Author: Matthias Klose
Revision Date: 2015-09-02 16:01:33 UTC

Add build dependencies on libavformat-dev, libv4l-dev, libavutil-dev,
libswscale-dev, libavcodec-dev.

Author: Matthias Klose
Revision Date: 2015-09-02 16:01:33 UTC

Add build dependencies on libavformat-dev, libv4l-dev, libavutil-dev,
libswscale-dev, libavcodec-dev.

Author: Iain Lane
Revision Date: 2015-01-06 12:09:18 UTC

No-change rebuild for new libical

Author: Iain Lane
Revision Date: 2015-01-06 12:09:18 UTC

No-change rebuild for new libical

Author: Artur Rona
Revision Date: 2014-08-20 23:14:39 UTC

* Merge from Debian unstable. Remaining changes:
  - debian/asterisk.init:
    + chown /dev/dahdi.
  - debian/control, debian/rules:
    + Enable Hardening Wrapper (PIE and BIND_NOW).
  - debian/control:
    + Build against libical 1.0.

Author: Artur Rona
Revision Date: 2014-08-20 23:14:39 UTC

* Merge from Debian unstable. Remaining changes:
  - debian/asterisk.init:
    + chown /dev/dahdi.
  - debian/control, debian/rules:
    + Enable Hardening Wrapper (PIE and BIND_NOW).
  - debian/control:
    + Build against libical 1.0.

Author: Mahyuddin Susanto
Revision Date: 2013-12-24 12:18:35 UTC

* Merge from Debian testing, remaining changes:
  - debian/asterisk.init: chown /dev/dahdi
  - debian/control, debian/rules:
    + Enable Hardening Wrapper (PIE and BIND_NOW)
    + Build against libical 1.0

Author: Mahyuddin Susanto
Revision Date: 2013-12-24 12:18:35 UTC

* Merge from Debian testing, remaining changes:
  - debian/asterisk.init: chown /dev/dahdi
  - debian/control, debian/rules:
    + Enable Hardening Wrapper (PIE and BIND_NOW)
    + Build against libical 1.0

Author: Colin Watson
Revision Date: 2013-10-17 00:43:57 UTC

Use the autotools-dev dh addon to update config.guess/config.sub for
arm64.

Author: Colin Watson
Revision Date: 2013-10-17 00:43:57 UTC

Use the autotools-dev dh addon to update config.guess/config.sub for
arm64.

Author: Julian Taylor
Revision Date: 2012-10-09 21:44:39 UTC

Build-depend on hardening-wrapper again,
reenables pie and bindnow (LP: #1039542)

Author: Julian Taylor
Revision Date: 2012-10-09 21:44:39 UTC

Build-depend on hardening-wrapper again,
reenables pie and bindnow (LP: #1039542)

Author: Paul Belanger
Revision Date: 2012-03-11 00:40:50 UTC

* debian/patches/backport-r312866.diff
- Responding to OPTIONS packet with 404 because Asterisk not looking for
   "s" extension (LP: #920020)

Author: Julian Taylor
Revision Date: 2012-10-09 21:44:39 UTC

Build-depend on hardening-wrapper again,
reenables pie and bindnow (LP: #1039542)

Author: Julian Taylor
Revision Date: 2012-10-09 21:44:39 UTC

Build-depend on hardening-wrapper again,
reenables pie and bindnow (LP: #1039542)

Author: Allison Randal
Revision Date: 2012-09-10 01:18:03 UTC

* SECURITY UPDATE: Backported fixes from upstream and Debian unstable. (LP: #1048093)
  - debian/patches/AST-2012-010 (CVE-2012-3863):
    DoS resource leak on uncompleted re-invite transactions
  - debian/patches/AST-2012-011 (CVE-2012-3812):
    DoS remote crash vulnerability in voice mail
  - debian/patches/AST-2012-013 (CVE-2012-4737):
    ACL rules ignored during calls by some IAX2 peers

Author: Andrew Mitchell
Revision Date: 2012-04-24 22:15:54 UTC

* Merge from Debian unstable. (LP: #987772, #956578, #956580, #956581)
* Remaining changes:
  - debian/asterisk.init: chown /dev/dahdi
  - debian/backports/hardy: add file
  - debian/backports/asterisk.init.hardy: add file
  - Fix building on armhf with debian/patches/armhf-fixes:
    + Flatten linux-gnueabihf in configure to linux-gnu, in
      the same way that's already done for linux-gnueabi
* Changes dropped from Ubuntu delta as no longer applicable:
  - debian/patches/backport-r312866.diff: Backported from upstream
  - debian/control: Build-depend on hardening-wrapper, now handled
    by dpkg-buildflags
  - debian/rules: Make use of hardening-wrapper

Author: Paul Belanger
Revision Date: 2012-03-11 00:40:50 UTC

* debian/patches/backport-r312866.diff
- Responding to OPTIONS packet with 404 because Asterisk not looking for
   "s" extension (LP: #920020)

Author: James Page
Revision Date: 2011-09-20 14:05:14 UTC

* Merge from debian unstable (LP: #852479). Remaining changes:
  - debian/control: Build-depend on hardening-wrapper
  - debian/rules: Make use of hardening-wrapper
  - debian/asterisk.init: chown /dev/dahdi
  - debian/backports/hardy: add file
  - debian/backports/asterisk.init.hardy: add file
* Changes dropped from Ubuntu delta as no longer applicable:
  - debian/control:
    + Removed Uploaders field
    + Removed Debian Vcs-Svn entry and replaced with ubuntu-voip Vcs-Bzr,
      to reflect divergence in packages.

Author: James Page
Revision Date: 2011-09-20 13:05:43 UTC

  - debian/control: Build-depend on hardening-wrapper
* Changes dropped from Ubuntu delta as no longer applicable:
  - debian/control:
    + Removed Uploaders field
    + Removed Debian Vcs-Svn entry and replaced with ubuntu-voip Vcs-Bzr,
      to reflect divergence in packages.

Author: Marc Deslauriers
Revision Date: 2011-07-12 14:38:08 UTC

* SECURITY UPDATE: denial of service and possible code exection via
  crafted UDPTL packet
  - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
    main/udptl.c.
  - CVE-2011-1147
* SECURITY UPDATE: denial of service via manager session with invalid
  data
  - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
    main/manager.c.
  - CVE-2011-1174
* SECURITY UPDATE: denial of service via many short TLS sessions
  - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
    in main/tcptls.c.
  - CVE-2011-1175
* SECURITY UPDATE: denial of service via a series of TCP connections
  - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
    limits to main/manager.c, configs/manager.conf.sample,
    channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
    configs/{skinny,sip,http}.conf.sample.
  - CVE-2011-1507
* SECURITY UPDATE: remote command execution via incomplete system
  privilege check
  - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
    main/manager.c.
  - CVE-2011-1599
* SECURITY UPDATE: denial of service via crafted packet and SIP channel
  driver
  - debian/patches/AST-2011-008.diff: set proper length in
    channels/chan_sip.c.
  - CVE-2011-2529
* SECURITY UPDATE: denial of service and possible code execution via
  IAX2 channel driver crafted frame
  - debian/patches/AST-2011-010-1.6.2.diff: validate options in
    channels/chan_iax2.c, main/features.c.
  - CVE-2011-2535
* SECURITY UPDATE: account name enumeration
  - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
    channels/chan_sip.c.
  - CVE-2011-2536

