[Buildroot] [PATCH] package/asterisk: security bump to version 16.28.0
Peter Korsgaard
peter at korsgaard.com
Wed Nov 23 09:53:11 UTC 2022
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Asterisk 16.26.0 fixed the following security issues:
> - [ASTERISK-29476] – res_stir_shaken: Blind SSRF vulnerabilities
> https://issues.asterisk.org/jira/browse/ASTERISK-29476
> - [ASTERISK-29838] – ${SQL_ESC()} not correctly escaping a terminating \
> https://issues.asterisk.org/jira/browse/ASTERISK-29838
> - [ASTERISK-29872] – res_stir_shaken: Resource exhaustion with large files
> https://issues.asterisk.org/jira/browse/ASTERISK-29872
> https://www.asterisk.org/asterisk-news/asterisk-16-26-0-now-available/
> It unfortunately also introduced a change to chan_iax2, breaking builds
> without OpenSSL:
> https://github.com/asterisk/asterisk/commit/59a8cdaca2dbb5eeb7382dfbe78c0c1cbed8ce6d
> Which was again fixed in 16.28.0:
> https://github.com/asterisk/asterisk/commit/f812dfb68c6ed7ae55b4c163716fd1ddc063ff54
> So bump to 16.28.0:
> https://www.asterisk.org/asterisk-news/asterisk-16-28-0-now-available/
> The libxml2 support now uses pkg-config, so drop the libxml2-config handling:
> https://github.com/asterisk/asterisk/commit/bf9dafa7c22302b2f1a12b8216da63102116d9c9
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard