Update for 14.7.7

.version

@@ -1 +1 @@
-14.7.6
+14.7.7

ChangeLog

@@ -1,3 +1,30 @@
+2018-06-11 21:11 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 14.7.7 Released.
+
+2018-06-11 16:11 +0000 [a562192fa4]  Kevin Harwell <kharwell@digium.com>
+
+	* Update for 14.7.7
+
+2018-04-30 17:38 +0000 [b67fe624c6]  Richard Mudgett <rmudgett@digium.com>
+
+	* AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
+
+	  When endpoint specific ACL rules block a SIP request they respond with a
+	  403 forbidden.  However, if an endpoint is not identified then a 401
+	  unauthorized response is sent.  This vulnerability just discloses which
+	  requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
+	  access to the disclosed endpoints.
+
+	  * Made endpoint specific ACL rules now respond with a 401 unauthorized
+	  which is the same as if an endpoint were not identified.  The fix is
+	  accomplished by replacing the found endpoint with the artificial endpoint
+	  which always fails authentication.
+
+	  ASTERISK-27818
+
+	  Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
+
 2018-02-21 18:53 +0000  Asterisk Development Team <asteriskteam@digium.com>
 
 	* asterisk 14.7.6 Released.

asterisk-14.7.6-summary.html

@@ -1,31 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-14.7.6</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-14.7.6</h3><h3 align="center">Date: 2018-02-21</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
-<li><a href="#summary">Summary</a></li>
-<li><a href="#contributors">Contributors</a></li>
-<li><a href="#closed_issues">Closed Issues</a></li>
-<li><a href="#diffstat">Diffstat</a></li>
-</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
-<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005.html">AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005</a></li>
-</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-14.7.5.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
-<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">3 George Joseph <gjoseph@digium.com><br/>2 Kevin Harwell <kharwell@digium.com><br/>1 Joshua Colp <jcolp@digium.com><br/></td><td width="33%"><td width="33%">6 Sandro Gauci <sandro@enablesecurity.com><br/>4 Sandro Gauci<br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27583">ASTERISK-27583</a>: Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=4e9849c4bc706f6c1ca8c7866402e732c322df6f">[4e9849c4bc]</a> Kevin Harwell -- AST-2018-003: Crash with an invalid SDP fmtp attribute</li>
-</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27582">ASTERISK-27582</a>: Segmentation fault occurs in Asterisk with an invalid SDP media format description<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=37eb30e1d26c1c10063c7d01ca8fa26de1bfa297">[37eb30e1d2]</a> Kevin Harwell -- AST-2018-002: Crash with an invalid SDP media format description</li>
-</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27640">ASTERISK-27640</a>: SUBSCRIBE message with a large Accept value causes stack corruption<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=dd3e3153ea1c161569e93bc87fbf788cfd0c1de7">[dd3e3153ea]</a> Joshua Colp -- AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.</li>
-</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27618">ASTERISK-27618</a>: Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=45db14178f3840deb24662ff3bb45636fccfb9d8">[45db14178f]</a> George Joseph -- AST-2018-005: res_pjsip_transport_management:  Move to core</li>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=de0b026c4d6b34a6d174e82a0e400f4391d07b0e">[de0b026c4d]</a> George Joseph -- AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)</li>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=b5657daf8b3e9d2dfa4ab7bf034b92a17a2d3cf3">[b5657daf8b]</a> George Joseph -- AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request</li>
-</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>b/CHANGES                                                |   11
-b/UPGRADE.txt                                            |    8
-b/res/res_pjsip.c                                        |   17
-b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
-b/res/res_pjsip/pjsip_distributor.c                      |    8
-b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
-b/res/res_pjsip_pubsub.c                                 |    5
-b/res/res_pjsip_session.c                                |    8
-b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
-res/res_pjsip_transport_management.c                     |  400 ---------------
-10 files changed, 472 insertions(+), 408 deletions(-)</pre><br></html>

asterisk-14.7.7-summary.html

@@ -0,0 +1,24 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-14.7.7</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-14.7.7</h3><h3 align="center">Date: 2018-06-11</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#commits">Other Changes</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-008.html">AST-2018-008</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-14.7.6.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Kevin Harwell <kharwell@digium.com><br/>1 Richard Mudgett <rmudgett@digium.com><br/></td><td width="33%"><td width="33%">1 John <john@antme.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Resources/res_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27818">ASTERISK-27818</a>: Username bruteforce is possible when using ACL with PJSIP<br/>Reported by: John<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=b67fe624c6174b394e821c6b0c6d33fbcd88aa26">[b67fe624c6]</a> Richard Mudgett -- AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.</li>
+</ul><br><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
+<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=a562192fa4cad6f6bbac11a90a9633214a8ad9d0">a562192fa4</a></td><td>Kevin Harwell</td><td>Update for 14.7.7</td></tr>
+</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>asterisk-14.7.6-summary.html        |   31 ---------
+asterisk-14.7.6-summary.txt         |  118 ------------------------------------
+b/.version                          |    2
+b/ChangeLog                         |   23 +++++++
+b/asterisk-14.7.7-summary.html      |   13 +++
+b/asterisk-14.7.7-summary.txt       |   83 +++++++++++++++++++++++++
+b/res/res_pjsip/pjsip_distributor.c |   20 ++++++
+7 files changed, 140 insertions(+), 150 deletions(-)</pre><br></html>

asterisk-14.7.7-summary.txt

@@ -1,8 +1,8 @@
                                 Release Summary
 
-                                asterisk-14.7.6
+                                asterisk-14.7.7
 