Author: Marc Deslauriers
Revision Date: 2011-07-12 14:38:08 UTC

* SECURITY UPDATE: denial of service and possible code exection via
  crafted UDPTL packet
  - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
    main/udptl.c.
  - CVE-2011-1147
* SECURITY UPDATE: denial of service via manager session with invalid
  data
  - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
    main/manager.c.
  - CVE-2011-1174
* SECURITY UPDATE: denial of service via many short TLS sessions
  - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
    in main/tcptls.c.
  - CVE-2011-1175
* SECURITY UPDATE: denial of service via a series of TCP connections
  - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
    limits to main/manager.c, configs/manager.conf.sample,
    channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
    configs/{skinny,sip,http}.conf.sample.
  - CVE-2011-1507
* SECURITY UPDATE: remote command execution via incomplete system
  privilege check
  - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
    main/manager.c.
  - CVE-2011-1599
* SECURITY UPDATE: denial of service via crafted packet and SIP channel
  driver
  - debian/patches/AST-2011-008.diff: set proper length in
    channels/chan_sip.c.
  - CVE-2011-2529
* SECURITY UPDATE: denial of service and possible code execution via
  IAX2 channel driver crafted frame
  - debian/patches/AST-2011-010-1.6.2.diff: validate options in
    channels/chan_iax2.c, main/features.c.
  - CVE-2011-2535
* SECURITY UPDATE: account name enumeration
  - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
    channels/chan_sip.c.
  - CVE-2011-2536

Author: Marc Deslauriers
Revision Date: 2011-07-12 15:49:26 UTC

* SECURITY UPDATE: denial of service and possible code exection via
  crafted UDPTL packet
  - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
    main/udptl.c.
  - CVE-2011-1147
* SECURITY UPDATE: denial of service via manager session with invalid
  data
  - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
    main/manager.c.
  - CVE-2011-1174
* SECURITY UPDATE: denial of service via many short TLS sessions
  - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
    in main/tcptls.c.
  - CVE-2011-1175
* SECURITY UPDATE: denial of service via a series of TCP connections
  - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
    limits to main/manager.c, configs/manager.conf.sample,
    channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
    configs/{skinny,sip,http}.conf.sample.
  - CVE-2011-1507
* SECURITY UPDATE: remote command execution via incomplete system
  privilege check
  - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
    main/manager.c.
  - CVE-2011-1599
* SECURITY UPDATE: denial of service via crafted packet and SIP channel
  driver
  - debian/patches/AST-2011-008.diff: set proper length in
    channels/chan_sip.c.
  - CVE-2011-2529
* SECURITY UPDATE: denial of service and possible code execution via
  IAX2 channel driver crafted frame
  - debian/patches/AST-2011-010-1.6.2.diff: validate options in
    channels/chan_iax2.c, main/features.c.
  - CVE-2011-2535
* SECURITY UPDATE: account name enumeration
  - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
    channels/chan_sip.c.
  - CVE-2011-2536

Author: Marc Deslauriers
Revision Date: 2011-07-12 15:49:26 UTC

* SECURITY UPDATE: denial of service and possible code exection via
  crafted UDPTL packet
  - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
    main/udptl.c.
  - CVE-2011-1147
* SECURITY UPDATE: denial of service via manager session with invalid
  data
  - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
    main/manager.c.
  - CVE-2011-1174
* SECURITY UPDATE: denial of service via many short TLS sessions
  - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
    in main/tcptls.c.
  - CVE-2011-1175
* SECURITY UPDATE: denial of service via a series of TCP connections
  - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
    limits to main/manager.c, configs/manager.conf.sample,
    channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
    configs/{skinny,sip,http}.conf.sample.
  - CVE-2011-1507
* SECURITY UPDATE: remote command execution via incomplete system
  privilege check
  - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
    main/manager.c.
  - CVE-2011-1599
* SECURITY UPDATE: denial of service via crafted packet and SIP channel
  driver
  - debian/patches/AST-2011-008.diff: set proper length in
    channels/chan_sip.c.
  - CVE-2011-2529
* SECURITY UPDATE: denial of service and possible code execution via
  IAX2 channel driver crafted frame
  - debian/patches/AST-2011-010-1.6.2.diff: validate options in
    channels/chan_iax2.c, main/features.c.
  - CVE-2011-2535
* SECURITY UPDATE: account name enumeration
  - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
    channels/chan_sip.c.
  - CVE-2011-2536

