Message ID | 20221120141721.1068907-1-peter@korsgaard.com
---|---
State | Accepted
Series | package/asterisk: security bump to version 16.28.0
Peter, All,

On 2022-11-20 15:17 +0100, Peter Korsgaard spake thusly:
> Asterisk 16.26.0 fixed the following security issues:
>
> - [ASTERISK-29476] – res_stir_shaken: Blind SSRF vulnerabilities
> https://issues.asterisk.org/jira/browse/ASTERISK-29476
>
> - [ASTERISK-29838] – ${SQL_ESC()} not correctly escaping a terminating \
> https://issues.asterisk.org/jira/browse/ASTERISK-29838
>
> - [ASTERISK-29872] – res_stir_shaken: Resource exhaustion with large files
> https://issues.asterisk.org/jira/browse/ASTERISK-29872
>
> https://www.asterisk.org/asterisk-news/asterisk-16-26-0-now-available/
>
> It unfortunately also introduced a change to chan_iax2, breaking builds
> without OpenSSL:
> https://github.com/asterisk/asterisk/commit/59a8cdaca2dbb5eeb7382dfbe78c0c1cbed8ce6d
>
> Which was again fixed in 16.28.0:
> https://github.com/asterisk/asterisk/commit/f812dfb68c6ed7ae55b4c163716fd1ddc063ff54
>
> So bump to 16.28.0:
> https://www.asterisk.org/asterisk-news/asterisk-16-28-0-now-available/
>
> The libxml2 support now uses pkg-config, so drop the libxml2-config handling:
> https://github.com/asterisk/asterisk/commit/bf9dafa7c22302b2f1a12b8216da63102116d9c9

As seen on IRC, I've added an explicit dependency to host-pkgconf, rather
than implicitly inherit the dependency from the host variant.

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> package/asterisk/asterisk.hash | 2 +-
> package/asterisk/asterisk.mk | 7 ++-----
> 2 files changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
> index 880d67562d..9792d82ac5 100644
> --- a/package/asterisk/asterisk.hash
> +++ b/package/asterisk/asterisk.hash
> @@ -1,5 +1,5 @@ > # Locally computed > -sha256 0fb817943a276f5e540c2a9432e8841cd3393e7c1bd1250055c620902f6eafc8 asterisk-16.25.2.tar.gz > +sha256 6e9c2f350db018df854b1301687ced8993facb2787698336e55cd19e0ae3ebfe asterisk-16.28.0.tar.gz > > # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases > # sha256 locally computed > diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk > index 9b59997b80..184f40031f 100644 > --- a/package/asterisk/asterisk.mk > +++ b/package/asterisk/asterisk.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -ASTERISK_VERSION = 16.25.2 > +ASTERISK_VERSION = 16.28.0 > # Use the github mirror: it's an official mirror maintained by Digium, and > # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not. > ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION)) > @@ -115,8 +115,7 @@ ASTERISK_CONF_OPTS += --without-avcodec > ASTERISK_CONF_OPTS += --without-spandsp > > ASTERISK_CONF_ENV = \ > - ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true \ > - ac_cv_path_CONFIG_LIBXML2=$(STAGING_DIR)/usr/bin/xml2-config > + ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true > > # Uses __atomic_fetch_add_4 > ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y) > @@ -314,8 +313,6 @@ HOST_ASTERISK_LICENSE_FILES = COPYING > # so do not inherit the target setup. > HOST_ASTERISK_AUTORECONF = NO > > -HOST_ASTERISK_CONF_ENV = CONFIG_LIBXML2=$(HOST_DIR)/bin/xml2-config > - > HOST_ASTERISK_CONF_OPTS = \ > --without-newt \ > --without-curses \ > -- > 2.30.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

> Asterisk 16.26.0 fixed the following security issues:

> - [ASTERISK-29476] – res_stir_shaken: Blind SSRF vulnerabilities
> https://issues.asterisk.org/jira/browse/ASTERISK-29476

> - [ASTERISK-29838] – ${SQL_ESC()} not correctly escaping a terminating \
> https://issues.asterisk.org/jira/browse/ASTERISK-29838

> - [ASTERISK-29872] – res_stir_shaken: Resource exhaustion with large files
> https://issues.asterisk.org/jira/browse/ASTERISK-29872

> https://www.asterisk.org/asterisk-news/asterisk-16-26-0-now-available/

> It unfortunately also introduced a change to chan_iax2, breaking builds
> without OpenSSL:
> https://github.com/asterisk/asterisk/commit/59a8cdaca2dbb5eeb7382dfbe78c0c1cbed8ce6d

> Which was again fixed in 16.28.0:
> https://github.com/asterisk/asterisk/commit/f812dfb68c6ed7ae55b4c163716fd1ddc063ff54

> So bump to 16.28.0:
> https://www.asterisk.org/asterisk-news/asterisk-16-28-0-now-available/

> The libxml2 support now uses pkg-config, so drop the libxml2-config handling:
> https://github.com/asterisk/asterisk/commit/bf9dafa7c22302b2f1a12b8216da63102116d9c9

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.08.x and 2022.02.x, thanks.
diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash index 880d67562d..9792d82ac5 100644 --- a/package/asterisk/asterisk.hash +++ b/package/asterisk/asterisk.hash @@ -1,5 +1,5 @@ # Locally computed -sha256 0fb817943a276f5e540c2a9432e8841cd3393e7c1bd1250055c620902f6eafc8 asterisk-16.25.2.tar.gz +sha256 6e9c2f350db018df854b1301687ced8993facb2787698336e55cd19e0ae3ebfe asterisk-16.28.0.tar.gz # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases # sha256 locally computed diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk index 9b59997b80..184f40031f 100644 --- a/package/asterisk/asterisk.mk +++ b/package/asterisk/asterisk.mk @@ -4,7 +4,7 @@ # ################################################################################ -ASTERISK_VERSION = 16.25.2 +ASTERISK_VERSION = 16.28.0 # Use the github mirror: it's an official mirror maintained by Digium, and # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not. ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION)) @@ -115,8 +115,7 @@ ASTERISK_CONF_OPTS += --without-avcodec ASTERISK_CONF_OPTS += --without-spandsp ASTERISK_CONF_ENV = \ - ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true \ - ac_cv_path_CONFIG_LIBXML2=$(STAGING_DIR)/usr/bin/xml2-config + ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true # Uses __atomic_fetch_add_4 ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y) @@ -314,8 +313,6 @@ HOST_ASTERISK_LICENSE_FILES = COPYING # so do not inherit the target setup. HOST_ASTERISK_AUTORECONF = NO -HOST_ASTERISK_CONF_ENV = CONFIG_LIBXML2=$(HOST_DIR)/bin/xml2-config - HOST_ASTERISK_CONF_OPTS = \ --without-newt \ --without-curses \
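Review bot: the replaced `sha256 ... asterisk-16.28.0.tar.gz` line is still marked `# Locally computed`, and since `ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))` fetches from the github mirror rather than from a location that publishes signed checksums, the new hash cannot be cross-checked against an upstream file; whoever applies this should re-download the 16.28.0 tarball independently and confirm the same sha256 before merging, so the hash file actually pins the artifact rather than just restating what one download produced.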
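Review bot: dropping `ac_cv_path_CONFIG_LIBXML2=$(STAGING_DIR)/usr/bin/xml2-config` from `ASTERISK_CONF_ENV` hands libxml2 detection to pkg-config, but nothing in this hunk adds `host-pkgconf` to `ASTERISK_DEPENDENCIES`, so the target configure run would only find libxml2 if some other dependency happened to pull pkg-config in; add the dependency explicitly (the maintainer's reply above notes this was done on commit). Also, with a single value left, `ASTERISK_CONF_ENV = \` followed by one continuation line can be collapsed to `ASTERISK_CONF_ENV = ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true`.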
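Review bot: removing `HOST_ASTERISK_CONF_ENV = CONFIG_LIBXML2=$(HOST_DIR)/bin/xml2-config` means the host-side configure also now has to locate libxml2 through pkg-config, yet `HOST_ASTERISK_DEPENDENCIES` is not touched in this hunk; confirm it lists host-pkgconf next to host-libxml2, because without the old override a host build that lacks pkg-config would no longer find libxml2 at all, and the comment just above (`# so do not inherit the target setup.`) makes clear the host variant cannot rely on the target package's dependency list for this.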
Asterisk 16.26.0 fixed the following security issues:

- [ASTERISK-29476] – res_stir_shaken: Blind SSRF vulnerabilities
  https://issues.asterisk.org/jira/browse/ASTERISK-29476

- [ASTERISK-29838] – ${SQL_ESC()} not correctly escaping a terminating \
  https://issues.asterisk.org/jira/browse/ASTERISK-29838

- [ASTERISK-29872] – res_stir_shaken: Resource exhaustion with large files
  https://issues.asterisk.org/jira/browse/ASTERISK-29872

https://www.asterisk.org/asterisk-news/asterisk-16-26-0-now-available/

It unfortunately also introduced a change to chan_iax2, breaking builds
without OpenSSL:
https://github.com/asterisk/asterisk/commit/59a8cdaca2dbb5eeb7382dfbe78c0c1cbed8ce6d

Which was again fixed in 16.28.0:
https://github.com/asterisk/asterisk/commit/f812dfb68c6ed7ae55b4c163716fd1ddc063ff54

So bump to 16.28.0:
https://www.asterisk.org/asterisk-news/asterisk-16-28-0-now-available/

The libxml2 support now uses pkg-config, so drop the libxml2-config handling:
https://github.com/asterisk/asterisk/commit/bf9dafa7c22302b2f1a12b8216da63102116d9c9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

---
 package/asterisk/asterisk.hash | 2 +-
 package/asterisk/asterisk.mk   | 7 ++-----
 2 files changed, 3 insertions(+), 6 deletions(-)