[asterisk-commits] r428331 - svn:log
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Nov 20 09:39:15 CST 2014
Author: kharwell
Revision: 428331
Modified property: svn:log
Modified: svn:log at Thu Nov 20 09:39:15 2014
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Thu Nov 20 09:39:15 2014
@@ -1,16 +1,11 @@
-AST-2014-017 - app_confbridge: permission escalation/ class authorization.
+AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI.
-Confbridge dialplan function permission escalation via AMI and inappropriate
-class authorization on the ConfbridgeStartRecord action. The CONFBRIDGE dialplan
-function when executed from an external protocol (for instance AMI), could
-result in a privilege escalation. Also, the AMI action “ConfbridgeStartRecord”
-could also be used to execute arbitrary system commands without first checking
-for system access.
+The DB dialplan function when executed from an external protocol (for instance
+AMI), could result in a privilege escalation.
-Asterisk now inhibits the CONFBRIDGE function from being executed from an
-external interface if the live_dangerously option is set to no. Also, the
-“ConfbridgeStartRecord” AMI action is now only allowed to execute under a
-user with system level access.
+Asterisk now inhibits the DB function from being executed from an external
+interface if the live_dangerously option is set to no.
-ASTERISK-24490
+ASTERISK-24534
Reported by: Gareth Palmer
+patches: submitted by Gareth Palmer (license 5169)
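Review bot: The replacement sentence "Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no" does not say whether reads, writes, or both are blocked, nor where live_dangerously is configured, so an operator reading the log cannot tell what changes for existing AMI users. Suggest naming the affected operations and the configuration location explicitly. The added "patches:" line also credits the submitter without naming a patch file; add the attachment name from ASTERISK-24534 if there is one.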