Author: Marc Deslauriers
Revision Date: 2011-07-12 15:44:59 UTC

* SECURITY UPDATE: denial of service and possible code exection via
  crafted UDPTL packet
  - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
    main/udptl.c.
  - CVE-2011-1147
* SECURITY UPDATE: denial of service via manager session with invalid
  data
  - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
    main/manager.c.
  - CVE-2011-1174
* SECURITY UPDATE: denial of service via many short TLS sessions
  - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
    in main/tcptls.c.
  - CVE-2011-1175
* SECURITY UPDATE: denial of service via a series of TCP connections
  - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
    limits to main/manager.c, configs/manager.conf.sample,
    channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
    configs/{skinny,sip,http}.conf.sample.
  - CVE-2011-1507
* SECURITY UPDATE: remote command execution via incomplete system
  privilege check
  - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
    main/manager.c.
  - CVE-2011-1599
* SECURITY UPDATE: denial of service via crafted packet and SIP channel
  driver
  - debian/patches/AST-2011-008.diff: set proper length in
    channels/chan_sip.c.
  - CVE-2011-2529
* SECURITY UPDATE: denial of service and possible code execution via
  IAX2 channel driver crafted frame
  - debian/patches/AST-2011-010-1.6.2.diff: validate options in
    channels/chan_iax2.c, main/features.c.
  - CVE-2011-2535
* SECURITY UPDATE: account name enumeration
  - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
    channels/chan_sip.c.
  - CVE-2011-2536

Author: Marc Deslauriers
Revision Date: 2011-07-12 15:44:59 UTC

* SECURITY UPDATE: denial of service and possible code exection via
  crafted UDPTL packet
  - debian/patches/AST-2011-002-1.6.2.diff: properly calculate lengths in
    main/udptl.c.
  - CVE-2011-1147
* SECURITY UPDATE: denial of service via manager session with invalid
  data
  - debian/patches/AST-2011-003-1.6.2.diff: check for errors in
    main/manager.c.
  - CVE-2011-1174
* SECURITY UPDATE: denial of service via many short TLS sessions
  - debian/patches/AST-2011-004-1.6.2.diff: gracefully handle failures
    in main/tcptls.c.
  - CVE-2011-1175
* SECURITY UPDATE: denial of service via a series of TCP connections
  - debian/patches/AST-2011-005-1.6.2.diff: add timeouts and session
    limits to main/manager.c, configs/manager.conf.sample,
    channels/chan_sip.c, channels/chan_skinny.c, main/http.c,
    configs/{skinny,sip,http}.conf.sample.
  - CVE-2011-1507
* SECURITY UPDATE: remote command execution via incomplete system
  privilege check
  - debian/patches/AST-2011-006-1.6.2.diff: correctly check privileges in
    main/manager.c.
  - CVE-2011-1599
* SECURITY UPDATE: denial of service via crafted packet and SIP channel
  driver
  - debian/patches/AST-2011-008.diff: set proper length in
    channels/chan_sip.c.
  - CVE-2011-2529
* SECURITY UPDATE: denial of service and possible code execution via
  IAX2 channel driver crafted frame
  - debian/patches/AST-2011-010-1.6.2.diff: validate options in
    channels/chan_iax2.c, main/features.c.
  - CVE-2011-2535
* SECURITY UPDATE: account name enumeration
  - debian/patches/AST-2011-011-1.6.2.diff: adjust responses in
    channels/chan_sip.c.
  - CVE-2011-2536

