| Message ID | 20230917090221.2767084-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Series | package/asterisk: security bump to version 16.30.1 |
Peter, All,

On 2023-09-17 11:02 +0200, Peter Korsgaard spake thusly:
> Fixes the following security vulnerabilities:
>
> CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

When I read "pjproject", I think "libpjsip". Is it related? If so, is it
impacted? If so, should we get a fix for it too?

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Possible buffer overread when parsing a specially crafted STUN message with
> unknown attribute. The vulnerability affects Asterisk users using ICE
> and/or WebRTC.
>
> https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/asterisk/asterisk.hash | 2 +-
> package/asterisk/asterisk.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash > index 98ee3bdc71..41e1da2962 100644 > --- a/package/asterisk/asterisk.hash > +++ b/package/asterisk/asterisk.hash > @@ -1,5 +1,5 @@ > # Locally computed > -sha256 9b93006a87be9c29492299118200e4f66c8369851c66a50fdef5b15dfc4eb2c2 asterisk-16.29.1.tar.gz > +sha256 ef1ddc07dc02bb0c5f5ba58a5e42e42bcb63e55ac94199be8e3b5d3910f43736 asterisk-16.30.1.tar.gz > > # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases > # sha256 locally computed > diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk > index 22ac0334fd..4f1a80ba8b 100644 > --- a/package/asterisk/asterisk.mk > +++ b/package/asterisk/asterisk.mk
> @@ -4,7 +4,7 @@ > # > ################################################################################ > > -ASTERISK_VERSION = 16.29.1 > +ASTERISK_VERSION = 16.30.1 > # Use the github mirror: it's an official mirror maintained by Digium, and > # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not. > ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION)) > -- > 2.30.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

> Peter, All,
> On 2023-09-17 11:02 +0200, Peter Korsgaard spake thusly:
>> Fixes the following security vulnerabilities:
>>
>> CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

> When I read "pjproject", I think "libpjsip". Is it related? If so, is it
> impacted? If so, should we get a fix for it too?

Yes, good point - I'll send a patch:

https://github.com/pjsip/pjproject/releases/tag/2.13.1
diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash index 98ee3bdc71..41e1da2962 100644 --- a/package/asterisk/asterisk.hash +++ b/package/asterisk/asterisk.hash @@ -1,5 +1,5 @@ # Locally computed -sha256 9b93006a87be9c29492299118200e4f66c8369851c66a50fdef5b15dfc4eb2c2 asterisk-16.29.1.tar.gz +sha256 ef1ddc07dc02bb0c5f5ba58a5e42e42bcb63e55ac94199be8e3b5d3910f43736 asterisk-16.30.1.tar.gz # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases # sha256 locally computed diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk index 22ac0334fd..4f1a80ba8b 100644 --- a/package/asterisk/asterisk.mk +++ b/package/asterisk/asterisk.mk @@ -4,7 +4,7 @@ # ################################################################################ -ASTERISK_VERSION = 16.29.1 +ASTERISK_VERSION = 16.30.1 # Use the github mirror: it's an official mirror maintained by Digium, and # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not. ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
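Review bot: missing documentation for the asterisk.mk hunk: the commit message attributes CVE-2022-23537 to pjproject, yet the change only bumps ASTERISK_VERSION from 16.29.1 to 16.30.1 and the tarball sha256, so a reviewer cannot tell from the patch whether the fix reaches Buildroot through Asterisk's own bundled pjproject copy or whether the separate pjsip package is also affected and needs its own bump (the thread points at a pjproject 2.13.1 release for that). Please state this in the commit message. For the asterisk.hash hunk, the new sha256 is under "# Locally computed"; note in the commit message how it was obtained so the value can be reproduced independently.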
Fixes the following security vulnerabilities:

CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

Possible buffer overread when parsing a specially crafted STUN message with
unknown attribute. The vulnerability affects Asterisk users using ICE
and/or WebRTC.

https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/asterisk/asterisk.hash | 2 +-
 package/asterisk/asterisk.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)