pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/comms/asterisk21
Module Name: pkgsrc
Committed By: jnemeth
Date: Mon Jul 13 04:13:31 UTC 2026
Modified Files:
pkgsrc/comms/asterisk21: Makefile PLIST distinfo
Log Message:
Update to Asterisk 21.12.3:
## Change Log for Release asterisk-21.12.3
### Links:
- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.12.3.html)
- [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.12.2...21.12.3)
### Summary:
- Commits: 21
- Commit Authors: 7
- Issues Resolved: 0
- Security Advisories Resolved: 20
- [GHSA-3g56-cgrh-95p5](https://github.com/asterisk/asterisk/security/advisories/GHSA-3g56-cgrh-95p5): chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- [GHSA-3rhj-hhw7-m6fw](https://github.com/asterisk/asterisk/security/advisories/GHSA-3rhj-hhw7-m6fw): NULL Pointer Dereference in HTTP AMI Digest Authentication
- [GHSA-4pgv-j3mr-3rcp](https://github.com/asterisk/asterisk/security/advisories/GHSA-4pgv-j3mr-3rcp): Reflected XSS in Phone Provisioning HTTP Error Pages
- [GHSA-589g-qgf8-m6mx](https://github.com/asterisk/asterisk/security/advisories/GHSA-589g-qgf8-m6mx): Stack buffer overflow in MWI NOTIFY Message-Account parsing
- [GHSA-746q-794h-cc7f](https://github.com/asterisk/asterisk/security/advisories/GHSA-746q-794h-cc7f): Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- [GHSA-8jhw-m2hg-vp3h](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jhw-m2hg-vp3h): Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- [GHSA-8jw3-ccr9-xrmf](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jw3-ccr9-xrmf): Buffer over-read in Asterisk PJSIP MWI body parser
- [GHSA-g8q2-p36q-94f6](https://github.com/asterisk/asterisk/security/advisories/GHSA-g8q2-p36q-94f6): Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP
processing
- [GHSA-h5hv-jmgj-92q2](https://github.com/asterisk/asterisk/security/advisories/GHSA-h5hv-jmgj-92q2): CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- [GHSA-j2mm-57pq-jh94](https://github.com/asterisk/asterisk/security/advisories/GHSA-j2mm-57pq-jh94): Possible RED T.140 Generation Accumulation OOB Write
- [GHSA-mxgm-8c6f-5p8f](https://github.com/asterisk/asterisk/security/advisories/GHSA-mxgm-8c6f-5p8f): Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- [GHSA-ph27-3m5q-mj5m](https://github.com/asterisk/asterisk/security/advisories/GHSA-ph27-3m5q-mj5m): SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- [GHSA-q9fr-m7g8-6ph5](https://github.com/asterisk/asterisk/security/advisories/GHSA-q9fr-m7g8-6ph5): Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- [GHSA-qf8j-jp7h-c5hx](https://github.com/asterisk/asterisk/security/advisories/GHSA-qf8j-jp7h-c5hx): Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- [GHSA-r6c2-hwc2-j4mp](https://github.com/asterisk/asterisk/security/advisories/GHSA-r6c2-hwc2-j4mp): LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information
Disclosure)
- [GHSA-vfhr-r9x9-c687](https://github.com/asterisk/asterisk/security/advisories/GHSA-vfhr-r9x9-c687): Possible RED T.140 Heap Buffer Overflow
- [GHSA-vrfp-mg3q-3959](https://github.com/asterisk/asterisk/security/advisories/GHSA-vrfp-mg3q-3959): ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- [GHSA-wcvv-g26m-wx5c](https://github.com/asterisk/asterisk/security/advisories/GHSA-wcvv-g26m-wx5c): ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- [GHSA-x348-j6c9-77f3](https://github.com/asterisk/asterisk/security/advisories/GHSA-x348-j6c9-77f3): Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- [GHSA-xgj6-2gc5-5x9c](https://github.com/asterisk/asterisk/security/advisories/GHSA-xgj6-2gc5-5x9c): ast_loggrabber executes python script in world writable directory(`/tmp`) leading to potential
privilege escalation And RCE
### User Notes:
- #### acl: Add ACL support to http and ari
A new section, type=restriction has been added to http.conf
to allow an uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users access. See ari.conf.sample for examples and more
information
### Developer Notes:
- #### ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
### Commit Authors:
- George Joseph: (6)
- Joshua C. Colp: (1)
- Mike Bradeen: (4)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
## Issue and Commit Detail:
### Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(`/tmp`) leading to potential privilege escalation And RCE
### Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- ooh323c: not checking for IE minimum length
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- acl: Add ACL support to http and ari
- build: Fix GCC discarded-qualifiers const errors.
