[Asterisk-bsd] upgrade path for 1.2

Graham Todd gtodd at bellanet.org
Thu Mar 22 10:57:05 MST 2007


Stuart Henderson wrote:
> On 2007/03/21 17:27, Graham Todd wrote:
>> I noticed that the ports version is at 1.2.13, but asterisk-1.2 source
>> is at 1.2.17 - should I just jump to a test port of 1.4 or try to get
>> 1.2.17 building/installing via ports? (patches need realigning it looks
>> like).
> 
> You could just patch the vulns if you don't care about the other fixes
> brought in by 1.2.{14-17}. (that's what OpenBSD has been doing for Asterisk
> versions from older OS releases' ports trees; -current has 1.2.17, 3.9 and
> 4.0 have 1.2.9 with the security fixes from 1.2.13 and 1.2.16 and the fix
> for the new one to follow).

Thanks for that information.

> Really, you want these bugs fixed; exploiting the problem fixed in 1.2.16
> is a one-liner at the shell. The newer one is a little more typing but
> doesn't look highly complicated.

Yes, worrisome.  A lot of Asterisk is "turned off" in our installation
(e.g. we have no public SIP) but inside the firewall security is
important too!

> Here are the two fixes together, this is against 1.2.9 but should apply
> with little trouble to newer code.
> 
> --- channels/chan_sip.c.orig	Thu May 25 18:18:01 2006
> +++ channels/chan_sip.c	Wed Mar 21 15:03:09 2007
... [snip] ...

Thanks a lot for these.

I'm also going to try to spend some time trying to get 1.2.17 to build
as a port.

-- 
Graham Todd - bellanet.org
613.236.6163 #2443


