• http://downloads.digium.com/pub/telephony/asterisk/releases/ (Download)
• http://downloads.digium.com/pub/telephony/asterisk/old-releases/ (Download)
• ftp://ftp.openbsd.org/pub/OpenBSD/distfiles// (Download)
• ftp://ftp.usa.openbsd.org/pub/OpenBSD/distfiles// (Download)

• h323
• no_odbc
• no_snmp
• no_curl
• no_pgsql
• no_jabber
• no_ldap
• no_fax

• (2010-02-03) Updated to version: asterisk-1.6.0.22
• (2010-01-17) Updated to version: asterisk-1.6.0.21
• (2009-12-19) Updated to version: asterisk-1.6.0.20
• (2009-12-13) Updated to version: asterisk-1.6.0.19
• (2009-12-01) Updated to version: asterisk-1.4.27.1
• (2009-11-19) Updated to version: asterisk-1.4.27
• (2009-11-05) Updated to version: asterisk-1.4.26.3
• (2009-09-09) Updated to version: asterisk-1.4.26.2
• (2009-08-11) Updated to version: asterisk-1.4.26.1
• (2009-07-22) Updated to version: asterisk-1.4.26

Log message:
SECURITY update to 1.6.0.22, fixing CVE-2010-0441, an unauthenticated
crash in SIP (and only this, thanks to Asterisk developers for pushing
security fixes separately from other changes).
Does not affect Asterisk 1.4 in -stable (it's in the T.38 support,
which was added in 1.6).
ok ajacoutot@

Log message:
Update to 1.6.0.21, various bugs (including some crashes) fixed.
This also has a small change in CDR generation, it's been well tested
upstream but still this can be a touchy area to change, so it's
going in now so the first OpenBSD release with Asterisk 1.6
packages has the change already made.
ok ajacoutot@

Log message:
MFC:
SECURITY update to 1.4.27.1 for unauthenticated remote crash in RTP.
http://downloads.digium.com/pub/security/AST-2009-010.html
and
Switch to using supplied bootstrap.sh (plus a patch to stop it
from overriding supplied AUTOfoo_VERSION variables) instead of the
custom Makefile target to run autoconf.
ok sthen@ okidoki jasper@

Log message:
Allow asterisk to change the vm password by tweaking the perms. Bump.
sthen@ ok.

Log message:
update to 1.6.0.20

Log message:
install chan_h323.so and put h323 fragment after confdir is created.
remove extraunexec and bump. sthen@ ok.

Log message:
missing an app_conference @conflict

Log message:
Major version update to 1.6.0.19. For more information about the
upgrade, see /usr/local/share/doc/asterisk/UPGRADE-1.6.txt
Particular thanks to fgsch@, ian@ and Michiel van Baak for help and testing.

Log message:
SECURITY update to 1.4.27.1 for unauthenticated remote crash in RTP.
http://downloads.digium.com/pub/security/AST-2009-010.html

Log message:
MFC:
SECURITY UPDATE
asterisk-1.4.27
Resolves multiple security issues
ok sthen@ jasper@

Log message:
update to 1.4.27, I'll soon be committing a 1.6.0 version but first let's
have the latest 1.4 for people who don't want to move yet.

Log message:
Switch to using supplied bootstrap.sh (plus a patch to stop it
from overriding supplied AUTOfoo_VERSION variables) instead of the
custom Makefile target to run autoconf.
No package change -> no bump. Discussed with fgsch in relation
to 1.6, but it makes sense here too.

Log message:
SECURITY update to 1.4.26.3;
AST-2009-008: SIP responses expose valid usernames
AST-2009-009: Cross-site AJAX request (ajamdemo.html/prototype.js)

Log message:
Update to 1.4.26.2; mitigates IAX2 denial of service AST-2009-006.
This makes an non-backwards-compatible change to the IAX2 protocol.
It can be disabled with various options, but is on by default.
IAX2 users, read http://downloads.digium.com/pub/security/AST-2009-006.html
and the new /usr/local/share/doc/asterisk/IAX2-security.pdf (available
online in http://svn.digium.com/svn/asterisk/tags/1.4.26.2/doc/).

