branches with status:
Name Status Last Modified Last Commit
lp:asterisk 1 Development 2015-04-11 15:27:08 UTC 2015-04-11
26158. clang compiler warnings: Fix various ...

Author: mjordan
Revision Date: 2015-04-11 15:27:08 UTC

clang compiler warnings: Fix various warnings for tests

This patch fixes a variety of clang compiler warnings for unit tests. This
includes tautological comparison issues, ignored return values, and
interestingly enough, one embedded function. Fun!

Review: https://reviewboard.asterisk.org/r/4555

ASTERISK-24917
Reported by: dkdegroot
patches:
  rb4555.patch submitted by dkdegroot (License 6600)
........

Merged revisions 434705 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 434706 from http://svn.asterisk.org/svn/asterisk/branches/13

lp:asterisk/1.8 1 Development 2015-04-08 15:54:38 UTC 2015-04-08
22823. Security/tcptls: MitM Attack potentia...

Author: jrose
Revision Date: 2015-04-08 15:54:38 UTC

Security/tcptls: MitM Attack potential from certificate with NULL byte in CN.

When registering to a SIP server with TLS, Asterisk will accept CA signed
certificates with a common name that was signed for a domain other than the
one requested if it contains a null character in the common name portion of
the cert. This patch fixes that by checking that the common name length
matches the length of the content we actually read from the common name
segment. Some certificate authorities automatically sign CA requests when
the requesting CN isn't already taken, so an attacker could potentially
register a CN with something like www.google.com\x00www.secretlyevil.net
and have their certificate signed and Asterisk would accept that certificate
as though it had been for www.google.com - this is a security fix and is
noted in AST-2015-003.

ASTERISK-24847 #close
Reported by: Maciej Szmigiero
Patches:
 asterisk-null-in-cn.patch submitted by mhej (license 6085)
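The length check the commit above describes, as an added illustration that is not Asterisk's own code: a naive NUL-terminated comparison sees only the prefix of a CN that carries an embedded NUL, while comparing the ASN.1-reported length against strlen() rejects it. The sample CN bytes and the two function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the CN bytes from a certificate of the kind the commit
 * message describes. The certificate parser reports the full length, but C
 * string functions stop at the embedded NUL and see only "www.google.com". */
static const char sample_cn[] = "www.google.com\0www.secretlyevil.net";
static const size_t sample_cn_len = sizeof(sample_cn) - 1; /* excludes terminator */

/* Vulnerable comparison: trusts the NUL-terminated view of the CN, so a CN
 * truncated by an embedded NUL matches the expected host. */
int cn_matches_naive(const char *cn, const char *expected_host)
{
    return strcmp(cn, expected_host) == 0;
}

/* Hardened comparison: the length reported by the certificate layer must
 * equal the length strlen() sees. A mismatch means an embedded NUL
 * truncated the string, and the CN is rejected regardless of its prefix. */
int cn_matches_checked(const char *cn, size_t cn_len, const char *expected_host)
{
    if (strlen(cn) != cn_len) {
        return 0;
    }
    return strlen(expected_host) == cn_len && memcmp(cn, expected_host, cn_len) == 0;
}

int main(void)
{
    printf("naive:   %d\n", cn_matches_naive(sample_cn, "www.google.com"));
    printf("checked: %d\n", cn_matches_checked(sample_cn, sample_cn_len, "www.google.com"));
    return 0;
}
```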

lp:asterisk/10 1 Development 2013-12-16 17:02:01 UTC 2013-12-16
22648. security: Inhibit execution of privil...

Author: dlee
Revision Date: 2013-12-16 17:02:01 UTC

security: Inhibit execution of privilege escalating functions

This patch allows individual dialplan functions to be marked as
'dangerous', to inhibit their execution from external sources.

A 'dangerous' function is one which results in a privilege escalation.
For example, if one were to read the channel variable SHELL(rm -rf /)
Bad Things(TM) could happen; even if the external source has only read
permissions.

Execution from external sources may be enabled by setting
'live_dangerously' to 'yes' in the [options] section of asterisk.conf,
although doing so is not recommended.

(closes issue ASTERISK-22905)
Review: http://reviewboard.digium.internal/r/432/
........

Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8