To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 pkgsrc/comms/asterisk21/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/comms/asterisk21/PLIST
cvs rdiff -u -r1.12 -r1.13 pkgsrc/comms/asterisk21/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/comms/asterisk21/Makefile
diff -u pkgsrc/comms/asterisk21/Makefile:1.27 pkgsrc/comms/asterisk21/Makefile:1.28
--- pkgsrc/comms/asterisk21/Makefile:1.27 Thu May 14 16:40:32 2026
+++ pkgsrc/comms/asterisk21/Makefile Mon Jul 13 04:13:31 2026
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.27 2026/05/14 16:40:32 ryoon Exp $
+# $NetBSD: Makefile,v 1.28 2026/07/13 04:13:31 jnemeth Exp $
#
# NOTE: when updating this package, there are two places that sound
# tarballs need to be checked; look in ${WRKSRC}/sounds/Makefile
# to find out the current sound file versions
# Also look in ${WRKSRC}/third-party/versions.mak for pjproject
-DISTNAME= asterisk-21.12.2
-PKGREVISION= 1
+DISTNAME= asterisk-21.12.3
CATEGORIES= comms net audio
MASTER_SITES= https://downloads.asterisk.org/pub/telephony/asterisk/
MASTER_SITES+= https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
@@ -278,6 +277,7 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.0.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.1.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.2.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+ ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.3.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.8.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.9.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.10.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
@@ -287,6 +287,7 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.1.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.2.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+ ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-21.12.3.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/historical/CHANGES ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/LICENSE ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/README-SERIOUSLY.bestpractices.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
Index: pkgsrc/comms/asterisk21/PLIST
diff -u pkgsrc/comms/asterisk21/PLIST:1.11 pkgsrc/comms/asterisk21/PLIST:1.12
--- pkgsrc/comms/asterisk21/PLIST:1.11 Mon Mar 30 02:38:39 2026
+++ pkgsrc/comms/asterisk21/PLIST Mon Jul 13 04:13:31 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.11 2026/03/30 02:38:39 jnemeth Exp $
+@comment $NetBSD: PLIST,v 1.12 2026/07/13 04:13:31 jnemeth Exp $
lib/asterisk/libasteriskpj.so
lib/asterisk/libasteriskpj.so.2
lib/asterisk/modules/app_adsiprog.so
@@ -2335,6 +2335,8 @@ share/doc/asterisk/ChangeLog-21.12.1.htm
share/doc/asterisk/ChangeLog-21.12.1.md
share/doc/asterisk/ChangeLog-21.12.2.html
share/doc/asterisk/ChangeLog-21.12.2.md
+share/doc/asterisk/ChangeLog-21.12.3.html
+share/doc/asterisk/ChangeLog-21.12.3.md
share/doc/asterisk/ChangeLog-21.2.0.md
share/doc/asterisk/ChangeLog-21.3.0.md
share/doc/asterisk/ChangeLog-21.3.1.md
Index: pkgsrc/comms/asterisk21/distinfo
diff -u pkgsrc/comms/asterisk21/distinfo:1.12 pkgsrc/comms/asterisk21/distinfo:1.13
--- pkgsrc/comms/asterisk21/distinfo:1.12 Mon Mar 30 02:38:39 2026
+++ pkgsrc/comms/asterisk21/distinfo Mon Jul 13 04:13:31 2026
@@ -1,17 +1,17 @@
-$NetBSD: distinfo,v 1.12 2026/03/30 02:38:39 jnemeth Exp $
+$NetBSD: distinfo,v 1.13 2026/07/13 04:13:31 jnemeth Exp $
-BLAKE2s (asterisk-21.12.2/asterisk-21.12.2.tar.gz) = ee55a88bf1c85c068dbfc4346ef2cda11cb6ecf61916e046a78cee411f4fe90f
-SHA512 (asterisk-21.12.2/asterisk-21.12.2.tar.gz) = 821a78ea484fc43d2745a4e261663fcfd776d699df99bc5c995507aacab8c0f852952b217b877d9897f4308e9528d08a4009acb9717eec538ee693e9e9d8eac4
-Size (asterisk-21.12.2/asterisk-21.12.2.tar.gz) = 26608590 bytes
-BLAKE2s (asterisk-21.12.2/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
-SHA512 (asterisk-21.12.2/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
-Size (asterisk-21.12.2/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
-BLAKE2s (asterisk-21.12.2/pjproject-2.15.1.md5) = 1bdb00828816aff69f43eaacd084bd7d0a48670af33110bd0cd6325ead45aa48
-SHA512 (asterisk-21.12.2/pjproject-2.15.1.md5) = 75963b64e702a5810fd5b8b574a07396cab1a87543d806135e7a9b9762d35129354f99283252f40ad75a6a94cd1921f164ed8e63174de0c5430e5c6913d21744
-Size (asterisk-21.12.2/pjproject-2.15.1.md5) = 172 bytes
-BLAKE2s (asterisk-21.12.2/pjproject-2.15.1.tar.bz2) = 2bcb38884531f0be966c78b6bac45ac63d8c612c060da91c584d192fe0fdf9cd
-SHA512 (asterisk-21.12.2/pjproject-2.15.1.tar.bz2) = c080eb44b49fccadb1c76ff2b3221935b0d531a1e2087b47c21b4ec2cdd8ee0e62b13c334495c9c759b348a0792204611987089a6aa6264999f0116aec8dbdfd
-Size (asterisk-21.12.2/pjproject-2.15.1.tar.bz2) = 8492214 bytes
+BLAKE2s (asterisk-21.12.3/asterisk-21.12.3.tar.gz) = d452b02fd4388980f444dd0740e451f5194589decbc350786a0d18792231821d
+SHA512 (asterisk-21.12.3/asterisk-21.12.3.tar.gz) = 85745610143582bf0c144d675ed1ecdc9a64a2ccf3de4498375ebabfee33f09d8f48d3ffe5509bff3b2da8fad449fa309af2199a14fdc7153c87a71cc24bf6a6
+Size (asterisk-21.12.3/asterisk-21.12.3.tar.gz) = 26622723 bytes
+BLAKE2s (asterisk-21.12.3/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
+SHA512 (asterisk-21.12.3/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
+Size (asterisk-21.12.3/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
+BLAKE2s (asterisk-21.12.3/pjproject-2.15.1.md5) = 1bdb00828816aff69f43eaacd084bd7d0a48670af33110bd0cd6325ead45aa48
+SHA512 (asterisk-21.12.3/pjproject-2.15.1.md5) = 75963b64e702a5810fd5b8b574a07396cab1a87543d806135e7a9b9762d35129354f99283252f40ad75a6a94cd1921f164ed8e63174de0c5430e5c6913d21744
+Size (asterisk-21.12.3/pjproject-2.15.1.md5) = 172 bytes
+BLAKE2s (asterisk-21.12.3/pjproject-2.15.1.tar.bz2) = 2bcb38884531f0be966c78b6bac45ac63d8c612c060da91c584d192fe0fdf9cd
+SHA512 (asterisk-21.12.3/pjproject-2.15.1.tar.bz2) = c080eb44b49fccadb1c76ff2b3221935b0d531a1e2087b47c21b4ec2cdd8ee0e62b13c334495c9c759b348a0792204611987089a6aa6264999f0116aec8dbdfd
+Size (asterisk-21.12.3/pjproject-2.15.1.tar.bz2) = 8492214 bytes
SHA1 (patch-Makefile) = 5cf3b6937ec23a82e4d056b91e493a36bc1089b9
SHA1 (patch-addons_chan__ooh323.c) = 1775da7ca2129a962ed460bd1e78ba3ce6afa62c
SHA1 (patch-apps_app__adsiprog.c) = 031139e5cd1ef6bb2afb0a74fee3d752eded0a2c
Home |
Main Index |
Thread Index |
Old Index