Log message:
Distfiles rerolled with different music-on-hold files.
See http://blogs.digium.com/2009/08/18/asterisk-music-on-hold-changes/

Log message:
SECURITY; http://downloads.asterisk.org/pub/security/AST-2009-005.html
Fixes sscanf without size bounds. The biggest problem affects SIP in
Asterisk 1.6.1+ (i.e. not OpenBSD ports/packages) but the update makes
sense anyway...

Log message:
bugfix update to 1.4.26; see http://www.asterisk.org/node/48610

Log message:
- actually comment-out the (broken) speex subpackage rather than
just disable by setting the default FLAVOR; the asterisk,h323 entry
in ../Makefile picked it up. the unused pkg/*-speex files don't hurt,
so keep them around. bump PKGNAME (most likely gratuitous, but it's
cheap).

Log message:
update to 1.4.25.1; revised fix for SECURITY issue CVE-2009-0041

Log message:
maintenance update to 1.4.25. disable building the speex plugin by default
for now, it causes a SIGBUS at startup (and also did in the previous version)
which hasn't been tracked down yet.

Log message:
switch to external gsm library, bump package.

Log message:
Minor security update to 1.4.24.1 for AST-2009-003 "SIP responses
expose valid usernames". This update changes "alwaysauthreject" to
return the same response for invalid username as it does for invalid
password.

Log message:
maintenance update to 1.4.24

Log message:
SECURITY; patch AST-2009-002, remote *unauthenticated* crash in SIP
where the "pedantic" option is enabled (disabled by default).
Backported rather than updated until I sort out the H323 autoconf
breakage in newer versions.

Log message:
SECURITY update to 1.4.22.2; updated fix for CVE-2009-0041 in IAX

Log message:
better license marker; asterisk-core-sounds is now available under
CC-BY-SA. bump not necessary.

Log message:
SECURITY update to 1.4.22.1, fixing CVE-2009-0041: remote unauthenticated
users with access to the IAX port can use it to verify validity of usernames.
No other code changes in this version.
While there, remove spurious @user from PLIST.

Log message:
Change "${SYSCONFDIR}" to "/etc" for files that are *always* in the
latter location.

Log message:
maintenance update to 1.4.22; many fixes.

Log message:
SECURITY update fixing several problems in IAX, both remotely
exploitable without authentication.
AST-2008-010: Asterisk IAX 'POKE' resource exhaustion (DoS)
AST-2008-011: Traffic amplification in IAX2, 40->1040 bytes

Log message:
- bugfix update to 1.4.21.1, fixing a fairly major problem
introduced in 1.4.21 by correcting the order of lock and unlock
in a deadlock avoidance macro... No other changes. Not security,
but if you're running 1.4.21, you definitely want this.
- regen PLIST to remove @bin from a symlink.

Log message:
Update Asterisk to 1.4.21, lots of quality-control fixes
ok ian

Log message:
- speex needs to be at least 1.2beta3 since the library was
split in two: add pkgspec, bump -speex package version
- adjust FULLPKGNAME handling so overrides can be shown clearly
at the top of the Makefile
- add space before assignment operator "FULLPKGNAME$i=" to avoid
potential ambiguity with bad values of $i
speex problem reported by jolan@, thanks!

Log message:
update to 1.4.20.1; thanks to Pedro la Peu for additional testing.

Log message:
clean whitespace (spaces->tabs); "cvs di -w" shows no change

Log message:
- fix WANTLIB after pwlib FLAVORs merge
- bump

Log message:
Update to 1.4.19.2, fixing an IAX performance problem introduced
by the security fix in the previous update. No change to other code.
Non-IAX users are unaffected.

Log message:
SECURITY update, fixes remote amplification attack in IAX.
http://downloads.digium.com/pub/security/AST-2008-006.html
ok ian@

Log message:
update to 1.4.19
ok ian@

Log message:
SECURITY update to 1.4.18.1, fixes AST-2008-002 (buffer overflows
in RTP codec payload type handling) and AST-2008-003 (SIP channel
can make a call into the context specified in the general section
of sip.conf).  Affects all Asterisk users with SIP enabled.
This is a security update only, no changes other than these fixes.

