-
asterisk (1:13.14.1~dfsg-2+deb9u4) stretch-security; urgency=medium
* AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request
(Closes: #891227)
* AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections
are closed suddenly (Closes: #891228)
* AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when
using ACL (Closes: #902954)
* AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP
websocket upgrade (Closes: #909554)
-- Bernhard Schmidt <email address hidden> Sun, 30 Sep 2018 23:24:10 +0200
-
asterisk (1:13.14.1~dfsg-2+deb9u3) stretch-security; urgency=medium
[ Tzafrir Cohen ]
* AST-2017-009: ignored for the record.
* AST-2017-010 / CVE-2017-16671: Buffer overflow in CDRs (call logs)
(Closes: #881257)
* AST-2017-011 / CVE-2017-16672: Memory/File Descriptor/RTP leak in
pjsip session resource (Closes: #881256)
* AST-2017-012 / CVE-2017-17664: Remote Crash Vulnerability in RTCP Stack
(Closes: #884345)
* AST-2017-013 / CVE-2017-17090: DoS (memory leak) in chan_skinny
(Closes: #883342)
* ASTERISK-26606.patch: fix openssl error reporting (Closes: #883767)
* debian/.gitignore: typo
* gbp.conf: set branch name
[ Bernhard Schmidt ]
* Drop duplicate filter line from d/gbp.conf
-- Tzafrir Cohen <email address hidden> Fri, 29 Dec 2017 16:27:08 +0200
-
asterisk (1:13.14.1~dfsg-2+deb9u2) stretch-security; urgency=high
* CVE-2017-14603 / AST-2017-008
This is a follow-up for AST-2017-005: RTP/RTCP information leak
improving robustness of the security fix and fixing a regression
with re-INVITEs (Closes: #876328)
* Fix one-way audio with chan_sip when transcoding (Closes: #875450)
-- Bernhard Schmidt <email address hidden> Sat, 23 Sep 2017 21:26:19 +0200
-
asterisk (1:13.14.1~dfsg-2+deb9u1) stretch-security; urgency=high
* CVE-2017-14099 / AST-2017-005
Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
* CVE-2017-14100 / AST-2017-006
Shell access command injection in app_minivm (Closes: #873908)
-- Bernhard Schmidt <email address hidden> Sat, 02 Sep 2017 23:21:14 +0200
-
asterisk (1:13.14.1~dfsg-2) unstable; urgency=high
[ Tzafrir Cohen ]
* CVE-2017-9358 / AST-2017-004: Memory exhaustion on short SCCP packets
(Closes: #863906)
* Documentation updates in debian/:
- d/p/test_framework.patch: no longer an upstream issue
- d/asterisk-config-custom:
- fix typo: buildbuildpackage (Closes: #860902)
- add comment that dpkg-buildpackage comes from dpkg-dev
-- Bernhard Schmidt <email address hidden> Fri, 02 Jun 2017 14:40:15 +0200
-
asterisk (1:13.14.1~dfsg-1) unstable; urgency=medium
* New upstream version 13.14.1
- Fixes AST-2017-001 (Buffer overflow in CDR's set user) (Closes: #859910)
* Import upstream fix to set the RTP source address to the address bound by
the PJSIP transport (Closes: #859911)
-- Bernhard Schmidt <email address hidden> Mon, 10 Apr 2017 12:53:03 +0200
-
asterisk (1:13.14.0~dfsg-1) unstable; urgency=medium
[ Bernhard Schmidt ]
* New upstream version 13.14.0~dfsg
- Fixes RTP error on systems with disabled IPv6 (Closes: #853792)
- Fixes asymmetric RTP codec selection (Closes: #855014)
* drop pjsip_improve_logging.patch, applied upstream
* drop configure-osarch, applied upstream
-- Bernhard Schmidt <email address hidden> Tue, 14 Feb 2017 21:54:29 +0100
-
asterisk (1:13.13.1~dfsg-4) unstable; urgency=medium
* Depend on asterisk-core-sounds-en instead of -gsm
-- Bernhard Schmidt <email address hidden> Tue, 24 Jan 2017 14:14:03 +0100
-
asterisk (1:13.13.1~dfsg-2) unstable; urgency=medium
[ Tzafrir Cohen ]
* test_framework.patch: fix ABI
* Add a DAHDI hook script for Asterisk (Closes: #848584)
[ Bernhard Schmidt ]
* disable the open-source Opus and VP8 codec
- these are built out-of-tree in asterisk-opus now, add Suggests
-- Bernhard Schmidt <email address hidden> Sun, 25 Dec 2016 19:54:12 +0100
-
asterisk (1:13.12.2~dfsg-2) unstable; urgency=medium
[ Bernhard Schmidt ]
* Import upstream fix for libedit unicode garbage (Closes: #845144)
-- Bernhard Schmidt <email address hidden> Thu, 01 Dec 2016 20:13:27 +0100
-
asterisk (1:13.12.2~dfsg-1) unstable; urgency=medium
[ Tzafrir Cohen ]
* libsystemd is needed for sd_notify support
* upstreaming radcli-detection.patch
[ Bernhard Schmidt ]
* Additional upstream signing key for Rusty Newton <email address hidden>
* New upstream version 13.12.2~dfsg
-- Bernhard Schmidt <email address hidden> Sun, 13 Nov 2016 20:58:36 +0100
-
asterisk (1:13.8.2~dfsg-1) unstable; urgency=medium
[ Tzafrir Cohen ]
* New upstream release (Fixes AST-2016-005).
