Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 relax badshell tilde test

Makefile.moddir_rules | 2 1 + 1 - 0 !
apps/Makefile | 21 21 + 0 - 0 !
2 files changed, 22 insertions(+), 1 deletion(-)

 build multiple versions of app_voicemail.so

contrib/scripts/astgenkey | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 astgenkey should generate a private key that is not world-readable

sounds/sounds.xml | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 avoid downloading extra sound files

addons/mp3/MPGLIB_README | 39 39 + 0 - 0 !
addons/mp3/MPGLIB_TODO | 2 2 + 0 - 0 !
addons/mp3/Makefile | 24 24 + 0 - 0 !
addons/mp3/README | 1 1 + 0 - 0 !
addons/mp3/common.c | 267 267 + 0 - 0 !
addons/mp3/dct64_i386.c | 335 335 + 0 - 0 !
addons/mp3/decode_i386.c | 153 153 + 0 - 0 !
addons/mp3/decode_ntom.c | 219 219 + 0 - 0 !
addons/mp3/huffman.h | 332 332 + 0 - 0 !
addons/mp3/interface.c | 323 323 + 0 - 0 !
addons/mp3/layer3.c | 2029 2029 + 0 - 0 !
addons/mp3/mpg123.h | 132 132 + 0 - 0 !
addons/mp3/mpglib.h | 75 75 + 0 - 0 !
addons/mp3/tabinit.c | 81 81 + 0 - 0 !
14 files changed, 4012 insertions(+)

 mpglib code originally in asterisk-addons

addons/app_mysql.c | 1 0 + 1 - 0 !
addons/app_saycountpl.c | 1 0 + 1 - 0 !
addons/cdr_mysql.c | 1 0 + 1 - 0 !
addons/chan_mobile.c | 1 0 + 1 - 0 !
addons/chan_ooh323.c | 1 0 + 1 - 0 !
addons/format_mp3.c | 1 0 + 1 - 0 !
addons/res_config_mysql.c | 1 0 + 1 - 0 !
7 files changed, 7 deletions(-)

 enable modules formly from asterisk-addons

bootstrap.sh | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

---

codecs/Makefile | 1 0 + 1 - 0 !
codecs/codec_ilbc.c | 1 1 + 0 - 0 !
2 files changed, 1 insertion(+), 1 deletion(-)

---

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---

build_tools/menuselect-deps.in | 1 1 + 0 - 0 !
configure.ac | 3 3 + 0 - 0 !
include/asterisk/autoconfig.h.in | 3 3 + 0 - 0 !
makeopts.in | 3 3 + 0 - 0 !
res/Makefile | 22 0 + 22 - 0 !
res/res_rtp_asterisk.c | 10 5 + 5 - 0 !
6 files changed, 15 insertions(+), 27 deletions(-)

 switch to using external pjproject libraries.

ICE/STUN/TURN support in res_rtp_asterisk is also now optional.

(With minor backport adjustments for branch 11)

channels/chan_dahdi.c | 322 261 + 61 - 0 !
1 file changed, 261 insertions(+), 61 deletions(-)

 [patch] chan_dahdi: create channels at run-time

channels/chan_dahdi.c | 82 79 + 3 - 0 !
1 file changed, 79 insertions(+), 3 deletions(-)

 defer destructions of pri spans
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-23554

Fixes a deadlock in destruction of PRI spans

See also: https://reviewboard.asterisk.org/r/3548

channels/chan_dahdi.c | 3 2 + 1 - 0 !
channels/sig_pri.c | 8 8 + 0 - 0 !
channels/sig_pri.h | 2 2 + 0 - 0 !
3 files changed, 12 insertions(+), 1 deletion(-)

 handle enodev on sig_pri
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-23554

Handle ENODEV error in libpri following a device removal.

See also: https://reviewboard.asterisk.org/r/3548

channels/chan_vpb.cc | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 reenable some drivers, currently chan_vpb

channels/chan_dahdi.c | 1 1 + 0 - 0 !
configs/chan_dahdi.conf.sample | 11 5 + 6 - 0 !
2 files changed, 6 insertions(+), 6 deletions(-)

 ignore failed dahdi channels at startup

utils/utils.xml | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---

doc/asterisk.8 | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix groff error in asterisk manpage
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-23768

Fix an unescaped hyphen in the asterisk manpage.

utils/utils.xml | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---

res/res_fax.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 out of bounds error in update_modem_bits
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24357

res/res_calendar_ews.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 relax neon version check
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24325

Relax the neon version check to also accept version 0.30.x

main/acl.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 mixed ip address families in access control lists may permit unwanted traffic

main/bridging.c | 26 21 + 5 - 0 !
1 file changed, 21 insertions(+), 5 deletions(-)

 high call load may result in hung channels in confbridge
CVE: CVE-2014-8414

apps/app_confbridge.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 permission escalation through confbridge actions/dialplan functions
CVE: CVE-2014-8417

funcs/func_db.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 ami permission escalation through db dialplan function
CVE: CVE-2014-8418

channels/chan_sip.c | 6 5 + 1 - 0 !
res/res_http_websocket.c | 27 16 + 11 - 0 !
2 files changed, 21 insertions(+), 12 deletions(-)

 remote crash vulnerability in websocket server
CVE: CVE-2014-9374

main/tcptls.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

---

configs/http.conf.sample | 21 21 + 0 - 0 !
include/asterisk/tcptls.h | 10 9 + 1 - 0 !
main/http.c | 7 4 + 3 - 0 !
main/tcptls.c | 30 26 + 4 - 0 !
4 files changed, 60 insertions(+), 8 deletions(-)

---

channels/chan_sip.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

---

main/udptl.c | 15 7 + 8 - 0 !
1 file changed, 7 insertions(+), 8 deletions(-)

---

channels/chan_sip.c | 61 39 + 22 - 0 !
1 file changed, 39 insertions(+), 22 deletions(-)

 [patch] prevent leak of dialog rtp/srtp instances.