Author: Dave Walker
Revision Date: 2011-01-20 21:19:46 UTC

* SECURITY UPDATE: Stack buffer overflow in SIP channel driver. (LP: #705014)
  - debian/patches/AST-2011-001-1.6.2: The size of the output buffer passed
    to the ast_uri_encode function is now properly respected in main/utils.c.
    Patch courtesy of upstream.
  - CVE-2011-0495

Author: Dave Walker
Revision Date: 2011-01-20 23:37:31 UTC

* SECURITY UPDATE: Stack buffer overflow in SIP channel driver. (LP: #705014)
  - debian/patches/AST-2011-001-1.6.2: The size of the output buffer passed
    to the ast_uri_encode function is now properly respected in main/utils.c.
    Patch courtesy of upstream.
  - CVE-2011-0495

Author: Dave Walker
Revision Date: 2011-01-20 23:33:45 UTC

* SECURITY UPDATE: Stack buffer overflow in SIP channel driver. (LP: #705014)
  - debian/patches/AST-2011-001-1.6.2: The size of the output buffer passed
    to the ast_uri_encode function is now properly respected in main/utils.c.
    Patch courtesy of upstream.
  - CVE-2011-0495

Author: Dave Walker
Revision Date: 2011-01-20 21:20:56 UTC

* SECURITY UPDATE: Stack buffer overflow in SIP channel driver. (LP: #705014)
  - debian/patches/AST-2011-001-1.6.2: The size of the output buffer passed
    to the ast_uri_encode function is now properly respected in main/utils.c.
    Patch courtesy of upstream.
  - CVE-2011-0495

Author: Lionel Porcheron
Revision Date: 2010-12-06 16:56:12 UTC

debian/patches/unattended_fix: Fix attended transfer call in 1.2.6.5
Patch based on Asterisk project's upstream patch (between 1.2.6.5 and
1.2.6.6 where issue is declared to be fixed see issue 16816 on Asterisk
bug tracker). (LP: #686625)

Author: Dave Walker
Revision Date: 2010-07-16 10:15:05 UTC

Added .pc quilt meta files for completness

Author: Lorenzo De Liso
Revision Date: 2010-06-23 19:37:50 UTC

* Merge from debian unstable (LP: #597792), remaining changes:
  - debian/control:
    + Build-depend on hardening-wrapper
    + Change Maintainer
    + Removed Uploaders field.
    + Removed Debian Vcs-Svn entry and replaced with ubuntu-voip Vcs-Bzr,
      to reflect divergence in packages.
  - debian/rules: Make use of hardening-wrapper
  - debian/asterisk.init: chown /dev/dahdi
  - debian/backports/hardy: add file
  - debian/backports/asterisk.init.hardy: add file

Author: Jean-Michel Dault
Revision Date: 2010-04-13 16:27:27 UTC

* New upstream bugfix release (1.6.2.5)
 * Security Fixes:
  - AST-2010-003: Invalid parsing of ACL rules can compromise security
  - AST-2010-002: Dialplan injection vulnerability

* Remaining Ubuntu-specific changes:
  - debian/control: Build-depend on hardening-wrapper
  - debian/rules: Make use of hardening-wrapper
  - debian/control: Change Maintainer
  - debian/control: Removed Uploaders field.
  - debian/control: Removed Debian Vcs-Svn entry and replaced with
      ubuntu-voip Vcs-Bzr, to reflect divergence in packages.
  - debian/asterisk.init : chown /dev/dahdi
  - debian/backports/hardy : add file
  - debian/backports/asterisk.init.hardy : add file

Author: Steve Beattie
Revision Date: 2010-03-02 19:08:36 UTC

debian/{control,rules}: re-enable hardened options to gain PIE build
(Debian bug 542741, LP: #527538)

Author: Roberto D'Auria
Revision Date: 2009-12-29 22:42:00 UTC

debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
heavy traffic on iax2 channel, editing channels/chan_iax2.c.
Based on upstream patch. (LP: #501116)

Author: Roberto D'Auria
Revision Date: 2009-12-29 22:42:00 UTC

debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
heavy traffic on iax2 channel, editing channels/chan_iax2.c.
Based on upstream patch. (LP: #501116)

Author: Dave Walker
Revision Date: 2009-12-07 12:23:36 UTC

* SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
  - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
    check ACL for handling SIP INVITEs. This blocks calls on networks
    intended to be prohibited, by configuration. Based on upstream patch.
  - AST-2009-007
  - CVE-2009-3723
* SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
  - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
    to stop a specially crafted series of requests returning valid usernames.
    Based on upstream patch.
  - AST-2009-008
  - CVE-2009-3727
* SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
  - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
    comfort noise payload containing 24 bytes or greater is recieved.
  - AST-2009-010
  - CVE-2009-4055

Author: Brian Thomason
Revision Date: 2009-10-06 15:49:28 UTC

* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001

Author: Brian Thomason
Revision Date: 2009-10-06 15:49:28 UTC

* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001

Author: Brian Thomason
Revision Date: 2009-10-07 14:31:11 UTC

* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001

Author: Brian Thomason
Revision Date: 2009-10-07 14:31:11 UTC

* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001

Author: Brian Thomason
Revision Date: 2009-03-16 17:52:11 UTC

* SECURITY UPDATE: ACK response spoofing
  - added debian/patches/CVE-2008-1897: Adjust chan_iax2.c to use a special
    id to prevent ACK response spoofing. Based on upstream patch.
  - CVE-2008-1897
  - AST-2008-006
* SECURITY UPDATE: POKE request flooding
  - added debian/patches/CVE-2008-3263: Adjust chan_iax2.c to prevent
    'POKE' request flooding. Based on upstream patch.
  - CVE-2008-3263
  - AST-2008-010
* SECURITY UPDATE: firmware packet flooding
  - added debian/patches/CVE-2008-3264: Adjust chan_iax2.c to prevent
    firmware packet flooding. Based on upstream patch.
  - CVE-2008-3264
  - AST-2008-011
* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001
* SECURITY UPDATE: SIP responses expose valid usernames
  - added debian/patches/CVE-2008-3903: Adjust chan_sip.c to make
    it more difficult to scan for available usernames.
  - CVE-2008-3903
  - AST-2009-003
* SECURITY UPDATE: An attacker could hijack a manager session
  - added debian/patches/CVE-2008-1390: Adjust manager.c to
    never assign an invalid id of 0
  - CVE-2008-1390
  - AST-2008-005

Author: Dave Walker
Revision Date: 2009-09-22 16:22:14 UTC

* New upstream version, upstream is now DFSG compliant.
  - ilibc has been removed upstream.
  - Music on Hold is now cc-by-sa.
  - binary firmware iaxy.bin has been removed upstream.
* debian/rules: Santitised UPSTREAM variable for compatiability
  with Ubuntu and other variants.
* debian/control: Removed Debian Vcs-Svn entry and replaced
  with ubuntu-voip Vcs-Bzr, to reflect divergence in packages.
* patches/makefile_appdocs_dtd: Removed, merged upstream.
* patches/disable_moh: Previosly disabled, removed from pool.
* patches/ubuntu-banner: Ported debian-banner to display Ubuntu
  centric bug report information.
* Refresh quilt patches

Author: François Marier
Revision Date: 2009-03-29 17:45:27 UTC

Fix for IAX2 encrypted channels dropping out due to normal packet loss
(LP: #350732)

Author: Thierry Carrez
Revision Date: 2008-09-29 14:21:59 UTC

* debian/asterisk.init: Fix status action so that it returns the
  LSB-compliant return codes (LP: #248947)
* debian/control: added lsb-base dependency for using status_of_proc

