Message ID | 20221211093716.1149172-1-peter@korsgaard.com |
---|---|
State | Accepted |
Headers | show |
Series | package/asterisk: security bump to version 16.29.1 | expand |
On Sun, 11 Dec 2022 10:37:16 +0100 Peter Korsgaard <peter@korsgaard.com> wrote: > Fixes the following security issues: > > - CVE-2022-37325: A zero length Called or Calling Party Number can cause a > buffer under-run and Asterisk crash. > > https://downloads.asterisk.org/pub/security/AST-2022-007.html > > - CVE-2022-42705: Use after free in res_pjsip_pubsub.c may allow a remote > authenticated attacker to crash Asterisk (denial of service) by performing > activity on a subscription via a reliable transport at the same time > Asterisk is also performing activty on that subscription. > > https://downloads.asterisk.org/pub/security/AST-2022-008.html > > - CVE-2022-42706: AMI Users with “config” permissions may read files outside > of Asterisk directory via GetConfig AMI Action even if “live_dangerously" > is set to "no" > > https://downloads.asterisk.org/pub/security/AST-2022-009.html > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/asterisk/asterisk.hash | 2 +- > package/asterisk/asterisk.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Applied to master, thanks. Thomas
diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash index 9792d82ac5..98ee3bdc71 100644 --- a/package/asterisk/asterisk.hash +++ b/package/asterisk/asterisk.hash @@ -1,5 +1,5 @@ # Locally computed -sha256 6e9c2f350db018df854b1301687ced8993facb2787698336e55cd19e0ae3ebfe asterisk-16.28.0.tar.gz +sha256 9b93006a87be9c29492299118200e4f66c8369851c66a50fdef5b15dfc4eb2c2 asterisk-16.29.1.tar.gz # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases # sha256 locally computed diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk index e0f28ae7ee..22ac0334fd 100644 --- a/package/asterisk/asterisk.mk +++ b/package/asterisk/asterisk.mk @@ -4,7 +4,7 @@ # ################################################################################ -ASTERISK_VERSION = 16.28.0 +ASTERISK_VERSION = 16.29.1 # Use the github mirror: it's an official mirror maintained by Digium, and # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not. ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
Fixes the following security issues: - CVE-2022-37325: A zero length Called or Calling Party Number can cause a buffer under-run and Asterisk crash. https://downloads.asterisk.org/pub/security/AST-2022-007.html - CVE-2022-42705: Use after free in res_pjsip_pubsub.c may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time Asterisk is also performing activty on that subscription. https://downloads.asterisk.org/pub/security/AST-2022-008.html - CVE-2022-42706: AMI Users with “config” permissions may read files outside of Asterisk directory via GetConfig AMI Action even if “live_dangerously" is set to "no" https://downloads.asterisk.org/pub/security/AST-2022-009.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/asterisk/asterisk.hash | 2 +- package/asterisk/asterisk.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)