* [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2
@ 2025-11-06 20:47 Bernd Kuhls
2025-11-12 20:44 ` Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Bernd Kuhls @ 2025-11-06 20:47 UTC (permalink / raw)
To: buildroot; +Cc: Titouan Christophe
Fixes CVE-2025-1131:
https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
Acked-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: updated subject to reflect that this is a security bump (Titouan)
package/asterisk/asterisk.hash | 2 +-
package/asterisk/asterisk.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
index f11ed08ef4..26175667c3 100644
--- a/package/asterisk/asterisk.hash
+++ b/package/asterisk/asterisk.hash
@@ -1,5 +1,5 @@
# Locally computed
-sha256 4cc403c8885d4aed3956dfb75d315d3e5bcc129eb9cd47c156d3b12ecceed1ba asterisk-22.3.0.tar.gz
+sha256 8a94650b6f348af1f1c9cce7ed3585d280f3a31b0d3820084a42b03712df95d5 asterisk-22.5.2.tar.gz
# Locally computed
sha256 58bb83cec4d431f48d006e455d821668450f8cf6b6c95f090def47062fa3a60c pjproject-2.15.1.tar.bz2
diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
index e7e802aa45..9a071fb8e0 100644
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ASTERISK_VERSION = 22.3.0
+ASTERISK_VERSION = 22.5.2
# Use the github mirror: it's an official mirror maintained by Digium, and
# provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2
2025-11-06 20:47 [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2 Bernd Kuhls
@ 2025-11-12 20:44 ` Peter Korsgaard
2025-11-27 19:53 ` Arnout Vandecappelle via buildroot
2025-12-09 8:39 ` Thomas Petazzoni via buildroot
2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2025-11-12 20:44 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot, Titouan Christophe
>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:
> Fixes CVE-2025-1131:
> https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
From the advisories page it looks as if (at least) CVE-2025-57767,
CVE-2025-49832, CVE-2025-47780 and CVE-2025-47779 are also fixed since
22.3.0, so I have updated the commit message and applied - Thanks.
> Acked-by: Titouan Christophe <titouan.christophe@mind.be>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> ---
> v2: updated subject to reflect that this is a security bump (Titouan)
> package/asterisk/asterisk.hash | 2 +-
> package/asterisk/asterisk.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
> diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
> index f11ed08ef4..26175667c3 100644
> --- a/package/asterisk/asterisk.hash
> +++ b/package/asterisk/asterisk.hash
> @@ -1,5 +1,5 @@
> # Locally computed
> -sha256 4cc403c8885d4aed3956dfb75d315d3e5bcc129eb9cd47c156d3b12ecceed1ba asterisk-22.3.0.tar.gz
> +sha256 8a94650b6f348af1f1c9cce7ed3585d280f3a31b0d3820084a42b03712df95d5 asterisk-22.5.2.tar.gz
> # Locally computed
> sha256 58bb83cec4d431f48d006e455d821668450f8cf6b6c95f090def47062fa3a60c pjproject-2.15.1.tar.bz2
> diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
> index e7e802aa45..9a071fb8e0 100644
> --- a/package/asterisk/asterisk.mk
> +++ b/package/asterisk/asterisk.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
> -ASTERISK_VERSION = 22.3.0
> +ASTERISK_VERSION = 22.5.2
> # Use the github mirror: it's an official mirror maintained by Digium, and
> # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
> ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
> --
> 2.47.3
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2
2025-11-06 20:47 [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2 Bernd Kuhls
2025-11-12 20:44 ` Peter Korsgaard
@ 2025-11-27 19:53 ` Arnout Vandecappelle via buildroot
2025-12-09 8:39 ` Thomas Petazzoni via buildroot
2 siblings, 0 replies; 5+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2025-11-27 19:53 UTC (permalink / raw)
To: Bernd Kuhls, buildroot; +Cc: Titouan Christophe
On 06/11/2025 21:47, Bernd Kuhls wrote:
> Fixes CVE-2025-1131:
> https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
>
> Acked-by: Titouan Christophe <titouan.christophe@mind.be>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to 2025.02.x and 2025.08.x, thanks.