Author: Brian Thomason
Revision Date: 2009-03-16 17:52:11 UTC

* SECURITY UPDATE: ACK response spoofing
  - added debian/patches/CVE-2008-1897: Adjust chan_iax2.c to use a special
    id to prevent ACK response spoofing. Based on upstream patch.
  - CVE-2008-1897
  - AST-2008-006
* SECURITY UPDATE: POKE request flooding
  - added debian/patches/CVE-2008-3263: Adjust chan_iax2.c to prevent
    'POKE' request flooding. Based on upstream patch.
  - CVE-2008-3263
  - AST-2008-010
* SECURITY UPDATE: firmware packet flooding
  - added debian/patches/CVE-2008-3264: Adjust chan_iax2.c to prevent
    firmware packet flooding. Based on upstream patch.
  - CVE-2008-3264
  - AST-2008-011
* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001
* SECURITY UPDATE: SIP responses expose valid usernames
  - added debian/patches/CVE-2008-3903: Adjust chan_sip.c to make
    it more difficult to scan for available usernames.
  - CVE-2008-3903
  - AST-2009-003
* SECURITY UPDATE: An attacker could hijack a manager session
  - added debian/patches/CVE-2008-1390: Adjust manager.c to
    never assign an invalid id of 0
  - CVE-2008-1390
  - AST-2008-005

Author: William Grant
Revision Date: 2008-04-05 11:32:12 UTC

* SECURITY UPDATE: arbitrary code execution and authentication bypass.
  (LP: #210124)
  - debian/patches/CVE-2008-1289: Check that incoming RTP payloads are
    within buffer limits. Patch from Debian.
  - debian/patches/CVE-2008-1332: Ensure that allowguest has been enabled
    before deciding that authentication isn't required. Patch from Debian.
  - debian/patches/CVE-2008-1333: Interpret logging output as a character
    string, not a format string. Patch from Debian.
  - References:
    + CVE-2008-1289
    + CVE-2008-1332
    + CVE-2008-1333
    + AST-2008-002
    + AST-2008-003
    + AST-2008-004
* Modify Maintainer value to match the DebianMaintainerField
  specification.

Author: Faidon Liambotis
Revision Date: 2007-08-22 20:55:12 UTC

[ Tzafrir Cohen ]
* Remove libgtk2.0-dev from Build-Depends since the GTK+ console was not
  getting built anyway.

[ Kilian Krause ]
* Add dpkg-dev (>= 1.13.19) to Build-Depends for binary:Version and
  source:Version.

[ Faidon Liambotis ]
* New upstream release. (Closes: #439062)
  - AST-2007-020 Resource Exhaustion vulnerability in SIP channel driver
* Switch to quilt as a patch management system instead of dpatch.
* Add bristuff 0.4.0-test4
  - Split into smaller, individual patches (bristuff/).
  - Mention HFC-S/HFC-4S support in the Description.
  - Use libpri-bristuffed.so.1 and its respective header
    (use-libpri-bristuffed).
  - Ship xagi-test.c as an example.
  - Add a news item to NEWS.Debian stating bristuff's inclusion.
* Major overhaul of the postinst scripts, completely replacing asterisk_fix.
  - Create Asterisk's directories on asterisk.dirs to track them using dpkg.
  - Add asterisk.postinst which calls adduser, chown, chmod. Improve error
    handling.
  - Don't do unnecessary stuff on asterisk-config postinst.
    (Closes: #431506)
  - chmod /etc/asterisk on build-time to allow the user to modify the
    permissions; this required a lintian override.
  - Honor dpkg-statoverride on all the chowned/chmoded directories and
    configuration files under /etc/asterisk.
  - Handle asterisk-config -> asterisk installation order properly
    (Closes: #408708)
  - Don't add asterisk user to audio and dialout groups if existed before.
    This allows the administrator to remove the membership.
  - Don't depend on adduser from asterisk-config.
* Remove Suggests to gnomemeeting (it's a dummy package nowdays),
  asterisk-rate-engine and add one for twinkle.
* Remove Conflicts for an old version of asterisk-oh323 which was only
  present until sarge.
* Remove versioned dependencies on ancient (pre-sarge) versions of sed and
  adduser.
* Patch channels/h323/ast_h323.cxx to add some missing PTRACING #ifdef
  (h323-add-missing-ptrace-guard).
* h323-workaround-openh323-segfault patch: workaround a libopenh323 bug
  (#438815) which causes Asterisk to segfault on startup. (Closes: #435146)
* Remove -XCVS from dh_installexamples arguments. Upstream doesn't use CVS
  anymore.
* Add a README.Debian for asterisk-h323 that explains the differences
  between the different H.323 channel drivers, taken from the asterisk-oh323
  package.
* Clarify asterisk-h323's description and mention the other channel drivers.
* Suggest asterisk-h323 from asterisk.

