From: Kevin Harwell Date: Thu, 31 Aug 2017 15:32:04 +0000 (-0500) Subject: Update for certified/11.6-cert17 X-Git-Tag: certified/11.6-cert17^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76ee915193c568d4fdfd6a30df2793f4711d2b6d;p=thirdparty%2Fasterisk.git Update for certified/11.6-cert17 --- diff --git a/.version b/.version index a9d13af2c0..1265036ed6 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -certified/11.6-cert16 \ No newline at end of file +certified/11.6-cert17 \ No newline at end of file diff --git a/ChangeLog b/ChangeLog index 73704a73ea..bea77cc1cd 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,61 @@ +2017-08-31 15:32 +0000 Asterisk Development Team + + * asterisk certified/11.6-cert17 Released. + +2017-07-01 19:24 +0000 [4c4e7303a8] Corey Farrell + + * AST-2017-006: Fix app_minivm application MinivmNotify command injection + + An admin can configure app_minivm with an externnotify program to be run + when a voicemail is received. The app_minivm application MinivmNotify + uses ast_safe_system() for this purpose which is vulnerable to command + injection since the Caller-ID name and number values given to externnotify + can come from an external untrusted source. + + * Add ast_safe_execvp() function. This gives modules the ability to run + external commands with greater safety compared to ast_safe_system(). + Specifically when some parameters are filled by untrusted sources the new + function does not allow malicious input to break argument encoding. This + may be of particular concern where CALLERID(name) or CALLERID(num) may be + used as a parameter to a script run by ast_safe_system() which could + potentially allow arbitrary command execution. + + * Changed app_minivm.c:run_externnotify() to use the new ast_safe_execvp() + instead of ast_safe_system() to avoid command injection. + + * Document code injection potential from untrusted data sources for other + shell commands that are under user control. + + ASTERISK-27103 + + Change-Id: I7552472247a84cde24e1358aaf64af160107aef1 + +2017-05-22 10:36 +0000 [04c45758ca] Joshua Colp + + * res_rtp_asterisk: Only learn a new source in learn state. + + This change moves the logic which learns a new source address + for RTP so it only occurs in the learning state. The learning + state is entered on initial allocation of RTP or if we are + told that the remote address for the media has changed. While + in the learning state if we continue to receive media from + the original source we restart the learning process. 
It is + only once we receive a sufficient number of RTP packets from + the new source that we will switch to it. Once this is done + the closed state is entered where all packets that do not + originate from the expected source are dropped. + + The learning process has also been improved to take into + account the time between received packets so a flood of them + while in the learning state does not cause media to be switched. + + Finally RTCP now drops packets which are not for the learned + SSRC if strict RTP is enabled. + + ASTERISK-27013 + + Change-Id: I56a96e993700906355e79bc880ad9d4ad3ab129c + 2016-12-08 20:29 +0000 Asterisk Development Team * asterisk certified/11.6-cert16 Released. diff --git a/asterisk-certified-11.6-cert16-summary.html b/asterisk-certified-11.6-cert16-summary.html deleted file mode 100644 index c0c0654962..0000000000 --- a/asterisk-certified-11.6-cert16-summary.html +++ /dev/null @@ -1,23 +0,0 @@ -Release Summary - asterisk-certified/11.6-cert16

Release Summary

asterisk-certified/11.6-cert16

Date: 2016-12-08

<asteriskteam@digium.com>


Table of Contents

    -
  1. Summary
  2. -
  3. Contributors
  4. -
  5. Closed Issues
  6. -
  7. Other Changes
  8. -
  9. Diffstat
  10. -

Summary

[Back to Top]

This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.

Security Advisories:

The data in this summary reflects changes that have been made since the previous release, asterisk-certified/11.6-cert15.


Contributors

[Back to Top]

This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.

- - -
CodersTestersReporters
1 Kevin Harwell
1 Walter Doekes
1 Walter Doekes

Closed Issues

[Back to Top]

This is a list of all issues from the issue tracker that were closed by changes that went into this release.

Bug

Category: Channels/chan_sip/Interoperability

ASTERISK-26433: chan_sip: Allows To-tag checks to be bypassed, setting up new calls
Reported by: Walter Doekes
    -
  • [93dfe39642] Walter Doekes -- chan_sip: Do not allow non-SP/HTAB between header key and colon.
  • -


Commits Not Associated with an Issue

[Back to Top]

This is a list of all changes that went into this release that did not reference a JIRA issue.

- - -
RevisionAuthorSummary
c54d57a9f6Kevin HarwellUpdate for certified/11.6-cert16

Diffstat Results

[Back to Top]

This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.

asterisk-certified-11.6-cert15-summary.html   |   23 -----
-asterisk-certified-11.6-cert15-summary.txt    |  108 --------------------------
-b/.version                                    |    2
-b/ChangeLog                                   |   39 +++++++++
-b/asterisk-certified-11.6-cert16-summary.html |   13 +++
-b/asterisk-certified-11.6-cert16-summary.txt  |   29 ++++++
-6 files changed, 82 insertions(+), 132 deletions(-)

\ No newline at end of file diff --git a/asterisk-certified-11.6-cert16-summary.txt b/asterisk-certified-11.6-cert16-summary.txt deleted file mode 100644 index 7269b2c58d..0000000000 --- a/asterisk-certified-11.6-cert16-summary.txt +++ /dev/null 
@@ -1,107 +0,0 @@ - Release Summary - - asterisk-certified/11.6-cert16 - - Date: 2016-12-08 - - - - ---------------------------------------------------------------------- - - Table of Contents - - 1. Summary - 2. Contributors - 3. Closed Issues - 4. Other Changes - 5. Diffstat - - ---------------------------------------------------------------------- - - Summary - - [Back to Top] - - This release has been made to address one or more security vulnerabilities - that have been identified. A security advisory document has been published - for each vulnerability that includes additional information. Users of - versions of Asterisk that are affected are strongly encouraged to review - the advisories and determine what action they should take to protect their - systems from these issues. - - Security Advisories: - - * AST-2016-009 - - The data in this summary reflects changes that have been made since the - previous release, asterisk-certified/11.6-cert15. - - ---------------------------------------------------------------------- - - Contributors - - [Back to Top] - - This table lists the people who have submitted code, those that have - tested patches, as well as those that reported issues on the issue tracker - that were resolved in this release. For coders, the number is how many of - their patches (of any size) were committed into this release. For testers, - the number is the number of times their name was listed as assisting with - testing a patch. Finally, for reporters, the number is the number of - issues that they reported that were affected by commits that went into - this release. - - Coders Testers Reporters - 1 Kevin Harwell 1 Walter Doekes - 1 Walter Doekes - - ---------------------------------------------------------------------- - - Closed Issues - - [Back to Top] - - This is a list of all issues from the issue tracker that were closed by - changes that went into this release. 
- - Bug - - Category: Channels/chan_sip/Interoperability - - ASTERISK-26433: chan_sip: Allows To-tag checks to be bypassed, setting up - new calls - Reported by: Walter Doekes - * [93dfe39642] Walter Doekes -- chan_sip: Do not allow non-SP/HTAB - between header key and colon. - - ---------------------------------------------------------------------- - - Commits Not Associated with an Issue - - [Back to Top] - - This is a list of all changes that went into this release that did not - reference a JIRA issue. - - +------------------------------------------------------------------------+ - | Revision | Author | Summary | - |---------------+------------------+-------------------------------------| - | c54d57a9f6 | Kevin Harwell | Update for certified/11.6-cert16 | - +------------------------------------------------------------------------+ - - ---------------------------------------------------------------------- - - Diffstat Results - - [Back to Top] - - This is a summary of the changes to the source code that went into this - release that was generated using the diffstat utility. - - asterisk-certified-11.6-cert15-summary.html | 23 ----- - asterisk-certified-11.6-cert15-summary.txt | 108 -------------------------- - b/.version | 2 - b/ChangeLog | 39 +++++++++ - b/asterisk-certified-11.6-cert16-summary.html | 13 +++ - b/asterisk-certified-11.6-cert16-summary.txt | 29 ++++++ - 6 files changed, 82 insertions(+), 132 deletions(-) diff --git a/asterisk-certified-11.6-cert17-summary.html b/asterisk-certified-11.6-cert17-summary.html new file mode 100644 index 0000000000..a134677873 --- /dev/null +++ b/asterisk-certified-11.6-cert17-summary.html @@ -0,0 +1,39 @@ +Release Summary - asterisk-certified/11.6-cert17

Release Summary

asterisk-certified/11.6-cert17

Date: 2017-08-31

<asteriskteam@digium.com>


Table of Contents

    +
  1. Summary
  2. +
  3. Contributors
  4. +
  5. Closed Issues
  6. +
  7. Diffstat
  8. +

Summary

[Back to Top]

This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.

Security Advisories:

The data in this summary reflects changes that have been made since the previous release, asterisk-certified/11.6-cert16.


Contributors

[Back to Top]

This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.

+ + +
CodersTestersReporters
1 Corey Farrell
1 Joshua Colp
1 Joshua Colp
1 Corey Farrell

Closed Issues

[Back to Top]

This is a list of all issues from the issue tracker that were closed by changes that went into this release.

Bug

Category: Applications/app_minivm

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Applications/app_mixmonitor

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Applications/app_system

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Applications/app_voicemail

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Channels/chan_dahdi

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Core/General

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Functions/func_shell

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Resources/res_monitor

ASTERISK-27103: core: ast_safe_system command injection possible.
Reported by: Corey Farrell
    +
  • [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application MinivmNotify command injection
  • +

Category: Resources/res_rtp_asterisk

ASTERISK-27013: res_rtp_asterisk: Media can be hijacked even with strict RTP enabled
Reported by: Joshua Colp
    +
  • [04c45758ca] Joshua Colp -- res_rtp_asterisk: Only learn a new source in learn state.
  • +


Diffstat Results

[Back to Top]

This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.

README-SERIOUSLY.bestpractices.txt |    7 ++
+apps/app_minivm.c                  |   36 +++++++++-----
+apps/app_mixmonitor.c              |   10 +++
+apps/app_system.c                  |   10 +++
+configs/minivm.conf.sample         |    2
+funcs/func_shell.c                 |    5 +
+include/asterisk/app.h             |   31 +++++++++++-
+main/asterisk.c                    |   93 +++++++++++++++++++++++++++++++------
+res/res_monitor.c                  |   13 +++--
+res/res_rtp_asterisk.c             |   70 +++++++++++++++------------
+10 files changed, 213 insertions(+), 64 deletions(-)

\ No newline at end of file diff --git a/asterisk-certified-11.6-cert17-summary.txt b/asterisk-certified-11.6-cert17-summary.txt new file mode 100644 index 0000000000..c8501d584e --- /dev/null +++ b/asterisk-certified-11.6-cert17-summary.txt 
@@ -0,0 +1,151 @@ + Release Summary + + asterisk-certified/11.6-cert17 + + Date: 2017-08-31 + + + + ---------------------------------------------------------------------- + + Table of Contents + + 1. Summary + 2. Contributors + 3. Closed Issues + 4. Diffstat + + ---------------------------------------------------------------------- + + Summary + + [Back to Top] + + This release has been made to address one or more security vulnerabilities + that have been identified. A security advisory document has been published + for each vulnerability that includes additional information. Users of + versions of Asterisk that are affected are strongly encouraged to review + the advisories and determine what action they should take to protect their + systems from these issues. + + Security Advisories: + + * AST-2017-005,AST-2017-006 + + The data in this summary reflects changes that have been made since the + previous release, asterisk-certified/11.6-cert16. + + ---------------------------------------------------------------------- + + Contributors + + [Back to Top] + + This table lists the people who have submitted code, those that have + tested patches, as well as those that reported issues on the issue tracker + that were resolved in this release. For coders, the number is how many of + their patches (of any size) were committed into this release. For testers, + the number is the number of times their name was listed as assisting with + testing a patch. Finally, for reporters, the number is the number of + issues that they reported that were affected by commits that went into + this release. + + Coders Testers Reporters + 1 Corey Farrell 1 Joshua Colp + 1 Joshua Colp 1 Corey Farrell + + ---------------------------------------------------------------------- + + Closed Issues + + [Back to Top] + + This is a list of all issues from the issue tracker that were closed by + changes that went into this release. 
+ + Bug + + Category: Applications/app_minivm + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Applications/app_mixmonitor + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Applications/app_system + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Applications/app_voicemail + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Channels/chan_dahdi + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Core/General + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Functions/func_shell + + ASTERISK-27103: core: ast_safe_system command injection possible. + Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Resources/res_monitor + + ASTERISK-27103: core: ast_safe_system command injection possible. 
+ Reported by: Corey Farrell + * [4c4e7303a8] Corey Farrell -- AST-2017-006: Fix app_minivm application + MinivmNotify command injection + + Category: Resources/res_rtp_asterisk + + ASTERISK-27013: res_rtp_asterisk: Media can be hijacked even with strict + RTP enabled + Reported by: Joshua Colp + * [04c45758ca] Joshua Colp -- res_rtp_asterisk: Only learn a new source + in learn state. + + ---------------------------------------------------------------------- + + Diffstat Results + + [Back to Top] + + This is a summary of the changes to the source code that went into this + release that was generated using the diffstat utility. + + README-SERIOUSLY.bestpractices.txt | 7 ++ + apps/app_minivm.c | 36 +++++++++----- + apps/app_mixmonitor.c | 10 +++ + apps/app_system.c | 10 +++ + configs/minivm.conf.sample | 2 + funcs/func_shell.c | 5 + + include/asterisk/app.h | 31 +++++++++++- + main/asterisk.c | 93 +++++++++++++++++++++++++++++++------ + res/res_monitor.c | 13 +++-- + res/res_rtp_asterisk.c | 70 +++++++++++++++------------ + 10 files changed, 213 insertions(+), 64 deletions(-)
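Review bot: the ASTERISK-27013 entry in the ChangeLog hunk (commit 04c45758ca, "res_rtp_asterisk: Only learn a new source in learn state.") carries no advisory identifier, while the sibling entry for 4c4e7303a8 is prefixed "AST-2017-006:" and the new asterisk-certified-11.6-cert17-summary.txt lists two advisories, "AST-2017-005,AST-2017-006". Suggest prefixing the res_rtp_asterisk entry with the one advisory in that list not already claimed by the minivm entry, so both security fixes in this release can be found in the ChangeLog by advisory number the same way.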
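Review bot: in the asterisk-certified-11.6-cert17-summary.html hunk the "Security Advisories:" heading is followed directly by "The data in this summary reflects changes that have been made since the previous release" with no advisory listed, whereas the matching .txt summary in the following hunk reads "* AST-2017-005,AST-2017-006". The deleted cert16 HTML shows the same empty heading next to a .txt that names AST-2016-009, so this looks like the HTML generator dropping the advisory list rather than a one-off; worth checking the generated page before tagging, since the HTML is the version most readers will open.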
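Review bot: the "Diffstat Results" section of the asterisk-certified-11.6-cert17-summary.txt hunk lists only the ten source and config files (README-SERIOUSLY.bestpractices.txt through res/res_rtp_asterisk.c), while the deleted cert16 summary's diffstat also counted b/.version, b/ChangeLog and the summary files themselves, with a "b/" prefix on some paths. Consecutive release summaries should be generated with the same diffstat invocation so that the "N files changed" totals are comparable between releases.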