Regards,
Arnout
> ---
> v2: updated subject to reflect that this is a security bump (Titouan)
>
> package/asterisk/asterisk.hash | 2 +-
> package/asterisk/asterisk.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
> index f11ed08ef4..26175667c3 100644
> --- a/package/asterisk/asterisk.hash
> +++ b/package/asterisk/asterisk.hash
> @@ -1,5 +1,5 @@
> # Locally computed
> -sha256 4cc403c8885d4aed3956dfb75d315d3e5bcc129eb9cd47c156d3b12ecceed1ba asterisk-22.3.0.tar.gz
> +sha256 8a94650b6f348af1f1c9cce7ed3585d280f3a31b0d3820084a42b03712df95d5 asterisk-22.5.2.tar.gz
>
> # Locally computed
> sha256 58bb83cec4d431f48d006e455d821668450f8cf6b6c95f090def47062fa3a60c pjproject-2.15.1.tar.bz2
> diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
> index e7e802aa45..9a071fb8e0 100644
> --- a/package/asterisk/asterisk.mk
> +++ b/package/asterisk/asterisk.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -ASTERISK_VERSION = 22.3.0
> +ASTERISK_VERSION = 22.5.2
> # Use the github mirror: it's an official mirror maintained by Digium, and
> # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
> ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2
2025-11-06 20:47 [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2 Bernd Kuhls
2025-11-12 20:44 ` Peter Korsgaard
2025-11-27 19:53 ` Arnout Vandecappelle via buildroot
@ 2025-12-09 8:39 ` Thomas Petazzoni via buildroot
2026-01-10 11:46 ` Waldemar Brodkorb
2 siblings, 1 reply; 5+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-12-09 8:39 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot, Titouan Christophe
Hello Bernd,
On Thu, 6 Nov 2025 21:47:37 +0100
Bernd Kuhls <bernd@kuhls.net> wrote:
> Fixes CVE-2025-1131:
> https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
>
> Acked-by: Titouan Christophe <titouan.christophe@mind.be>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
I'm not sure it's been introduced by this version bump, but Asterisk is
still causing quite a few build failures in the autobuilders.
I briefly looked into two of them:
- https://autobuild.buildroot.net/results/426/426336052c50768b06dd047ce4b8283e6da377d4/build-end.log
menuselect/menuselect: error while loading shared libraries: libxml2.so.16: cannot open shared object file: No such file or directory
The target asterisk package builds "menuselect" as a host tool, but
our $(HOST_LDFLAGS) are not passed when building menuselect, so it
doesn't have the right -Wl,-rpath flag passed, and therefore when it
tries to *run* menuselect, it doesn't find libxml2 in $(HOST_DIR)/lib
Not sure how to pass our HOST_LDFLAGS.
Also, since it builds menuselect for the host, is it still needed for
the target asterisk to depend on host-asterisk ?
- https://autobuild.buildroot.net/results/af9/af9c127965260044095f1fa98db88e1d1d762646/build-end.log
Invalid configuration `or1k-buildroot-linux-gnu': machine `or1k-buildroot' not recognized
The config.sub part of the pjsip code (downloaded as EXTRA_DOWNLOADS)
is very old, and doesn't know about or1k. It would have to be
overridden by our copy in support/gnuconfig/ (also config.guess).
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2
2025-12-09 8:39 ` Thomas Petazzoni via buildroot
@ 2026-01-10 11:46 ` Waldemar Brodkorb
0 siblings, 0 replies; 5+ messages in thread
From: Waldemar Brodkorb @ 2026-01-10 11:46 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: Bernd Kuhls, buildroot, Titouan Christophe
Hi Thomas,
Thomas Petazzoni via buildroot wrote,
> Hello Bernd,
>
> On Thu, 6 Nov 2025 21:47:37 +0100
> Bernd Kuhls <bernd@kuhls.net> wrote:
>
> > Fixes CVE-2025-1131:
> > https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
> >
> > Acked-by: Titouan Christophe <titouan.christophe@mind.be>
> > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
>
> I'm not sure it's been introduced by this version bump, but Asterisk is
> still causing quite a few build failures in the autobuilders.
>
> I briefly looked into two of them:
>
> - https://autobuild.buildroot.net/results/426/426336052c50768b06dd047ce4b8283e6da377d4/build-end.log
>
> menuselect/menuselect: error while loading shared libraries: libxml2.so.16: cannot open shared object file: No such file or directory
>
> The target asterisk package builds "menuselect" as a host tool, but
> our $(HOST_LDFLAGS) are not passed when building menuselect, so it
> doesn't have the right -Wl,-rpath flag passed, and therefore when it
> tries to *run* menuselect, it doesn't find libxml2 in $(HOST_DIR)/lib
>
> Not sure how to pass our HOST_LDFLAGS.
>
> Also, since it builds menuselect for the host, is it still needed for
> the target asterisk to depend on host-asterisk ?
The problem here is that somehow newer versions of Asterisk do
trigger sometimes a make clean before the build and then our
host-asterisk mechanism is useless, because menuselect is build
again without our HOST_LDFLAGS. I can reproduce the issue and have a
ugly one-liner patch preventing the cleanup.
Should I sent a patch?
best regards
Waldemar
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-01-10 11:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-06 20:47 [Buildroot] [PATCH v2 1/1] package/asterisk: security bump version to 22.5.2 Bernd Kuhls
2025-11-12 20:44 ` Peter Korsgaard
2025-11-27 19:53 ` Arnout Vandecappelle via buildroot
2025-12-09 8:39 ` Thomas Petazzoni via buildroot
2026-01-10 11:46 ` Waldemar Brodkorb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox