 28 Jan 2015 17:05:26 +0000
-Subject: Mitigate possible HTTP injection attacks using CURL() function in Asterisk.
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24676
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=431297
-
-CVE-2014-8150 disclosed a vulnerability in libcURL where HTTP request injection
-can be performed given properly-crafted URLs.
-
-Since Asterisk makes use of libcURL, and it is possible that users of Asterisk may
-get cURL URLs from user input or remote sources, we have made a patch to Asterisk
-to prevent such HTTP injection attacks from originating from Asterisk.
-
-Review: https://reviewboard.asterisk.org/r/4364
-
-See also http://downloads.asterisk.org/pub/security/AST-2015-002.html
-
-Includes the compilation fix from the following commit r431298.
-
----
- funcs/func_curl.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 83 insertions(+)
-
-diff --git a/funcs/func_curl.c b/funcs/func_curl.c
-index 1a69071..480e677 100644
---- a/funcs/func_curl.c
-+++ b/funcs/func_curl.c
-@@ -50,6 +50,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
- #include "asterisk/app.h"
- #include "asterisk/utils.h"
- #include "asterisk/threadstorage.h"
-+#include "asterisk/test.h"
-
- /*** DOCUMENTATION
- <function name="CURL" language="en_US">
-@@ -568,6 +569,31 @@ static void curl_instance_cleanup(void *data)
- AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup);
- AST_THREADSTORAGE(thread_escapebuf);
-
-+/*!
-+ * \brief Check for potential HTTP injection risk.
-+ *
-+ * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection
-+ * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,
-+ * followed by a complete HTTP request. Proxies will handle this as two separate HTTP
-+ * requests rather than as a malformed URL.
-+ *
-+ * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that
-+ * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement
-+ * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.
-+ *
-+ * \param url The URL to check for vulnerability
-+ * \retval 0 The URL is not vulnerable
-+ * \retval 1 The URL is vulnerable.
-+ */
-+static int url_is_vulnerable(const char *url)
-+{
-+ if (strpbrk(url, "\r\n")) {
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
- static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len)
- {
- struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16);
-@@ -605,6 +631,11 @@ static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info
-
- AST_STANDARD_APP_ARGS(args, info);
-
-+ if (url_is_vulnerable(args.url)) {
-+ ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url);
-+ return -1;
-+ }
-+
- if (chan) {
- ast_autoservice_start(chan);
- }
-@@ -763,6 +794,54 @@ static struct ast_custom_function acf_curlopt = {
- .write = acf_curlopt_write,
- };
-
-+AST_TEST_DEFINE(vulnerable_url)
-+{
-+ const char *bad_urls [] = {
-+ "http://example.com\r\nDELETE http://example.com/everything",
-+ "http://example.com\rDELETE http://example.com/everything",
-+ "http://example.com\nDELETE http://example.com/everything",
-+ "\r\nhttp://example.com",
-+ "\rhttp://example.com",
-+ "\nhttp://example.com",
-+ "http://example.com\r\n",
-+ "http://example.com\r",
-+ "http://example.com\n",
-+ };
-+ const char *good_urls [] = {
-+ "http://example.com",
-+ "http://example.com/%5Cr%5Cn",
-+ };
-+ int i;
-+ enum ast_test_result_state res = AST_TEST_PASS;
-+
-+ switch (cmd) {
-+ case TEST_INIT:
-+ info->name = "vulnerable_url";
-+ info->category = "/funcs/func_curl/";
-+ info->summary = "cURL vulnerable URL test";
-+ info->description =
-+ "Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL";
-+ case TEST_EXECUTE:
-+ break;
-+ }
-+
-+ for (i = 0; i < ARRAY_LEN(bad_urls); ++i) {
-+ if (!url_is_vulnerable(bad_urls[i])) {
-+ ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]);
-+ res = AST_TEST_FAIL;
-+ }
-+ }
-+
-+ for (i = 0; i < ARRAY_LEN(good_urls); ++i) {
-+ if (url_is_vulnerable(good_urls[i])) {
-+ ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]);
-+ res = AST_TEST_FAIL;
-+ }
-+ }
-+
-+ return res;
-+}
-+
- static int unload_module(void)
- {
- int res;
-@@ -770,6 +849,8 @@ static int unload_module(void)
- res = ast_custom_function_unregister(&acf_curl);
- res |= ast_custom_function_unregister(&acf_curlopt);
-
-+ AST_TEST_UNREGISTER(vulnerable_url);
-+
- return res;
- }
-
-@@ -787,6 +868,8 @@ static int load_module(void)
- res = ast_custom_function_register(&acf_curl);
- res |= ast_custom_function_register(&acf_curlopt);
-
-+ AST_TEST_REGISTER(vulnerable_url);
-+
- return res;
- }
-
---
-2.1.4
-
diff --git a/debian/patches/allow-tilde-destdir b/debian/patches/allow-tilde-destdir
deleted file mode 100644
index da5d2fb..0000000
--- a/debian/patches/allow-tilde-destdir
+++ /dev/null
@@ -1,25 +0,0 @@
-Subject: relax badshell tilde test
-Author: Faidon Liambotis <paravoid at debian.org>
-Bug: http://issues.asterisk.org/view.php?id=14718
-Last-Update: 2009-12-19
-
-badshell is disallowing tildes (~) in the DESTDIR directory to warn people
-who use a shell that doesn't expand it to $HOMEDIR.
-
-However, we have such a tilde in our directory (~rcN) that isn't expanded
-to $HOMEDIR nor shouldn't be.
-
-This patch relaxes this test just for cases where the ~ is followed by a '/',
-which should catch most cases.
-
---- a/Makefile
-+++ b/Makefile
-@@ -596,7 +596,7 @@ oldmodcheck:
- fi
-
- badshell:
--ifneq ($(findstring ~,$(DESTDIR)),)
-+ifneq ($(findstring ~/,$(DESTDIR)),)
- @echo "Your shell doesn't do ~ expansion when expected (specifically, when doing \"make install DESTDIR=~/path\")."
- @echo "Try replacing ~ with \$$HOME, as in \"make install DESTDIR=\$$HOME/path\"."
- @exit 1
diff --git a/debian/patches/enable_dtls_read_ahead.patch b/debian/patches/enable_dtls_read_ahead.patch
deleted file mode 100644
index e47b66a..0000000
--- a/debian/patches/enable_dtls_read_ahead.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Jeremy Lainé <jeremy.laine at m4x.org>
-Subject: Fix DTLS when used with patched OpenSSL
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24711
-
-A recent security fix for OpenSSL broke DTLS negotiation for many
-applications. This was caused by read ahead not being enabled when it
-should be. While a commit has gone into OpenSSL to force read ahead
-on for DTLS it may take some time for a release to be made and the
-change to be present in distributions (if at all). As enabling read
-ahead is a simple one line change this commit does that and fixes
-the issue.
-
-See also:
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775502
-
-diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
-index ec3f147..a638572 100644
---- a/res/res_rtp_asterisk.c
-+++ b/res/res_rtp_asterisk.c
-@@ -1260,6 +1260,8 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
- return -1;
- }
-
-+ SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1);
-+
- rtp->dtls_verify = dtls_cfg->verify;
-
- SSL_CTX_set_verify(rtp->ssl_ctx, (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_FINGERPRINT) || (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE) ?
diff --git a/debian/patches/escape_manpage_hyphen.patch b/debian/patches/escape_manpage_hyphen.patch
deleted file mode 100644
index 8816e61..0000000
--- a/debian/patches/escape_manpage_hyphen.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Author: Jeremy Lainé <jeremy.laine at m4x.org>
-Description: fix groff error in asterisk manpage
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-23768
-
-Fix an unescaped hyphen in the asterisk manpage.
-
-diff --git a/doc/asterisk.8 b/doc/asterisk.8
-index 15d7ab7..d566480 100644
---- a/doc/asterisk.8
-+++ b/doc/asterisk.8
-@@ -98,7 +98,7 @@ option also implies \*(T<\fB\-f\fR\*(T> (no forking). However when
- connecting to an existing Asterisk instance (\*(T<\fB\-r\fR\*(T> or
- \*(T<\fB\-R\fR\*(T>), it may only increase the debug level.
- .TP
---e \fImemory\fR
-+\-e \fImemory\fR
- Limit the generation of new channels when the amount of free memory
- has decreased to under \fImemory\fR megabytes.
- Equivalent to \*(T<\fBminmemfree = \fR\*(T>\fImemory\fR in
diff --git a/debian/patches/neon_version_check.patch b/debian/patches/neon_version_check.patch
deleted file mode 100644
index 5a1b3e8..0000000
--- a/debian/patches/neon_version_check.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-From: Jeremy Lainé <jeremy.laine at m4x.org>
-Subject: relax neon version check
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24325
-
-Relax the neon version check to also accept version 0.30.x
-
-diff --git a/res/res_calendar_ews.c b/res/res_calendar_ews.c
-index 0f8b0c2..a617790 100644
---- a/res/res_calendar_ews.c
-+++ b/res/res_calendar_ews.c
-@@ -907,7 +907,7 @@ static int load_module(void)
- {
- /* Actualy, 0.29.1 is required (because of NTLM authentication), but this
- * function does not support matching patch version. */
-- if (ne_version_match(0, 29)) {
-+ if (ne_version_match(0, 29) && ne_version_match(0, 30)) {
- ast_log(LOG_ERROR, "Exchange Web Service calendar module require neon >= 0.29.1, but %s is installed.\n", ne_version_string());
- return AST_MODULE_LOAD_DECLINE;
- }
diff --git a/debian/patches/pjproject b/debian/patches/pjproject
index 0d37f3c..66ed2b9 100644
--- a/debian/patches/pjproject
+++ b/debian/patches/pjproject
@@ -20,7 +20,7 @@ ICE/STUN/TURN support in res_rtp_asterisk is also now optional.
PRI=@PBX_PRI@
--- a/configure.ac
+++ b/configure.ac
-@@ -425,6 +425,7 @@ AST_EXT_LIB_SETUP([OPENR2], [MFR2], [ope
+@@ -429,6 +429,7 @@ AST_EXT_LIB_SETUP([OPENR2], [MFR2], [ope
AST_EXT_LIB_SETUP([OSPTK], [OSP Toolkit], [osptk])
AST_EXT_LIB_SETUP([OSS], [Open Sound System], [oss])
AST_EXT_LIB_SETUP([PGSQL], [PostgreSQL], [postgres])
@@ -28,7 +28,7 @@ ICE/STUN/TURN support in res_rtp_asterisk is also now optional.
AST_EXT_LIB_SETUP([POPT], [popt], [popt])
AST_EXT_LIB_SETUP([PORTAUDIO], [PortAudio], [portaudio])
AST_EXT_LIB_SETUP([PRI], [ISDN PRI], [pri])
-@@ -2008,6 +2009,8 @@ if test "${PG_CONFIG}" != No; then
+@@ -2001,6 +2002,8 @@ if test "${PG_CONFIG}" != No; then
fi
fi
@@ -39,7 +39,7 @@ ICE/STUN/TURN support in res_rtp_asterisk is also now optional.
AST_EXT_LIB_CHECK([PORTAUDIO], [portaudio], [Pa_GetDeviceCount], [portaudio.h])
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
-@@ -554,6 +554,9 @@
+@@ -557,6 +557,9 @@
/* Define to indicate presence of the pg_encoding_to_char API. */
#undef HAVE_PGSQL_pg_encoding_to_char
@@ -51,7 +51,7 @@ ICE/STUN/TURN support in res_rtp_asterisk is also now optional.
--- a/makeopts.in
+++ b/makeopts.in
-@@ -214,6 +214,9 @@ OSS_LIB=@OSS_LIB@ @FFMPEG_LIB@ @SDL_LIB@
+@@ -217,6 +217,9 @@ OSS_LIB=@OSS_LIB@ @FFMPEG_LIB@ @SDL_LIB@
PGSQL_INCLUDE=@PGSQL_INCLUDE@
PGSQL_LIB=@PGSQL_LIB@
@@ -63,12 +63,12 @@ ICE/STUN/TURN support in res_rtp_asterisk is also now optional.
--- a/res/Makefile
+++ b/res/Makefile
-@@ -67,31 +67,9 @@ endif
+@@ -70,31 +70,9 @@ endif
ael/pval.o: ael/pval.c
clean::
- @if [ -f pjproject/build.mak ]; then $(MAKE) -C pjproject realclean; fi
- rm -f snmp/*.o snmp/*.i ael/*.o ael/*.i ais/*.o ais/*.i
+ rm -f snmp/*.o snmp/*.i ael/*.o ael/*.i ais/*.o ais/*.i snmp/*.gcda snmp/*.gcno ael/*.gcda ael/*.gcno
-dist-clean:: distclean
-distclean::
@@ -119,7 +119,7 @@ ICE/STUN/TURN support in res_rtp_asterisk is also now optional.
#endif
#include "asterisk/stun.h"
-@@ -2067,7 +2067,7 @@ static int ice_create(struct ast_rtp_ins
+@@ -2431,7 +2431,7 @@ static int ice_create(struct ast_rtp_ins
/* Create an ICE session for ICE negotiation */
if (pj_ice_sess_create(&stun_config, NULL, PJ_ICE_SESS_ROLE_UNKNOWN, 2,
diff --git a/debian/patches/res_fax_bounds.patch b/debian/patches/res_fax_bounds.patch
deleted file mode 100644
index a2f8fcc..0000000
--- a/debian/patches/res_fax_bounds.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-From: Jeremy Lainé <jeremy.laine at m4x.org>
-Subject: out of bounds error in update_modem_bits
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24357
-
-diff --git a/res/res_fax.c b/res/res_fax.c
-index 1678256..5413fa5 100644
---- a/res/res_fax.c
-+++ b/res/res_fax.c
-@@ -585,7 +585,7 @@ static int update_modem_bits(enum ast_fax_modems *bits, const char *value)
- m[i] = NULL;
- } else {
- tok = strtok(v, ", ");
-- while (tok && (i < 5)) {
-+ while (tok && (i < 4)) {
- m[i++] = tok;
- tok = strtok(NULL, ", ");
- }
diff --git a/debian/patches/restore_abi_sum.patch b/debian/patches/restore_abi_sum.patch
new file mode 100644
index 0000000..1064d31
--- /dev/null
+++ b/debian/patches/restore_abi_sum.patch
@@ -0,0 +1,61 @@
+From: Jeremy Lainé <jeremy.laine at m4x.org>
+Subject: Revert changes to ABI hash calculation
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-25028
+
+Asterisk 11.17.1 changed the way the ABI hash is calculated by discarding
+some options from the hash calculation. This breaks the Debian package's
+Provides: asterisk-${asterisk:ABI}, so revert it.
+
+diff --git a/build_tools/make_buildopts_h b/build_tools/make_buildopts_h
+index 3f7843b..4f02896 100755
+--- a/build_tools/make_buildopts_h
++++ b/build_tools/make_buildopts_h
+@@ -7,37 +7,27 @@ cat << END
+ */
+
+ END
+-
+-if ${GREP} "AST_DEVMODE" makeopts | ${GREP} -q "yes"
+-then
+- echo "#define AST_DEVMODE 1"
+- BUILDOPTS="AST_DEVMODE"
+-fi
+-
+ TMP=`${GREP} -e "^MENUSELECT_CFLAGS" menuselect.makeopts | sed 's/MENUSELECT_CFLAGS\=//g' | sed 's/-D//g'`
+ for x in ${TMP}; do
+ echo "#define ${x} 1"
+- if test "${x}" = "DONT_OPTIMIZE" \
+- -o "${x}" = "BETTER_BACKTRACES" \
+- -o "${x}" = "LOTS_OF_SPANS" \
+- -o "${x}" = "BUILD_NATIVE" \
+- -o "${x}" = "AO2_DEBUG" \
+- -o "${x}" = "REBUILD_PARSERS" \
+- -o "${x}" = "RADIO_RELAX" \
+- -o "${x}" = "DEBUG_SCHEDULER" \
+- -o "${x}" = "DETECT_DEADLOCKS" \
+- -o "${x}" = "DUMP_SCHEDULER" ; then
+- # These aren't ABI affecting options, keep them out of AST_BUILDOPTS
+- continue
+- fi
+ if test "x${BUILDOPTS}" != "x" ; then
+ BUILDOPTS="${BUILDOPTS}, ${x}"
+ else
+ BUILDOPTS="${x}"
+ fi
+ done
++TMP=`${GREP} -e "^MENUSELECT_BUILD_DEPS" menuselect.makeopts | sed 's/MENUSELECT_BUILD_DEPS\=//g'`
++for x in ${TMP}; do
++ x2=`echo ${x} | tr a-z A-Z`
++ echo "#define AST_MODULE_${x2} 1"
++done
++if ${GREP} "AST_DEVMODE" makeopts | ${GREP} -q "yes"
++then
++ echo "#define AST_DEVMODE 1"
++ TMP="${TMP} AST_DEVMODE"
++fi
+
+-BUILDSUM=`echo ${BUILDOPTS} | ${MD5} | cut -c1-32`
++BUILDSUM=`echo ${TMP} | ${MD5} | cut -c1-32`
+
+ echo "#define AST_BUILDOPT_SUM \"${BUILDSUM}\""
+ echo "#define AST_BUILDOPTS \"${BUILDOPTS}\""
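Review bot: The restored `BUILDSUM` line hashes `${TMP}`, which by that point has been reassigned to the MENUSELECT_BUILD_DEPS list (plus `AST_DEVMODE` when enabled), not the `BUILDOPTS` string printed on the last line. After this patch `AST_BUILDOPT_SUM` and `AST_BUILDOPTS` therefore describe different inputs, and nothing in the script says that this is intended. I would add a comment above the hash line, for example `# BUILDSUM is deliberately taken from TMP (build deps + AST_DEVMODE), as before 11.17.1, so asterisk-${asterisk:ABI} stays stable`. The sum presumably also feeds the module compatibility check, so it is worth stating in the patch header which options can no longer change the hash. The script continues outside this hunk, so whether upstream still emits the `AST_MODULE_*` defines elsewhere cannot be checked from here.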
diff --git a/debian/patches/series b/debian/patches/series
index 59d91bc..b51ccb4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,4 @@
# upstream fixes
-allow-tilde-destdir
-
hack-multiple-app-voicemail
# Not used ATM. See comment in patch:
#make-clean-fixes
@@ -29,15 +27,5 @@ sigpri_handle_enodev_1.patch
reenable
ignore_failed_channels.patch
smsq_enable.patch
-escape_manpage_hyphen.patch
aelparse_enable.patch
-res_fax_bounds.patch
-neon_version_check.patch
-enable_dtls_read_ahead.patch
-
-AST-2014-012.patch
-AST-2014-014.patch
-AST-2014-017.patch
-AST-2014-018.patch
-AST-2014-019.patch
-AST-2015-002.patch
+restore_abi_sum.patch
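Review bot: In the second hunk of this file, AST-2014-018.patch, AST-2015-002.patch and enable_dtls_read_ahead.patch are removed from the series, but the changelog entry in this same commit only records AST-2014-012, -014, -017 and -019 as "fixed upstream", and it deletes the two lines that documented the DTLS and AST-2015-002 fixes. Before upload, confirm that the 11.20.0 tree carries each of them: the `ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH)` registration in funcs/func_db.c, the `url_is_vulnerable()` check in funcs/func_curl.c, and `SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1)` in res/res_rtp_asterisk.c. Then add matching `- Drop AST-2014-018 patch, fixed upstream.` style lines for all three, so the security history of the package stays auditable.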
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git