Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.30.1

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.30.1
Date: Sun, 17 Sep 2023 14:43:45 +0200	[thread overview]
Message-ID: <20230917124345.GR415981@scaer> (raw)
In-Reply-To: <20230917090221.2767084-1-peter@korsgaard.com>

Peter, All,

On 2023-09-17 11:02 +0200, Peter Korsgaard spake thusly:
> Fixes the following security vulnerabilities:
> 
> CVE-2022-23537: Heap buffer overflow when decoding STUN message in pjproject

When I read "pjproject", I thnk "libpjsip". Is it realated? If so, is it
impacted? If so, should we get a fix for it too?

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Possible buffer overread when parsing a specially crafted STUN message with
> unknown attribute.  The vulnerability affects Asterisk users using ICE
> and/or WebRTC.
> 
> https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/asterisk/asterisk.hash | 2 +-
>  package/asterisk/asterisk.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
> index 98ee3bdc71..41e1da2962 100644
> --- a/package/asterisk/asterisk.hash
> +++ b/package/asterisk/asterisk.hash
> @@ -1,5 +1,5 @@
>  # Locally computed
> -sha256  9b93006a87be9c29492299118200e4f66c8369851c66a50fdef5b15dfc4eb2c2  asterisk-16.29.1.tar.gz
> +sha256  ef1ddc07dc02bb0c5f5ba58a5e42e42bcb63e55ac94199be8e3b5d3910f43736  asterisk-16.30.1.tar.gz
>  
>  # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
>  # sha256 locally computed
> diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
> index 22ac0334fd..4f1a80ba8b 100644
> --- a/package/asterisk/asterisk.mk
> +++ b/package/asterisk/asterisk.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -ASTERISK_VERSION = 16.29.1
> +ASTERISK_VERSION = 16.30.1
>  # Use the github mirror: it's an official mirror maintained by Digium, and
>  # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
>  ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
> -- 
> 2.30.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot