lp:ubuntu/hardy-updates/asterisk

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-updates/asterisk

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

39. By Brian Thomason

* SECURITY UPDATE: ACK response spoofing
  - added debian/patches/CVE-2008-1897: Adjust chan_iax2.c to use a special
    id to prevent ACK response spoofing. Based on upstream patch.
  - CVE-2008-1897
  - AST-2008-006
* SECURITY UPDATE: POKE request flooding
  - added debian/patches/CVE-2008-3263: Adjust chan_iax2.c to prevent
    'POKE' request flooding. Based on upstream patch.
  - CVE-2008-3263
  - AST-2008-010
* SECURITY UPDATE: firmware packet flooding
  - added debian/patches/CVE-2008-3264: Adjust chan_iax2.c to prevent
    firmware packet flooding. Based on upstream patch.
  - CVE-2008-3264
  - AST-2008-011
* SECURITY UPDATE: information leak in IAX2 authentication
  - added debian/patches/CVE-2009-0041: Adjust chan_iax2.c to fix
    information leak in IAX2 authentication. Based on upstream patch.
  - CVE-2009-0041
  - AST-2009-001
* SECURITY UPDATE: SIP responses expose valid usernames
  - added debian/patches/CVE-2008-3903: Adjust chan_sip.c to make
    it more difficult to scan for available usernames.
  - CVE-2008-3903
  - AST-2009-003
* SECURITY UPDATE: An attacker could hijack a manager session
  - added debian/patches/CVE-2008-1390: Adjust manager.c to
    never assign an invalid id of 0
  - CVE-2008-1390
  - AST-2008-005

38. By William Grant

* SECURITY UPDATE: arbitrary code execution and authentication bypass.
  (LP: #210124)
  - debian/patches/CVE-2008-1289: Check that incoming RTP payloads are
    within buffer limits. Patch from Debian.
  - debian/patches/CVE-2008-1332: Ensure that allowguest has been enabled
    before deciding that authentication isn't required. Patch from Debian.
  - debian/patches/CVE-2008-1333: Interpret logging output as a character
    string, not a format string. Patch from Debian.
  - References:
    + CVE-2008-1289
    + CVE-2008-1332
    + CVE-2008-1333
    + AST-2008-002
    + AST-2008-003
    + AST-2008-004
* Modify Maintainer value to match the DebianMaintainerField
  specification.

37. By Andrea Colangelo

Rebuild for libc-client2006j2 -> libc-client2007 transition (LP: #192415).

36. By Tzafrir Cohen

Allow building vs. libc-client2007 (Closes: #458877).

35. By Faidon Liambotis

* New upstream release (Closes: #452054)
  - Fix a potential corruption of voicemail.conf on simultaneous PIN updates
    (Closes: #353227)

[ Tzafrir Cohen ]
* Add some sample/reference config files as documentation.
* Provide asterisk-bristuff for upgrading from Etch.
* Move libc-client to not be last, so debian/backports/xorcom.etch would
  still work.

[ Faidon Liambotis ]
* Really enable the libcap/ToS functionality; the previous patch didn't
  enable the functionality, even though the code and the libcap.so
  dependency were there. (Closes: #454342)
* Fix a minor issue with init script's stop target when running with
  safe_asterisk.
* Add chan_vpb, adding support for VoiceTronix OpenSwitch and OpenLine
  cards. (Closes: #396499)
* Fix debian/watch by using a pkg-voip wrapper to avoid upstream's silly
  redirections. (Closes: #449706)
* Use DEBVERSION as asterisk's version string.
* Disable the MD5 build sum that breaks all out-of-tree plugins (duh!).
* Create /usr/local/share/asterisk/sounds to put all site-specific
  non-modifiable sounds.
* Add a note about bugs.debian.org to the banner.
* Add noload for res_config_* since loading them results in errors and
  doesn't provide any functionality.
* News entries were added but we never shipped the file; ship NEWS.Debian.
* Add an entry to NEWS.Debian warning users about app_voicemail_*.so
  (Closes: #452596)
* Provide options in /etc/default/asterisk for configuring safe_asterisk.
  (Closes: #381786)

[ Tzafrir Cohen ]
* Provide a custom sounds directory under /var/lib - user-modifiable at
  runtime and hence not under /usr. (Closes: #337209)

34. By Faidon Liambotis

* New upstream release.
  - Implemented Dynamic DUNDi peering support (Closes: #439331)
  - Removed merged patches: bashism-safeasterisk, ast_key_dir,
    h323-add-missing-ptrace-guard, CVE-2007-4521.
  - Adapted patches: make-clean-fixes, h323-no-deps-on-asterisk.
  - Adapted bristuff 0.4.0-test4 to apply to 1.4.12 (bristuff.notice,
    xagi, app-dial-c-callback, app-dial-priority-202)
* When DFSG-ing the tarball, create a fake codecs/ilbc/Makefile so that
  make doesn't fail on clean.
* Pass NOISY_BUILD to make so that the GCC arguments can be examined in
  build logs.
* Remove versioned dependency on dpkg-dev since that particular version is
  present since etch (sarge is not supported as a backport target anymore).
* Backport a patch from trunk so that Asterisk can set the IP ToS bits when
  it is run as a simple user (as we do).
* Re-enable IMAP support and enable ODBC support; this time they are
  provided as app_voicemail_imap.so and _odbc.so so that they don't break
  existing setups.
* Build with -O1 on hppa to workaround gcc-4.2 ICE (#445336).
* Zaptel package added support for Voicetronix OpenPCI cards, mention it on
  asterisk's description.

33. By Faidon Liambotis

[ Tzafrir Cohen ]
* Remove libgtk2.0-dev from Build-Depends since the GTK+ console was not
  getting built anyway.

[ Kilian Krause ]
* Add dpkg-dev (>= 1.13.19) to Build-Depends for binary:Version and
  source:Version.

[ Faidon Liambotis ]
* New upstream release. (Closes: #439062)
  - AST-2007-020 Resource Exhaustion vulnerability in SIP channel driver
* Switch to quilt as a patch management system instead of dpatch.
* Add bristuff 0.4.0-test4
  - Split into smaller, individual patches (bristuff/).
  - Mention HFC-S/HFC-4S support in the Description.
  - Use libpri-bristuffed.so.1 and its respective header
    (use-libpri-bristuffed).
  - Ship xagi-test.c as an example.
  - Add a news item to NEWS.Debian stating bristuff's inclusion.
* Major overhaul of the postinst scripts, completely replacing asterisk_fix.
  - Create Asterisk's directories on asterisk.dirs to track them using dpkg.
  - Add asterisk.postinst which calls adduser, chown, chmod. Improve error
    handling.
  - Don't do unnecessary stuff on asterisk-config postinst.
    (Closes: #431506)
  - chmod /etc/asterisk on build-time to allow the user to modify the
    permissions; this required a lintian override.
  - Honor dpkg-statoverride on all the chowned/chmoded directories and
    configuration files under /etc/asterisk.
  - Handle asterisk-config -> asterisk installation order properly
    (Closes: #408708)
  - Don't add asterisk user to audio and dialout groups if existed before.
    This allows the administrator to remove the membership.
  - Don't depend on adduser from asterisk-config.
* Remove Suggests to gnomemeeting (it's a dummy package nowadays),
  asterisk-rate-engine and add one for twinkle.
* Remove Conflicts for an old version of asterisk-oh323 which was only
  present until sarge.
* Remove versioned dependencies on ancient (pre-sarge) versions of sed and
  adduser.
* Patch channels/h323/ast_h323.cxx to add some missing PTRACING #ifdef
  (h323-add-missing-ptrace-guard).
* h323-workaround-openh323-segfault patch: workaround a libopenh323 bug
  (#438815) which causes Asterisk to segfault on startup. (Closes: #435146)
* Remove -XCVS from dh_installexamples arguments. Upstream doesn't use CVS
  anymore.
* Add a README.Debian for asterisk-h323 that explains the differences
  between the different H.323 channel drivers, taken from the asterisk-oh323
  package.
* Clarify asterisk-h323's description and mention the other channel drivers.
* Suggest asterisk-h323 from asterisk.

32. By Mark Purcell

* New upstream release
  - Fwd: [asterisk-announce] ASA-2007-019: Remote crash vulnerability in
  Skinny channel driver (Closes: #436808)

[ Mark Purcell ]
* debhelper(1) states Build-Depends: debhelper (>= 5)
  - aids backports
* Update debian/backports for etch, edgy, dapper and feisty
  - http://status.buildserver.net/packages/status.php?package=asterisk&subdist=pkg-voip

[ Faidon Liambotis ]
* Refer to /usr/share/common-licenses/GPL-2 instead of GPL. The code is
  -for now- GPLv2-only and in light of GPLv3, pointing to GPL is misleading.
* Add ast_key_dir patch to move keys from /var/lib/asterisk/keys to
  /usr/share/asterisk/keys where they should be.
* Actually ship keys, including Junction Networks' by fixing pubkey_jnctn
  patch.
* Handle space/newline-delimited directories on /etc/asterisk when doing
  chmod on postinst.
* Correct descriptions of packages in debian/control, adapting them to the
  present and correcting some spelling mistakes. (Closes: #428671)
* Add a noload directive for cdr_sqlite.so in the default modules.conf since
  it writes unconditionally to the database file without being rotated,
  resulting in unexpected waste of disk space. (Closes: #301883)
* Delete duplicated creation of /var/run/asterisk in the init script.

31. By Mark Purcell

[ Tzafrir Cohen ]
* New upstream release.
  - ASA-2007-018 - DoS Resource Exhaustion vulnerability in IAX2

[ Faidon Liambotis ]
* Add myself to Uploaders.
* Fix "debian/rules clean" to cleanup correctly the tree by calling "make
  distclean" instead of "make clean". Also, fix some stuff in the upstream
  Makefiles (debian/patches/make-clean-fixes). Fixes a lintian warning.
* Add XS-Vcs-Svn and XS-Vcs-Browser to debian/control.
* Move examples from all packages (debian/examples) to asterisk-config only.
* Add eagi-test.c, eagi-sphinx-test.c, fastagi-test and static-http to
  examples.
* Remove Conflicts/Replaces/Depends to pre-sarge versions, they're useless
  even for backports.

[ Mark Purcell ]
* Include asterisk.init changes from Martin
  - Asterisk does not create /var/run/asterisk directory if not existent
  (Closes: #413541)
* Backout asterisk-h323 Suggests:/ Recommends: asterisk-oh323. The former
  works, the latter does not with asterisk-1.4.x
* Upstream fixes from 1.4.x branch:
  - Multiple security flaws in Asterisk (Closes: #421467)
  - Debug switch wrong in /etc/default/asterisk (Closes: #413544)
  - Upgrading destroys astdb (Closes: #354132)
  - Upgrading destroys astdb (Closes: #354132)
  - asterisk bindaddr in sip and iax config is to fixed ip not
    Interfaces (Closes: #316443)
  - Incorrect callerid syntax in sip.conf causes incorrect error
  (Closes: #323275)
  - dropouts (Closes: #335079)
  - Does not include cdr_sqlite userfield support by default (Closes:
  #344097)
  - Asterisk crashes on sparc when playing 'demo-moreinfo'
  (Closes: #344484)
  - fresh install - crash after dialing IAX test (Closes: #350001)
  - asterisk_fix script fails to set variables for adduser, user
  creation fails (Closes: #383075)
  - Debug switch wrong in /etc/default/asterisk (Closes: #413544)
  - When using L option on Dial, instead of warning asterisk disconnects
  the call (Closes: #419894)
  - Patch for fastagi handling (Closes: #368948)
  - bristuff patch breaks cause codes in Hangup() (Closes: #320350)
* add debian/patches/basim-safeasterisk.dpatch
  - contrib/scripts/safe_asterisk should explicitly link to a cli
  (Closes: #413543)
* Adding a restart when convenient in Asterisk (Closes: #413816)
* asterisk-h323: libpt.so.1.10.2 => not found (Closes: #434076)

30. By Lionel Porcheron

* Merge from Debian unstable. Remaining Ubuntu changes:
  - Modify Maintainer value to match Debian-Maintainer-Field Spec
  - debian/patches/ubuntu_safe_asterisk.dpatch: use /bin/bash instead of
    /bin/sh as specific bash functions are used in safe_asterisk script.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/asterisk