[Buildroot] [git commit branch/2022.02.x] package/asterisk: security bump to version 16.28.0
Peter Korsgaard
peter at korsgaard.com
Wed Nov 23 09:52:58 UTC 2022
commit: https://git.buildroot.net/buildroot/commit/?id=03798ced12d8c8e7c561caa956897ce2d277ad2b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Asterisk 16.26.0 fixed the following security issues:
- [ASTERISK-29476] - res_stir_shaken: Blind SSRF vulnerabilities
https://issues.asterisk.org/jira/browse/ASTERISK-29476
- [ASTERISK-29838] - ${SQL_ESC()} not correctly escaping a terminating \
https://issues.asterisk.org/jira/browse/ASTERISK-29838
- [ASTERISK-29872] - res_stir_shaken: Resource exhaustion with large files
https://issues.asterisk.org/jira/browse/ASTERISK-29872
https://www.asterisk.org/asterisk-news/asterisk-16-26-0-now-available/
It unfortunately also introduced a change to chan_iax2, breaking builds
without OpenSSL:
https://github.com/asterisk/asterisk/commit/59a8cdaca2dbb5eeb7382dfbe78c0c1cbed8ce6d
Which was again fixed in 16.28.0:
https://github.com/asterisk/asterisk/commit/f812dfb68c6ed7ae55b4c163716fd1ddc063ff54
So bump to 16.28.0:
https://www.asterisk.org/asterisk-news/asterisk-16-28-0-now-available/
The libxml2 support now uses pkg-config, so drop the libxml2-config handling:
https://github.com/asterisk/asterisk/commit/bf9dafa7c22302b2f1a12b8216da63102116d9c9
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
[yann.morin.1998 at free.fr:
- add host-pkgconf dep, don't rely on implicit dep from host-asterisk
]
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
(cherry picked from commit bd42aa1d0a3ed7a5845c7b5e7c8aeb82d899699c)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
package/asterisk/asterisk.hash | 2 +-
package/asterisk/asterisk.mk | 8 +++-----
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
index 880d67562d..9792d82ac5 100644
--- a/package/asterisk/asterisk.hash
+++ b/package/asterisk/asterisk.hash
@@ -1,5 +1,5 @@
# Locally computed
-sha256 0fb817943a276f5e540c2a9432e8841cd3393e7c1bd1250055c620902f6eafc8 asterisk-16.25.2.tar.gz
+sha256 6e9c2f350db018df854b1301687ced8993facb2787698336e55cd19e0ae3ebfe asterisk-16.28.0.tar.gz
# sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
# sha256 locally computed
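Review bot: The new sha256 for asterisk-16.28.0.tar.gz sits under "# Locally computed", so nothing in this file lets a reviewer check it against a value published upstream. For a security bump, say in the commit message how the tarball was fetched and hashed, or add a comment pointing at an upstream checksum or signature if one is published for this release.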
diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
index 9b59997b80..e0f28ae7ee 100644
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ASTERISK_VERSION = 16.25.2
+ASTERISK_VERSION = 16.28.0
# Use the github mirror: it's an official mirror maintained by Digium, and
# provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
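Review bot: ASTERISK_VERSION jumps from 16.25.2 to 16.28.0, but the commit message only covers the 16.26.0 security fixes and the 16.28.0 build fix, and 16.27.0 is not mentioned at all. Add the 16.27.0 release announcement link, or a line saying it carries no security fixes, so the log accounts for every release in the range.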
@@ -31,6 +31,7 @@ ASTERISK_AUTORECONF_OPTS = -Iautoconf -Ithird-party -Ithird-party/pjproject -Ith
ASTERISK_DEPENDENCIES = \
host-asterisk \
+ host-pkgconf \
jansson \
libcurl \
libedit \
@@ -115,8 +116,7 @@ ASTERISK_CONF_OPTS += --without-avcodec
ASTERISK_CONF_OPTS += --without-spandsp
ASTERISK_CONF_ENV = \
- ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true \
- ac_cv_path_CONFIG_LIBXML2=$(STAGING_DIR)/usr/bin/xml2-config
+ ac_cv_file_bridges_bridge_softmix_include_hrirs_h=true
# Uses __atomic_fetch_add_4
ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
@@ -314,8 +314,6 @@ HOST_ASTERISK_LICENSE_FILES = COPYING
# so do not inherit the target setup.
HOST_ASTERISK_AUTORECONF = NO
-HOST_ASTERISK_CONF_ENV = CONFIG_LIBXML2=$(HOST_DIR)/bin/xml2-config
-
HOST_ASTERISK_CONF_OPTS = \
--without-newt \
--without-curses \
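Review bot: Removing HOST_ASTERISK_CONF_ENV means the host configure no longer gets a path to xml2-config and, per the commit message, has to locate libxml2 through pkg-config, yet the only host-pkgconf addition visible in this patch is to the target ASTERISK_DEPENDENCIES. Please confirm that HOST_ASTERISK_DEPENDENCIES lists host-pkgconf explicitly, since that list is outside the context shown here.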