Log message:
- make the h323 FLAVOR build correctly with new pwlib/h323
- add a pre-build target so that we can remove IS_INTERACTIVE
(from sthen@)
ok sthen@

Log message:
update asterisk to 1.4.18 (following testing during RC period)
ok jolan

Log message:
SECURITY update, AST-2008-001, fixes remote crash triggerable by anyone
permitted to transfer SIP calls (possibly unauthenticated, depending on
config).
ok ian

Log message:
update to the asterisk release-du-jour.
ok ian's asterisk-ok-bot

Log message:
Update to today's asterisk release. ok ian

Log message:
SECURITY update to 1.4.17, fixes AST-2007-027 (passwordless sip/iax peers,
configured from "realtime" database rather than static .conf files, are not
subject to IP address restrictions).
ok ian

Log message:
SECURITY update to Asterisk 1.4.15, fixes SQL problems with
PostgreSQL drivers. AST-2007-025 (pgsql realtime) and AST-2007-026
(pgsql CDR logging).
ok jolan@

Log message:
update Asterisk to 1.4.14 (with many bug fixes), and h323 flavor
(for interactive builds only).
ok jolan, ian

Log message:
SECURITY update for 1.4 versions (doesn't affect OpenBSD before 4.2);
fixes an overflow in IMAP voicemail storage reachable by anyone who can
send email to a VM box accessed from the phone. AST-2007-022, found by
sprintf audit.
ok ian@

Log message:
bug-fix update to 1.4.12
ok ian@

Log message:
major version update to 1.4.11, ok ian@ jolan@

Log message:
update my email address
ok mbalmer@

Log message:
- backport some security fixes for
ASA-2007-014 - Stack Buffer Overflow in IAX2 channel driver
ASA-2007-015 - Remote Crash Vulnerability in IAX2 Channel Driver
ASA-2007-016 - Remote Crash Vulnerability in Skinny channel driver from version 1.2.22
All work and testing by Stuart Henderson
ok sturm@

Log message:
MFC (original commit naddy@):
- upgrade to 1.2.22 to fix several remote exploits
ok sturm@

Log message:
remove empty patch; noticed by Stuart Henderson <stu@spacehopper.org>

Log message:
Upgrade to 1.2.22 to fix several remote exploits, from Stuart, tested by me

Log message:
backport a fix for ASA-2007-013:
chan_iax2.c assumes strings are null-terminated without validating them,
potential buffer overrun/information disclosure

Log message:
MFC:
SECURITY: update to 1.2.19, from maintainer stuart henderson
ASA-2007-013: chan_iax2.c assumes strings are null-terminated without
validating them, potential buffer overrun/information disclosure

Log message:
SECURITY: update to 1.2.19, from maintainer stuart henderson
ASA-2007-013: chan_iax2.c assumes strings are null-terminated without
validating them, potential buffer overrun/information disclosure

Log message:
MFC:
SECURITY: update to 1.2.18 from maintainer stuart henderson
ASA-2007-011: Multiple problems in SIP channel parser handling response
codes
ASA-2007-012: Remote Crash Vulnerability in Manager Interface

Log message:
Security fixes:
ASA-2007-011, http://bugs.digium.com/view.php?id=9313:
Multiple problems in SIP channel parser handling response codes
ASA-2007-012:
Remote Crash Vulnerability in Manager Interface

Log message:
SECURITY: update to 1.2.18 from maintainer stuart henderson
ASA-2007-011: Multiple problems in SIP channel parser handling response
codes
ASA-2007-012: Remote Crash Vulnerability in Manager Interface

Log message:
MFC:
SECURITY: update to 1.2.16 which fixes a remote DoS in chan_sip
---
SECURITY: update to 1.2.17, fixes a(nother) remote DoS in chan_sip:
http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html