* systemd: only restart on failure
[ Jonas Smedegaard ]
* Link against radcli favored over freeradius-client/radiusclient-ng:
+ Add patch to autodetect radcli.
+ Build-depend on libradcli-dev, with libfreeradius-client-dev or
libradiusclient-ng-dev only as fallbacks.
Closes: Bug#822339. Thanks to Daniel Pocock.
* Enable PJProject and FFMpeg: Both projects have re-entered testing.
-- Jonas Smedegaard <email address hidden> Wed, 18 May 2016 14:44:34 +0200
-
asterisk (1:13.7.2~dfsg-1) unstable; urgency=medium
[ upstream ]
* New minor releases.
+ Fixes AST-2015-001.
CVE-2015-1558. Closes: Bug#780601.
+ Fixes AST-2015-002.
Related to CVE-2014-8150.
[ Jonas Smedegaard ]
* Update patches:
+ Unfuzz patches enable_addons smsq_enable.
+ Refresh and tighten all patches.
+ Add/update DEP3 patch headers, with long descriptions embedded in
Description field.
* Modernize Vcs-* field URLs:
+ Use https protocol.
+ Use cgit viewer.
* Declare compliance with Debian Policy 3.9.7.
* Wrap and sort control file.
* Add myself as uploader.
* Tidy copyright info: Strip trailing whitespace.
* Drop/simplify obsolete versioning or fallbacks in build-dependencies
or breaks/replaces.
* Avoid X11-related on not-in-testing linkage (until in testing and
X11-related binaries are in separate binary package).
+ Only enable PJProject, SDL or FFMpeg when targeted experimental.
+ Disable in non-experimental releases.
+ Ignore ABI drift on experimental builds.
+ Temporarily stop build-depend on libpjproject-dev.
Closes: Bug#804460, #792303.
* Fix build-depend only on libsrtp-dev (not also libsrtp0-dev).
* Build-depend on liburiparser-dev, for (presumably) a more uniform
URI parsing.
Closes: Bug#786926.
* Update watch file:
+ Bump to file format 4.
+ Always repackage, using xz.
+ Mangle debian version: strip ~dfsg suffix.
* Update upstream PGP keyring: Add Joshua Colp (0xDAB29B236B940F89).
* Git-ignore quilt .pc dir.
* Have git-buildpackage filter upstream .gitignore files, enable
signed tags, and enable use of pristine-tar.
* Drop custom get-orig-source target: Use "gbp import-orig --uscan"
instead.
* Update copyright info:
+ Fix include reasons for repackaging in Source field (not separate
Comment field) as mandated by file format 1.0.
+ Consider formats/msgsm.h as non-copyright-protected, with comment
on reasoning.
+ Fix use License shortnames BSD-3-clause~IETF BSD-4-clause~Clapper
(not BSD-3-clause).
+ Fix include full verbatim BSD-3-clause~IETF license.
+ Wrap at 72 chars.
+ Use "None" (not "-") as copyright holder for files in the public
domain.
+ Strip non-license text.
+ Assume unversioned GPL is same as generally for the project.
+ Drop comment on audio data encoded as C header file lacking
source: Upstream is free to choose that format as preferred form
(similar to pnm for graphics).
+ Assume GTK+ dialogue code without explicit licensing has same
license as project generally.
+ Use License-Grant and License-Reference fields.
Thanks to Ben Finney.
* Improve media support:
+ Add patch to add Opus codec module supporting transcoding.
+ Add patch to add VP8 format module supporting read/write to file.
+ Add patch to add AMR and AMR-WB modules supporting transcoding.
+ Add patches to support video in console.
+ Build-depend on libopus-dev libopencore-amrnb-dev
libopencore-amrwb-dev libavcodec-dev libswscale-dev
libsdl-image1.2-dev.
Closes: bug#786972, #531728.
* Bump ABI hash.
* Add lintian override regarding license in License-Reference field.
See bug#786450.
* Tidy README.Debian: Fix typo.
* Emit config.log if configure fails.
-- Jonas Smedegaard <email address hidden> Tue, 29 Mar 2016 16:31:49 +0200
-
asterisk (1:13.1.0~dfsg-1.1) unstable; urgency=medium
* Non-maintainer upload.
[ Matthias Klose ]
* Build with -fgnu89-inline. Closes: #777782.
* CVE-2015-1558: File descriptor leak when incompatible codecs are offered.
Closes: #780601.
[ James Cowgill ]
* Fix OSARCH detection on all linux architectures. Closes: #780287.
-- Matthias Klose <email address hidden> Fri, 10 Jul 2015 12:56:51 +0200
-
asterisk (1:11.13.1~dfsg-2) testing-proposed-updates; urgency=high
* New upstream release: fixes AST-2014-011 (CVE-2014-3566, POODLE).
* Add a local gbp.conf for branch jessie
* New patches for recent security issues (Closes: #771463):
- AST-2014-012 (CVE-2014-8412): Mixed IP address families in ACLs
may permit unwanted traffic
- AST-2014-014 (CVE-2014-8414): High call load may result in hung
channels in ConfBridge
- AST-2014-017 (CVE-2014-8417): Mark CONFBRIDGE as a sensitive
function for external APIs
- AST-2014-018 (CVE-2014-8418): Mark DB as a sensitive function for
external APIs
* AST-2014-019.patch (CVE-2014-9374): Remote Crash Vulnerability in
WebSocket Server (Closes: #773230).
* sanity check to avoid changing the ABI hash.
-- Tzafrir Cohen <email address hidden> Thu, 01 Jan 2015 01:25:11 +0200