[asterisk-commits] bebuild: tag certified-1.8.28-cert3 r428436 - in /certified/tags/1.8.28-cert3...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Nov 20 10:52:20 CST 2014
Author: bebuild
Date: Thu Nov 20 10:52:16 2014
New Revision: 428436
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428436
Log:
Merge r428430 for AST-2014-012, r428393 for AST-2014-018
Modified:
certified/tags/1.8.28-cert3/ (props changed)
certified/tags/1.8.28-cert3/ChangeLog
certified/tags/1.8.28-cert3/funcs/func_db.c
certified/tags/1.8.28-cert3/main/acl.c
Propchange: certified/tags/1.8.28-cert3/
------------------------------------------------------------------------------
--- branch-1.8-merged (original)
+++ branch-1.8-merged Thu Nov 20 10:52:16 2014
@@ -1,1 +1,1 @@
-/branches/1.8:1-415260,415841,416066,419630,420434,425985
+/branches/1.8:1-415260,415841,416066,419630,420434,425985,428331
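Review bot: The `+` line records 428331 from /branches/1.8, but the log message names only r428430 and r428393. State in the log which advisory fix 428331 corresponds to, so the merge tracking on the tag can be audited against the two security fixes without cross-referencing the 1.8 branch history.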
Propchange: certified/tags/1.8.28-cert3/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov 20 10:52:16 2014
@@ -1,3 +1,3 @@
/certified/branches/1.8.15:370667,418367
-/certified/branches/1.8.28:426052
+/certified/branches/1.8.28:426052,428393,428430
/trunk:394552,394567
Modified: certified/tags/1.8.28-cert3/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert3/ChangeLog?view=diff&rev=428436&r1=428435&r2=428436
==============================================================================
--- certified/tags/1.8.28-cert3/ChangeLog (original)
+++ certified/tags/1.8.28-cert3/ChangeLog Thu Nov 20 10:52:16 2014
@@ -1,3 +1,29 @@
+2014-11-20 Asterisk Development Team <asteriskteam at digium.com>
+
+ * Certified Asterisk 1.8.28-cert3 Released.
+
+ * AST-2014-012: Fix error with mixed address family ACLs.
+
+ Prior to this commit, the address family of the first item in an ACL
+ was used to compare all incoming traffic. This could lead to traffic
+ of other IP address families bypassing ACLs.
+
+ ASTERISK-24469 #close
+ Reported by Matt Jordan
+
+ * AST-2014-018 - func_db: DB Dialplan function permission escalation
+ via AMI.
+
+ The DB dialplan function when executed from an external protocol
+ (for instance AMI), could result in a privilege escalation.
+
+ Asterisk now inhibits the DB function from being executed from an
+ external interface if the live_dangerously option is set to no.
+
+ ASTERISK-24534
+ Reported by: Gareth Palmer
+ patches: submitted by Gareth Palmer (license 5169)
+
2014-10-20 Asterisk Development Team <asteriskteam at digium.com>
* Certified Asterisk 1.8.28-cert2 Released.
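Review bot: The AST-2014-018 entry says the DB function is inhibited "if the live_dangerously option is set to no" but does not say where that option is configured or what its default is, so an administrator reading the ChangeLog cannot tell whether an upgraded system is protected without further action. Add that detail to the entry. The two new entries are also formatted inconsistently: "AST-2014-012:" versus "AST-2014-018 -", "Reported by" versus "Reported by:", and ASTERISK-24469 carries "#close" while ASTERISK-24534 does not. If the second issue is meant to be closed by this release, add the marker.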
Modified: certified/tags/1.8.28-cert3/funcs/func_db.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert3/funcs/func_db.c?view=diff&rev=428436&r1=428435&r2=428436
==============================================================================
--- certified/tags/1.8.28-cert3/funcs/func_db.c (original)
+++ certified/tags/1.8.28-cert3/funcs/func_db.c Thu Nov 20 10:52:16 2014
@@ -282,7 +282,7 @@
{
int res = 0;
- res |= ast_custom_function_register(&db_function);
+ res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
res |= ast_custom_function_register(&db_exists_function);
res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
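Review bot: In the context line directly below the change, `db_exists_function` is still registered with plain `ast_custom_function_register`, while DB becomes `AST_CFE_BOTH` and DB_DELETE is `AST_CFE_READ`. Confirm that leaving DB_EXISTS callable from external interfaces is intentional, and add a short comment above the registrations stating why each function gets the escalation class it has, since the reasoning is not recoverable from the code. Registration results are OR-ed into `res`, so a failure of the new escalating registration is reported no differently from any other. That is acceptable, but a test that invokes DB from an external interface with live_dangerously disabled would show the restriction actually takes effect.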
Modified: certified/tags/1.8.28-cert3/main/acl.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert3/main/acl.c?view=diff&rev=428436&r1=428435&r2=428436
==============================================================================
--- certified/tags/1.8.28-cert3/main/acl.c (original)
+++ certified/tags/1.8.28-cert3/main/acl.c Thu Nov 20 10:52:16 2014
@@ -533,7 +533,7 @@
ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
#endif
- if (ast_sockaddr_is_ipv4(&ha->addr)) {
+ if (ast_sockaddr_is_ipv4(¤t_ha->addr)) {
if (ast_sockaddr_is_ipv6(addr)) {
if (ast_sockaddr_is_ipv4_mapped(addr)) {
/* IPv4 ACLs apply to IPv4-mapped addresses */
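Review bot: The debug block in the context just above the fix still formats `ha->netaddr`, so it keeps reading from `ha` while the family check on the `+` line now uses the entry being iterated. With that block enabled, the "Testing ... with ..." message would show the first entry for every comparison, which hides exactly the mixed-family case this change addresses. Update the debug line to use the same per-entry pointer as the check. Since the ChangeLog describes an ACL bypass, a regression test with an ACL that mixes IPv4 and IPv6 entries, checked against addresses of both families, should accompany the fix.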