In some scenarios dialog_initialize_rtp can be called multiple times on
the same dialog.  This can cause RTP instances to be leaked along with
multiple file descriptors for each instance.

ASTERISK-26272 #close

channels/chan_sip.c | 8 3 + 5 - 0 !
1 file changed, 3 insertions(+), 5 deletions(-)

---

res/res_rtp_asterisk.c | 79 46 + 33 - 0 !
1 file changed, 46 insertions(+), 33 deletions(-)

 [patch] res_rtp_asterisk: only learn a new source in learn state.

This change moves the logic which learns a new source address
for RTP so it only occurs in the learning state. The learning
state is entered on initial allocation of RTP or if we are
told that the remote address for the media has changed. While
in the learning state if we continue to receive media from
the original source we restart the learning process. It is
only once we receive a sufficient number of RTP packets from
the new source that we will switch to it. Once this is done
the closed state is entered where all packets that do not
originate from the expected source are dropped.

The learning process has also been improved to take into
account the time between received packets so a flood of them
while in the learning state does not cause media to be switched.

Finally RTCP now drops packets which are not for the learned
SSRC if strict RTP is enabled.

ASTERISK-27013

README-SERIOUSLY.bestpractices.txt | 7 7 + 0 - 0 !
apps/app_minivm.c | 36 25 + 11 - 0 !
apps/app_mixmonitor.c | 10 10 + 0 - 0 !
apps/app_system.c | 10 10 + 0 - 0 !
configs/minivm.conf.sample | 2 1 + 1 - 0 !
funcs/func_shell.c | 5 5 + 0 - 0 !
include/asterisk/app.h | 31 28 + 3 - 0 !
main/asterisk.c | 93 79 + 14 - 0 !
res/res_monitor.c | 13 10 + 3 - 0 !
9 files changed, 175 insertions(+), 32 deletions(-)

 [patch] ast-2017-006: fix app_minivm application minivmnotify command injection

An admin can configure app_minivm with an externnotify program to be run
when a voicemail is received.  The app_minivm application MinivmNotify
uses ast_safe_system() for this purpose which is vulnerable to command
injection since the Caller-ID name and number values given to externnotify
can come from an external untrusted source.

* Add ast_safe_execvp() function.  This gives modules the ability to run
external commands with greater safety compared to ast_safe_system().
Specifically when some parameters are filled by untrusted sources the new
function does not allow malicious input to break argument encoding.  This
may be of particular concern where CALLERID(name) or CALLERID(num) may be
used as a parameter to a script run by ast_safe_system() which could
potentially allow arbitrary command execution.

* Changed app_minivm.c:run_externnotify() to use the new ast_safe_execvp()
instead of ast_safe_system() to avoid command injection.

* Document code injection potential from untrusted data sources for other
shell commands that are under user control.

ASTERISK-27103

res/res_rtp_asterisk.c | 531 430 + 101 - 0 !
1 file changed, 430 insertions(+), 101 deletions(-)

 [patch] ast-2017-008: improve rtp and rtcp packet processing.

Validate RTCP packets before processing them.

* Validate that the received packet is of a minimum length and apply the
RFC3550 RTCP packet validation checks.

* Fixed potentially reading garbage beyond the received RTCP record data.

* Fixed rtp->themssrc only being set once when the remote could change
the SSRC.  We would effectively stop handling the RTCP statistic records.

* Fixed rtp->themssrc to not treat a zero value as special by adding
rtp->themssrc_valid to indicate if rtp->themssrc is available.

ASTERISK-27274

Make strict RTP learning more flexible.

Direct media can cause strict RTP to attempt to learn a remote address
again before it has had a chance to learn the remote address the first
time.  Because of the rapid relearn requests, strict RTP could latch onto
the first remote address and fail to latch onto the direct media remote
address.  As a result, you have one way audio until the call is placed on
and off hold.

The new algorithm learns remote addresses for a set time (1.5 seconds)
before locking the remote address.  In addition, we must see a configured
number of remote packets from the same address in a row before switching.

* Fixed strict RTP learning from always accepting the first new address
packet as the new stream.

* Fixed strict RTP to initialize the expected sequence number with the
last received sequence number instead of the last transmitted sequence
number.

* Fixed the predicted next sequence number calculation in
rtp_learning_rtp_seq_update() to handle overflow.

ASTERISK-27252

channels/chan_skinny.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch] ast-2017-013: chan_skinny: call pthread_detach when sess
 threads end

chan_skinny creates a new thread for each new session.  In trying
to be a good cleanup citizen, the threads are joinable and the
unload_module function does a pthread_cancel() and a pthread_join()
on any sessions that are active at that time.  This has an
unintended side effect though. Since you can call pthread_join on a
thread that's already terminated, pthreads keeps the thread's
storage around until you explicitly call pthread_join (or
pthread_detach()).   Since only the module_unload function was
calling pthread_join, and even then only on the ones active at the
tme, the storage for every thread/session ever created sticks
around until asterisk exits.

* A thread can detach itself so the session_destroy() function
  now calls pthread_detach() just before it frees the session
  memory allocation.  The module_unload function still takes care
  of the ones that are still active should the module be unloaded.

ASTERISK-27452
Reported by: Juan Sacco