The Asterisk.org development team has released Asterisk versions 1.2.30.3, 1.4.23-rc2, 1.6.0.2, 1.6.1-beta3, as well as Asterisk-Addons versions 1.6.0.1 and 1.6.1-rc2. These releases are available for immediate download from http://downloads.digium.com/.

This update for Asterisk includes a fix for a regression introduced in Asterisk 1.2.30 and Asterisk 1.4.21.2 and has existed in the Asterisk 1.6 branch since release. All releases with the exception of Asterisk 1.2.30.3 also contain a vast assortment of bugfixes in these releases.

For a full list of changes, see the ChangeLogs:

http://svn.digium.com/view/asterisk/tags/1.2.30.3/ChangeLog?view=markup
http://svn.digium.com/view/asterisk/tags/1.4.23-rc2/ChangeLog?view=markup
http://svn.digium.com/view/asterisk/tags/1.6.0.2/ChangeLog?view=markup
http://svn.digium.com/view/asterisk/tags/1.6.1-beta3/ChangeLog?view=markup
http://svn.digium.com/view/asterisk-addons/tags/1.6.0.1/ChangeLog?view=markup
http://svn.digium.com/view/asterisk-addons/tags/1.6.1-rc2/ChangeLog?view=markup

Thank you for your continued support of Asterisk!
Here's the changelog:

2008-12-01 Tilghman Lesher <tlesher@digium.com>

  * Asterisk 1.2.30.3 released

2008-11-25 21:37 +0000 [r159245] Tilghman Lesher <tlesher@digium.com>

  * channels/chan_iax2.c: Regression fix for last security fix. Set the iseqno correctly.
    (closes issue #13918)
    Reported by: ffloimair
    Patches: 20081119__bug13918.diff.txt uploaded by Corydon76 (license 14)
    Tested by: ffloimair

2008-08-09 Tilghman Lesher <tlesher@digium.com>

  * Asterisk 1.2.30.2 released

2008-08-09 15:24 +0000 [r136945] Tilghman Lesher <tlesher@digium.com>

  * include/asterisk/compat.h, include/asterisk/astobj2.h: Regression fixes for Solaris

2008-07-25 15:00 +0000 [r133577] Russell Bryant <russell@digium.com>

  * LICENSE: Fix the IAX2 URI for calling Digium

2008-07-23 Tilghman Lesher <tlesher@digium.com>

  * Asterisk 1.2.30.1 released

2008-07-24 03:46 +0000 [r133360] Tilghman Lesher <tlesher@digium.com>

  * channels/chan_iax2.c: This part was not correctly patched for AST-2008-010.

2008-07-22 Russell Bryant <russell@digium.com>

  * Asterisk 1.2.30 released

2008-07-22 21:14 +0000 [r132711] Tilghman Lesher <tlesher@digium.com>

  * configs/iax.conf.sample, channels/chan_iax2.c: Fixes for AST-2008-010 and AST-2008-011

2008-06-03 Russell Bryant <russell@digium.com>

  * Asterisk 1.2.29 released

2008-06-03 19:30 +0000 [r120109] Joshua Colp <jcolp@digium.com>

  * channels/chan_sip.c: Copy the From header into a variable so that pedantic SIP handling does not try to mess with a NULL pointer. (AST-2008-008)
    (closes issue #12607)
    Reported by: hooi

2008-05-30 12:49 +0000 [r119008-119237] Russell Bryant <russell@digium.com>

  * channels/chan_iax2.c:
    - Instead of only enforcing destination call number checking on an ACK, check all full frames except for PING and LAGRQ, which may be sent by older versions too quickly to contain the destination call number.
      (As suggested by Tim Panton on the asterisk-dev list)
    - Merge changes from team/russell/iax2-frame-race, which prevents PING and LAGRQ from being sent before the destination call number is known.

  * channels/chan_iax2.c: Merge changes from team/russell/iax2-another-fix-to-the-fix

    As described in the following post to the asterisk-dev mailing list, only enforce destination call numbers when processing an ACK.
    http://lists.digium.com/pipermail/asterisk-dev/2008-May/033217.html

2008-05-21 Russell Bryant <russell@digium.com>

  * Asterisk 1.2.28.1 released

2008-05-08 19:14 +0000 [r115564] Russell Bryant <russell@digium.com>

  * channels/chan_iax2.c: Fix a race condition that bbryant just found while doing some IAX2 testing. He was running Asterisk trunk running IAX2 calls through a few Asterisk boxes, however, the audio was extremely choppy.

    We looked at a packet trace and saw a storm of INVAL and VNAK frames being sent from one box to another. It turned out that what had happened was that one box tried to send a CONTROL frame before the 3 way handshake had completed. So, that frame did not include the destination call number, because it didn't have it yet. Part of our recent work for security issues included an additional check to ensure that frames that are supposed to include the destination call number have the correct one. This caused the frame to be rejected with an INVAL. The frame would get retransmitted for forever, rejected every time ...

    This race condition exists in all versions that got the security changes, in theory. However, it is really only likely that this would cause a problem in Asterisk trunk. There was a control frame being sent (SRCUPDATE) at the _very_ beginning of the call, which does not exist in 1.2 or 1.4. However, I am fixing all versions that could potentially be affected by the introduced race condition.

    These changes are what bbryant and I came up with to fix the issue.
    Instead of simply dropping control frames that get sent before the handshake is complete, the code attempts to wait a little while, since in most cases, the handshake will complete very quickly. If it doesn't complete after yielding for a little while, then the frame gets dropped.

2008-05-07 16:22 +0000 [r115511] Russell Bryant <russell@digium.com>

  * include/asterisk/dlinkedlists.h (removed), channels/chan_iax2.c: Remove remnants of dlinkedlists. I didn't actually use them in the final version of my IAX2 improvements.

2008-05-06 19:54 +0000 [r115421] Jason Parker <jparker@digium.com>

  * contrib/scripts/get_ilbc_source.sh: read requires an argument on some non-bash shells
    (closes issue #12593)
    Reported by: bkruse
    Patches: getilbc.sh_12593_v1.diff uploaded by bkruse (license 132)

2008-05-05 17:53 +0000 [r115296] Russell Bryant <russell@digium.com>

  * Makefile, include/asterisk/astobj2.h (added), astobj2.c (added), include/asterisk/dlinkedlists.h (added), channels/chan_iax2.c: Merge changes from team/russell/iax2_find_callno_1.2

    These changes address a critical performance issue introduced in the latest release. The fix for the latest security issue included a change that made Asterisk randomly choose call numbers to make them more difficult to guess by attackers. However, due to some inefficient (this is by far, an understatement) code, when Asterisk chose high call numbers, chan_iax2 became unusable after just a small number of calls.

    On a small embedded platform, it would not be able to handle a single call. On my Intel Core 2 Duo @ 2.33 GHz, I couldn't run more than about 16 IAX2 channels. Ouch.

    These changes address some performance issues of the find_callno() function that have bothered me for a very long time. On every incoming media frame, it iterated through every possible call number trying to find a matching active call. This involved a mutex lock and unlock for each call number checked.
    So, if the random call number chosen was 20000, then every media frame would cause 20000 locks and unlocks. Previously, this problem was not as obvious since Asterisk always chose the lowest call number it could.

    A second container for IAX2 pvt structs has been added. It is an astobj2 hash table. When we know the remote side's call number, the pvt goes into the hash table with a hash value of the remote side's call number. Then, lookups for incoming media frames are a very fast hash lookup instead of an absolutely insane array traversal.

    In a quick test, I was able to get more than 3600% more IAX2 channels on my machine with these changes.

2008-04-29 12:52 +0000 [r114822] Kevin P. Fleming <kpfleming@digium.com>

  * contrib/scripts/get_ilbc_source.sh: stop script from appending source code if run multiple times

2008-04-22 Russell Bryant <russell@digium.com>

  * Asterisk 1.2.28 released

2008-04-22 22:20 +0000 [r114561] Russell Bryant <russell@digium.com>

  * channels/chan_iax2.c: When we receive a full frame that is supposed to contain our call number, ensure that it has the correct one.
    (closes issue #10078) (AST-2008-006)

2008-03-26 19:49 +0000 [r110869-111125] Kevin P. Fleming <kpfleming@digium.com>

  * UPGRADE.txt: update UPGRADE notes to document usage of the script

  * contrib/scripts/get_ilbc_source.sh (added), codecs/ilbc: add a script to make getting the iLBC source code simple for end users

  * codecs/ilbc/StateConstructW.h (removed), codecs/ilbc/packing.h (removed), codecs/ilbc/getCBvec.c (removed), codecs/ilbc/LPCdecode.c (removed), codecs/ilbc/enhancer.c (removed), codecs/ilbc/lsf.c (removed), codecs/ilbc/iLBC_encode.c (removed), codecs/ilbc/getCBvec.h (removed), codecs/ilbc/LPCdecode.h (removed), codecs/ilbc/enhancer.h (removed), codecs/ilbc/FrameClassify.c (removed), codecs/ilbc/iLBC_define.h (removed), codecs/ilbc/lsf.h (removed), codecs/ilbc/iLBC_encode.h (removed), codecs/ilbc/FrameClassify.h (removed), codecs/ilbc/helpfun.c (removed), codecs/ilbc/doCPLC.c (removed), codecs/ilbc/anaFilter.c (removed), codecs/ilbc/helpfun.h (removed), codecs/ilbc/createCB.c (removed), codecs/ilbc/doCPLC.h (removed), codecs/ilbc/anaFilter.h (removed), UPGRADE.txt, codecs/ilbc/iLBC_decode.c (removed), codecs/ilbc/constants.c (removed), codecs/ilbc/createCB.h (removed), codecs/ilbc/iLBC_decode.h (removed), codecs/ilbc/constants.h (removed), codecs/ilbc/iCBSearch.c (removed), codecs/ilbc/filter.c (removed), codecs/ilbc/gainquant.c (removed), codecs/ilbc/hpInput.c (removed), codecs/ilbc/hpOutput.c (removed), codecs/ilbc/iCBSearch.h (removed), codecs/ilbc/filter.h (removed), codecs/ilbc/hpInput.h (removed), codecs/ilbc/gainquant.h (removed), codecs/ilbc/LPCencode.c (removed), codecs/ilbc/hpOutput.h (removed), codecs/ilbc/StateSearchW.c (removed), codecs/ilbc/LPCencode.h (removed), codecs/ilbc/StateSearchW.h (removed), codecs/ilbc/iCBConstruct.c (removed), codecs/ilbc/syntFilter.c (removed), codecs/ilbc/iCBConstruct.h (removed), codecs/ilbc/syntFilter.h (removed), codecs/ilbc/StateConstructW.c (removed), codecs/ilbc/packing.c (removed): due to licensing restrictions, we cannot distribute the source code for iLBC encoding and decoding... so remove it, and add instructions on how the user can obtain it themselves

2008-03-20 21:53 +0000 [r110335] Russell Bryant <russell@digium.com>

  * channels/chan_sip.c, channels/chan_iax2.c: Fix some very broken code that was introduced in 1.2.26 as a part of the security fix. The dnsmgr is not appropriate here. The dnsmgr takes a pointer to an address structure that a background thread continuously updates. However, in these cases, a stack variable was passed. That means that the dnsmgr thread would be continuously writing to bogus memory.

Looking forward to a bump on this in-tree (though long deprecated) branch of Asterisk. Thanks!
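The destination call number check that the chan_iax2 changelog entries above describe (AST-2008-006, the PING/LAGRQ exemption, and the early CONTROL frame that was rejected), as an added example that is not Asterisk's code or part of the original report. The 12-byte full-frame layout and constants follow the IAX2 specification (RFC 5456); `check_full_frame`, `check_sample` and the sample call numbers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire constants from the IAX2 specification (RFC 5456). */
#define FULL_HDR_LEN 12
#define FLAG_FULL    0x8000u  /* F bit: set on full frames */
#define CALLNO_MASK  0x7fffu  /* call numbers are 15 bits */
#define TYPE_CONTROL 0x04
#define TYPE_IAX     0x06
#define IAX_PING     0x02
#define IAX_ACK      0x04
#define IAX_LAGRQ    0x0b

enum verdict { FRAME_OK, FRAME_SHORT, FRAME_NOT_FULL, FRAME_WRONG_CALLNO };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: may this full frame be matched to the call whose local number is our_callno? */
enum verdict check_full_frame(const uint8_t *buf, size_t len, uint16_t our_callno)
{
    if (len < FULL_HDR_LEN)
        return FRAME_SHORT;
    if (!(be16(buf) & FLAG_FULL))
        return FRAME_NOT_FULL;  /* mini frames carry no destination call number */
    /* Exemption named in the changelog. Compare the raw subclass byte so a
     * value with the C bit set is never mistaken for PING or LAGRQ. */
    if (buf[10] == TYPE_IAX && (buf[11] == IAX_PING || buf[11] == IAX_LAGRQ))
        return FRAME_OK;
    return (be16(buf + 2) & CALLNO_MASK) == our_callno ? FRAME_OK : FRAME_WRONG_CALLNO;
}

/* Build a constructed header (timestamp and sequence numbers zero) and check it. */
enum verdict check_sample(uint16_t scallno, uint16_t dcallno, uint8_t type,
                          uint8_t subclass, uint16_t our_callno)
{
    uint8_t f[FULL_HDR_LEN] = {0};
    f[0] = (uint8_t)(0x80 | (scallno >> 8)); f[1] = (uint8_t)scallno;
    f[2] = (uint8_t)((dcallno >> 8) & 0x7f); f[3] = (uint8_t)dcallno;
    f[10] = type; f[11] = subclass;
    return check_full_frame(f, sizeof f, our_callno);
}

int main(void)
{
    /* Constructed samples: our call number is 20000, the peer's is 7. */
    printf("ACK ok=%d, ACK wrong callno=%d, early CONTROL=%d\n",
           check_sample(7, 20000, TYPE_IAX, IAX_ACK, 20000),
           check_sample(7, 1234, TYPE_IAX, IAX_ACK, 20000),
           check_sample(7, 0, TYPE_CONTROL, 0x03, 20000));
    return 0;
}
```

The last sample is the race from the r115564 entry: a CONTROL frame sent before the handshake completes carries destination call number 0 and is rejected.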
Should bump to 1.2.30.4 because of bug 250748. Changelog for 1.2.30.4:

2008-12-10 Tilghman Lesher <tlesher@digium.com>

  * Asterisk 1.2.30.4 released

2008-12-10 21:06 +0000 [r162868] Tilghman Lesher <tlesher@digium.com>

  * channels/chan_iax2.c: Fix for AST-2008-012

2008-12-05 20:50 +0000 [r161421] Sean Bright <sean.bright@gmail.com>

  * include/asterisk/astobj2.h, astobj2.c: Fix build errors on FreeBSD (uint -> unsigned int).
    (closes issue #14006)
    Reported by: alphaque
    Patches: astobj2.h-patch uploaded by alphaque (license 259) (Slightly modified by seanbright)
Created attachment 177069: use external dev-libs/ilbc-rfc3951
Created attachment 177070: quick ebuild without any gentoo patches. Need to review all previous patches, so it's disabled for now.
There is now 1.2.31.1 (http://www.asterisk.org/node/48562). Version bump is quite important as it should fix some security bugs.
It seems that support for 1.2.x is over; the source code has been moved to http://downloads.digium.com/pub/asterisk/old-releases/ I would vote for marking this bug obsolete, hardmasking current "stable" 1.2.x ebuild in the portage and moving on to the next version(s). P.S. Just rename my ebuild and fix src path if you still want to use 1.2.
In response to Comment 6, I agree in principle - it is abundantly clear that the newer versions of asterisk need to make it out of the overlay ghetto and that 1.2 is due for retirement and a well-earned pension. However, I personally don't think that 1.2 should be removed until:
1) All asterisk-related components of the voip overlay are rendered current
2) The ebuilds are reviewed, fully tested, subjected to QA procedures and committed to the portage tree
As this is presumably not going to happen overnight, I think that it would be in our best interests to have the final 1.2 release committed and the older versions removed. We should assume that some users have it operational in production, in which case we would do well to be supportive of their immediate needs. Not to mention that having security bugs drag out is never a good thing. Although I use 1.4, I will try to allocate some time to test the revised 1.2 ebuild during the week ahead.
chainsaw added net-misc/asterisk-1.2.31.1 to the tree. +*asterisk-1.2.31.1 (11 Mar 2009) + + 11 Mar 2009; <chainsaw@gentoo.org> + +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff, + +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff, + +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild: + Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix + that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in + open call, a comma is not a pipe sign. Used EAPI 2 for USE-based + dependencies instead of calling die. Patch from Mounir Lamouri adding + -lspeexdsp closes bug #206463 filed by John Read.
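Review bot: The entry credits a patch from Mounir Lamouri adding -lspeexdsp for bug #206463, but none of the files listed as added (the bri-fixups, comma-is-not-pipe and svn89254 diffs, plus the ebuild) is identifiably that patch; name the file that carries the change so the bug closure can be traced to it. The same applies to the 1.4 build fix for Digium bug #11238, which the entry mentions without saying which of the three diffs contains it.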