Log message:
more base64 checksums

Log message:
SECURITY: fixes a(nother) remote DoS in chan_sip:
http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html
from maintainer stuart henderson

Log message:
SECURITY: fixes a(nother) remote DoS in chan_sip:
http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html
from maintainer stuart henderson

Log message:
SECURITY: update to 1.2.17, fixes a(nother) remote DoS in chan_sip:
http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html
from maintainer stuart henderson

Log message:
security fix for a remote DoS in chan_sip
from maintainer Stuart Henderson

Log message:
security fix for a remote DoS in chan_sip
from maintainer Stuart Henderson

Log message:
SECURITY: update to 1.2.16 which fixes a remote DoS in chan_sip
from maintainer stuart henderson

Log message:
1.2.14->1.2.15 from maintainer, tested on i386 & amd64.

Log message:
conflicts with asterisk-sounds-<=1.2.1p2

Log message:
update to 1.2.14, from stuart henderson

Log message:
sync patches and fix a vulnerability in the chan_skinny module
for more details see: http://www.asterisk.org/node/109

Log message:
SECURITY: fix a vulnerability in the chan_skinny module.
for more details see:
http://www.asterisk.org/node/109

Log message:
SECURITY: update to 1.0.12 which fixes a vulnerability in the
chan_skinny module.  for more details see:
http://www.asterisk.org/node/109

Log message:
SECURITY: update to 1.2.13 which fixes a vulnerability in the
chan_skinny module.  for more details see:
http://www.asterisk.org/node/109
from maintainer

Log message:
- install IAXy firmware in order to silence warning messages, prompted
by jcs@
ok MAINTAINER

Log message:
- update to 1.2.12.1
- be careful not to pick up odbc/popt if they happened to be installed
from maintainer stuart henderson

Log message:
- Don't build res_config_odbc if databases/iodbc is installed
- Don't build smsq if devel/popt is installed
ok maintainer

Log message:
MFC:
SECURITY:
Update to 1.0.11.1 which addresses a security vulnerability in the IAX2
channel driver (chan_iax2). The vulnerability affects all users with
IAX2 clients that might be compromised or used by a malicious user, and
can lead to denial of service attacks and random Asterisk server crashes
via a relatively trivial exploit.

Log message:
MFC:
SECURITY:
Update to 1.2.9.1 which addresses a security vulnerability in the IAX2
channel driver (chan_iax2). The vulnerability affects all users with
IAX2 clients that might be compromised or used by a malicious user, and
can lead to denial of service attacks and random Asterisk server crashes
via a relatively trivial exploit.

Log message:
fix sample config file.
from maintainer Stuart Henderson, found by Steve, murdoch-technology
at bigpond dot com.

Log message:
SECURITY:
Update to 1.2.9.1 which addresses a security vulnerability in the IAX2
channel driver (chan_iax2). The vulnerability affects all users with
IAX2 clients that might be compromised or used by a malicious user, and
can lead to denial of service attacks and random Asterisk server crashes
via a relatively trivial exploit.
From: maintainer Stuart Henderson <stu@spacehopper.org>

Log message:
use bcopy instead of memcpy to work around a gcc optimizer bug resulting
in unaligned accesses on sparc64
fix WANTLIB
honour CC, CFLAGS more or less
from Stuart Henderson <stu at spacehopper.org>
ok ian, jolan

Log message:
bison is no longer a BUILD_DEPENDS

Log message:
Work by and tested by ian@ and Stuart Henderson, comments by jolan@

Log message:
catch up with header changes that have brought us in line with Free/NetBSD

Log message:
update to 1.0.9, ok jcs pval
most notably fixes an overflow in the management interface (which is not
enabled by default)

Log message:
- drop to _asterisk user/group by default
- move some files around and change file/directory owners to support
this
- bump pkgname
ok mr. jolan@

Log message:
update to asterisk-1.0.7
- put jolan's mirror second
- RUN_DEPENDS on sox and mpg123 for music on hold
- install example indications.conf so ringing works
ok jolan@

Log message:
SIZE

Log message:
Add WANTLIB marker
ok espie@