-certified/11.6-cert15
\ No newline at end of file
+certified/11.6-cert16
\ No newline at end of file
+2016-12-08 20:28 +0000 Asterisk Development Team <asteriskteam@digium.com>
+
+ * asterisk certified/11.6-cert16 Released.
+
+2016-11-30 09:31 +0000 [93dfe39642] Walter Doekes <walter+asterisk@wjd.nu>
+
+ * chan_sip: Do not allow non-SP/HTAB between header key and colon.
+
+ RFC says SIP headers look like:
+
+ HCOLON = *( SP / HTAB ) ":" SWS
+ SWS = [LWS] ; sep whitespace
+ LWS = [*WSP CRLF] 1*WSP ; linear whitespace
+ WSP = SP / HTAB ; from rfc2234
+
+ chan_sip implemented this:
+
+ HCOLON = *( LOWCTL / SP ) ":" SWS
+ LOWCTL = %x00-1F ; CTL without DEL
+
+ This discrepancy meant that SIP proxies in front of Asterisk with
+ chan_sip could pass on unknown headers with \x00-\x1F in them, which
+ would be treated by Asterisk as a different (known) header. For
+ example, the "To\x01:" header would gladly be forwarded by some proxies
+ as irrelevant, but chan_sip would treat it as the relevant "To:" header.
+
+ Those relying on a SIP proxy to scrub certain headers could mistakenly
+ get unexpected and unvalidated data fed to Asterisk.
+
+ This change fixes so chan_sip only considers SP/HTAB as valid tokens
+ before the colon, making it agree on the headers with other speakers of
+ SIP.
+
+ ASTERISK-26433 #close
+ AST-2016-009
+
+ Change-Id: I78086fbc524ac733b8f7f78cb423c91075fd489b
+ (cherry picked from commit 26dd464dbd0ad7439bc29ce59ec55903d518ec6e)
+
2016-09-08 16:38 +0000 Asterisk Development Team <asteriskteam@digium.com>
* asterisk certified/11.6-cert15 Released.
+++ /dev/null
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-certified/11.6-cert15</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-certified/11.6-cert15</h3><h3 align="center">Date: 2016-09-08</h3><h3 align="center"><asteriskteam@digium.com></h3><hr><h2 align="center">Table of Contents</h2><ol>
-<li><a href="#summary">Summary</a></li>
-<li><a href="#contributors">Contributors</a></li>
-<li><a href="#closed_issues">Closed Issues</a></li>
-<li><a href="#commits">Other Changes</a></li>
-<li><a href="#diffstat">Diffstat</a></li>
-</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
-<li><a href="http://downloads.asterisk.org/pub/security/AST-2016-007.html">AST-2016-007</a></li>
-</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-certified/11.6-cert14.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
-<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">3 George Joseph <gjoseph@digium.com><br/>1 Corey Farrell <git@cfware.com><br/></td><td width="33%"><td width="33%">1 Etienne Lessard <elessard@proformatique.com><br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Bug</h3><h4>Category: Channels/chan_sip/General</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-26272">ASTERISK-26272</a>: chan_sip: File descriptors leak (UDP sockets)<br/>Reported by: Etienne Lessard<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=c7cb8f7808718d3e275a7114ebe5939020618879">[c7cb8f7808]</a> Corey Farrell -- chan_sip: Don't allocate new RTP instances on top of old ones.</li>
-</ul><br><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
-<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
-<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=1fedc0585e75c3df4f3d12b1056d7975eceb434b">1fedc0585e</a></td><td>gtjoseph</td><td>Release summaries: Remove previous versions</td></tr>
-<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=107b121ff82593b33381014ad797b4c7529f9e01">107b121ff8</a></td><td>gtjoseph</td><td>.version: Update for certified/11.6-cert15</td></tr>
-<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=4e3297d0b0b80a079d87831c2bda33cb6e6503af">4e3297d0b0</a></td><td>gtjoseph</td><td>.lastclean: Update for certified/11.6-cert15</td></tr>
-</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>asterisk-certified-11.6-cert14-summary.html | 77 --------
-asterisk-certified-11.6-cert14-summary.txt | 259 ----------------------------