-                                Date: 2018-02-21
+                                Date: 2018-06-11
 
                            <asteriskteam@digium.com>
 
@@ -13,7 +13,8 @@
     1. Summary
     2. Contributors
     3. Closed Issues
-    4. Diffstat
+    4. Other Changes
+    5. Diffstat
 
      ----------------------------------------------------------------------
 
@@ -30,10 +31,10 @@
 
    Security Advisories:
 
-     * AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005
+     * AST-2018-008
 
    The data in this summary reflects changes that have been made since the
-   previous release, asterisk-14.7.5.
+   previous release, asterisk-14.7.6.
 
      ----------------------------------------------------------------------
 
@@ -51,9 +52,8 @@
    this release.
 
    Coders                   Testers                  Reporters                
-   3 George Joseph                                   6 Sandro Gauci           
-   2 Kevin Harwell                                   4 Sandro Gauci           
-   1 Joshua Colp            
+   1 Kevin Harwell                                   1 John                   
+   1 Richard Mudgett        
 
      ----------------------------------------------------------------------
 
@@ -66,35 +66,27 @@
 
   Security
 
-    Category: Channels/chan_pjsip
+    Category: Resources/res_pjsip
 
-   ASTERISK-27583: Segmentation fault occurs in asterisk with an invalid SDP
-   fmtp attribute
-   Reported by: Sandro Gauci
-     * [4e9849c4bc] Kevin Harwell -- AST-2018-003: Crash with an invalid SDP
-       fmtp attribute
-   ASTERISK-27582: Segmentation fault occurs in Asterisk with an invalid SDP
-   media format description
-   Reported by: Sandro Gauci
-     * [37eb30e1d2] Kevin Harwell -- AST-2018-002: Crash with an invalid SDP
-       media format description
-   ASTERISK-27640: SUBSCRIBE message with a large Accept value causes stack
-   corruption
-   Reported by: Sandro Gauci
-     * [dd3e3153ea] Joshua Colp -- AST-2018-004: Restrict the number of
-       Accept headers in a SUBSCRIBE.
+   ASTERISK-27818: Username bruteforce is possible when using ACL with PJSIP
+   Reported by: John
+     * [b67fe624c6] Richard Mudgett -- AST-2018-008: Fix enumeration of
+       endpoints from ACL rejected addresses.
 
-    Category: pjproject/pjsip
+     ----------------------------------------------------------------------
 
-   ASTERISK-27618: Crash occurs when sending a repeated number of INVITE
-   messages over TCP or TLS transport
-   Reported by: Sandro Gauci
-     * [45db14178f] George Joseph -- AST-2018-005:
-       res_pjsip_transport_management: Move to core
-     * [de0b026c4d] George Joseph -- AST-2018-005: Fix tdata leaks when
-       calling pjsip_endpt_send_response(2)
-     * [b5657daf8b] George Joseph -- AST-2018-005: Add a check for NULL tdata
-       in ast_sip_failover_request
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   reference a JIRA issue.
+
+   +------------------------------------------------------------------------+
+   | Revision           | Author                | Summary                   |
+   |--------------------+-----------------------+---------------------------|
+   | a562192fa4         | Kevin Harwell         | Update for 14.7.7         |
+   +------------------------------------------------------------------------+
 
      ----------------------------------------------------------------------
 
@@ -105,14 +97,11 @@
    This is a summary of the changes to the source code that went into this
    release that was generated using the diffstat utility.
 
- b/CHANGES                                                |   11
- b/UPGRADE.txt                                            |    8
- b/res/res_pjsip.c                                        |   17
- b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
- b/res/res_pjsip/pjsip_distributor.c                      |    8
- b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
- b/res/res_pjsip_pubsub.c                                 |    5
- b/res/res_pjsip_session.c                                |    8
- b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
- res/res_pjsip_transport_management.c                     |  400 ---------------
- 10 files changed, 472 insertions(+), 408 deletions(-)
+ asterisk-14.7.6-summary.html        |   31 ---------
+ asterisk-14.7.6-summary.txt         |  118 ------------------------------------
+ b/.version                          |    2
+ b/ChangeLog                         |   23 +++++++
+ b/asterisk-14.7.7-summary.html      |   13 +++
+ b/asterisk-14.7.7-summary.txt       |   83 +++++++++++++++++++++++++
+ b/res/res_pjsip/pjsip_distributor.c |   20 ++++++
+ 7 files changed, 140 insertions(+), 150 deletions(-)