Author: magilus
Revision Date: 2007-04-28 14:34:02 UTC

* SECURITY UPDATE: Fix ASA-2007-011 and ASA-2007-012
* Add ASA-2007-011+012.dpatch: upstream fixes.
* References:
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html
  CVE-2007-2294 CVE-2007-2297

Author: magilus
Revision Date: 2007-04-28 14:34:02 UTC

* SECURITY UPDATE: Fix ASA-2007-011 and ASA-2007-012
* Add ASA-2007-011+012.dpatch: upstream fixes.
* References:
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html
  CVE-2007-2294 CVE-2007-2297

Author: magilus
Revision Date: 2007-03-22 22:27:15 UTC

* SECURITY UPDATE: Fix SIP DoS vulnerability
* References:
  https://launchpad.net/ubuntu/+source/asterisk/+bug/94792
  http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579
  http://www.asterisk.org/node/48339
  CVE-2007-1561

Author: magilus
Revision Date: 2007-04-28 14:46:52 UTC

* SECURITY UPDATE: Fix ASA-2007-011 and ASA-2007-012
* Add ASA-2007-011+012.dpatch: upstream fixes.
* References:
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html
  CVE-2007-2294 CVE-2007-2297

Author: magilus
Revision Date: 2007-04-28 14:46:52 UTC

* SECURITY UPDATE: Fix ASA-2007-011 and ASA-2007-012
* Add ASA-2007-011+012.dpatch: upstream fixes.
* References:
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html
  http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html
  CVE-2007-2294 CVE-2007-2297

Author: Soren Hansen
Revision Date: 2006-09-28 18:15:25 UTC

* Merge from Debian sid.
* debian/asterisk.init:
  - create /var/run/ directory if necessary and set proper permissions
* Remove dependency on linux/compiler.h

Author: Kees Cook
Revision Date: 2007-03-24 15:11:14 UTC

* SECURITY UPDATE: Fix SIP DoS vulnerability
* References:
  https://launchpad.net/ubuntu/+source/asterisk/+bug/94792
  http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579
  http://www.asterisk.org/node/48339
  CVE-2007-1561

Author: Kees Cook
Revision Date: 2007-03-24 15:11:14 UTC

* SECURITY UPDATE: Fix SIP DoS vulnerability
* References:
  https://launchpad.net/ubuntu/+source/asterisk/+bug/94792
  http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579
  http://www.asterisk.org/node/48339
  CVE-2007-1561

Author: Chuck Short
Revision Date: 2006-05-25 20:27:00 UTC

* debian/*.init:
  - Change the ownership of the pid file again.
    (Closes: Malone ##45952).

Author: Mark Purcell
Revision Date: 2005-07-01 22:38:24 UTC

* New upstream release
  - Closes: #315578: New version of asterisk and bristuff released
* Remove BRI patch while we work on it, to allow 1.0.9 to unstable

Author: Kilian Krause
Revision Date: 2005-03-09 22:09:05 UTC

fixed location of sounds dir in addmailbox (Closes: #298769)

Author: Mark Purcell
Revision Date: 2004-05-31 21:51:18 UTC

New upstream release