-b/.version | 2
-b/channels/chan_sip.c | 33 +++
-4 files changed, 34 insertions(+), 337 deletions(-)</pre><br></html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-certified/11.6-cert16</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-certified/11.6-cert16</h3><h3 align="center">Date: 2016-12-08</h3><h3 align="center"><asteriskteam@digium.com></h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2016-009.html">AST-2016-009</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-certified/11.6-cert15.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Walter Doekes <walter+asterisk@wjd.nu><br/></td><td width="33%"><td width="33%">1 Walter Doekes <walter+asterisk@wjd.nu><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Bug</h3><h4>Category: Channels/chan_sip/Interoperability</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-26433">ASTERISK-26433</a>: chan_sip: Allows To-tag checks to be bypassed, setting up new calls<br/>Reported by: Walter Doekes<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=93dfe3964212deb8abbee7ab7f0153c64d660726">[93dfe39642]</a> Walter Doekes -- chan_sip: Do not allow non-SP/HTAB between header key and colon.</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>0 files changed</pre><br></html>
\ No newline at end of file
Release Summary
- asterisk-certified/11.6-cert15
+ asterisk-certified/11.6-cert16
- Date: 2016-09-08
+ Date: 2016-12-08
<asteriskteam@digium.com>
1. Summary
2. Contributors
3. Closed Issues
- 4. Other Changes
- 5. Diffstat
+ 4. Diffstat
----------------------------------------------------------------------
Security Advisories:
- * AST-2016-007
+ * AST-2016-009
The data in this summary reflects changes that have been made since the
- previous release, asterisk-certified/11.6-cert14.
+ previous release, asterisk-certified/11.6-cert15.
----------------------------------------------------------------------
this release.
Coders Testers Reporters
- 3 George Joseph 1 Etienne Lessard
- 1 Corey Farrell
+ 1 Walter Doekes 1 Walter Doekes
----------------------------------------------------------------------
Bug
- Category: Channels/chan_sip/General
+ Category: Channels/chan_sip/Interoperability
- ASTERISK-26272: chan_sip: File descriptors leak (UDP sockets)
- Reported by: Etienne Lessard
- * [c7cb8f7808] Corey Farrell -- chan_sip: Don't allocate new RTP
- instances on top of old ones.
-
- ----------------------------------------------------------------------
-
- Commits Not Associated with an Issue
-
- [Back to Top]
-
- This is a list of all changes that went into this release that did not
- reference a JIRA issue.
-
- +------------------------------------------------------------------------+
- | Revision | Author | Summary |
- |-------------+-----------+----------------------------------------------|
- | 1fedc0585e | gtjoseph | Release summaries: Remove previous versions |
- |-------------+-----------+----------------------------------------------|
- | 107b121ff8 | gtjoseph | .version: Update for certified/11.6-cert15 |
- |-------------+-----------+----------------------------------------------|
- | 4e3297d0b0 | gtjoseph | .lastclean: Update for certified/11.6-cert15 |
- +------------------------------------------------------------------------+
+ ASTERISK-26433: chan_sip: Allows To-tag checks to be bypassed, setting up
+ new calls
+ Reported by: Walter Doekes
+ * [93dfe39642] Walter Doekes -- chan_sip: Do not allow non-SP/HTAB
+ between header key and colon.
----------------------------------------------------------------------
This is a summary of the changes to the source code that went into this
release that was generated using the diffstat utility.
- asterisk-certified-11.6-cert14-summary.html | 77 --------
- asterisk-certified-11.6-cert14-summary.txt | 259 ----------------------------
- b/.version | 2
- b/channels/chan_sip.c | 33 +++
- 4 files changed, 34 insertions(+), 337 deletions(-)
+ 0 files changed
projects / thirdparty / asterisk.git / commitdiff
