b3aaa725f1
Fixes the following security vulnerabilities: AST-2019-006: SIP request can change address of a SIP peer. A SIP request can be sent to Asterisk that can change a SIP peer’s IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer’s name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the “nat” option is set to the default, or “auto_force_rport”. https://downloads.asterisk.org/pub/security/AST-2019-006.pdf AST-2019-007: AMI user could execute system commands. A remote authenticated Asterisk Manager Interface (AMI) user without “system” authorization could use a specially crafted “Originate” AMI request to execute arbitrary system commands. https://downloads.asterisk.org/pub/security/AST-2019-007.pdf AST-2019-008: Re-invite with T.38 and malformed SDP causes crash. If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a crash will occur. https://downloads.asterisk.org/pub/security/AST-2019-008.pdf Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> |
||
|---|---|---|
| .. | ||
| 0001-sounds-do-not-download-and-check-sha1s.patch | ||
| 0002-configure-fix-detection-of-libcrypt.patch | ||
| 0003-build-ensure-target-directory-for-modules-exists.patch | ||
| 0004-install-samples-need-the-data-files.patch | ||
| 0005-configure-fix-detection-of-re-entrant-resolver-funct.patch | ||
| asterisk.hash | ||
| asterisk.mk | ||
| Config.in | ||