pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/comms/asterisk22
Module Name: pkgsrc
Committed By: jnemeth
Date: Mon Jul 13 04:56:57 UTC 2026
Modified Files:
pkgsrc/comms/asterisk22: Makefile PLIST distinfo
Log Message:
Update to Asterisk 22.10.1:
## Change Log for Release asterisk-22.10.1
### Links:
- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.10.1.html)
- [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.10.0...22.10.1)
### Summary:
- Commits: 19
- Commit Authors: 6
- Issues Resolved: 0
- Security Advisories Resolved: 20
- [GHSA-3g56-cgrh-95p5](https://github.com/asterisk/asterisk/security/advisories/GHSA-3g56-cgrh-95p5): chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- [GHSA-3rhj-hhw7-m6fw](https://github.com/asterisk/asterisk/security/advisories/GHSA-3rhj-hhw7-m6fw): NULL Pointer Dereference in HTTP AMI Digest Authentication
- [GHSA-4pgv-j3mr-3rcp](https://github.com/asterisk/asterisk/security/advisories/GHSA-4pgv-j3mr-3rcp): Reflected XSS in Phone Provisioning HTTP Error Pages
- [GHSA-589g-qgf8-m6mx](https://github.com/asterisk/asterisk/security/advisories/GHSA-589g-qgf8-m6mx): Stack buffer overflow in MWI NOTIFY Message-Account parsing
- [GHSA-746q-794h-cc7f](https://github.com/asterisk/asterisk/security/advisories/GHSA-746q-794h-cc7f): Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- [GHSA-8jhw-m2hg-vp3h](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jhw-m2hg-vp3h): Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- [GHSA-8jw3-ccr9-xrmf](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jw3-ccr9-xrmf): Buffer over-read in Asterisk PJSIP MWI body parser
- [GHSA-g8q2-p36q-94f6](https://github.com/asterisk/asterisk/security/advisories/GHSA-g8q2-p36q-94f6): Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP
processing
- [GHSA-h5hv-jmgj-92q2](https://github.com/asterisk/asterisk/security/advisories/GHSA-h5hv-jmgj-92q2): CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- [GHSA-j2mm-57pq-jh94](https://github.com/asterisk/asterisk/security/advisories/GHSA-j2mm-57pq-jh94): Possible RED T.140 Generation Accumulation OOB Write
- [GHSA-mxgm-8c6f-5p8f](https://github.com/asterisk/asterisk/security/advisories/GHSA-mxgm-8c6f-5p8f): Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- [GHSA-ph27-3m5q-mj5m](https://github.com/asterisk/asterisk/security/advisories/GHSA-ph27-3m5q-mj5m): SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- [GHSA-q9fr-m7g8-6ph5](https://github.com/asterisk/asterisk/security/advisories/GHSA-q9fr-m7g8-6ph5): Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- [GHSA-qf8j-jp7h-c5hx](https://github.com/asterisk/asterisk/security/advisories/GHSA-qf8j-jp7h-c5hx): Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- [GHSA-r6c2-hwc2-j4mp](https://github.com/asterisk/asterisk/security/advisories/GHSA-r6c2-hwc2-j4mp): LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information
Disclosure)
- [GHSA-vfhr-r9x9-c687](https://github.com/asterisk/asterisk/security/advisories/GHSA-vfhr-r9x9-c687): Possible RED T.140 Heap Buffer Overflow
- [GHSA-vrfp-mg3q-3959](https://github.com/asterisk/asterisk/security/advisories/GHSA-vrfp-mg3q-3959): ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- [GHSA-wcvv-g26m-wx5c](https://github.com/asterisk/asterisk/security/advisories/GHSA-wcvv-g26m-wx5c): ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- [GHSA-x348-j6c9-77f3](https://github.com/asterisk/asterisk/security/advisories/GHSA-x348-j6c9-77f3): Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- [GHSA-xgj6-2gc5-5x9c](https://github.com/asterisk/asterisk/security/advisories/GHSA-xgj6-2gc5-5x9c): ast_loggrabber executes python script in world writable directory(`/tmp`) leading to potential
privilege escalation And RCE
### Upgrade Notes:
### Developer Notes:
- #### ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
### Commit Authors:
- George Joseph: (6)
- Mike Bradeen: (3)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
## Issue and Commit Detail:
### Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(`/tmp`) leading to potential privilege escalation And RCE
### Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- ooh323c: not checking for IE minimum length
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/comms/asterisk22/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/comms/asterisk22/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/comms/asterisk22/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/comms/asterisk22/Makefile
diff -u pkgsrc/comms/asterisk22/Makefile:1.23 pkgsrc/comms/asterisk22/Makefile:1.24
--- pkgsrc/comms/asterisk22/Makefile:1.23 Mon Jun 22 02:21:18 2026
+++ pkgsrc/comms/asterisk22/Makefile Mon Jul 13 04:56:57 2026
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.23 2026/06/22 02:21:18 jnemeth Exp $
+# $NetBSD: Makefile,v 1.24 2026/07/13 04:56:57 jnemeth Exp $
#
# NOTE: when updating this package, there are two places that sound
# tarballs need to be checked; look in ${WRKSRC}/sounds/Makefile
# to find out the current sound file versions
# Also look in ${WRKSRC}/third-party/versions.mak for pjproject
-DISTNAME= asterisk-22.10.0
+DISTNAME= asterisk-22.10.1
CATEGORIES= comms net audio
MASTER_SITES= https://downloads.asterisk.org/pub/telephony/asterisk/
MASTER_SITES+= https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
@@ -269,6 +269,7 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.8.2.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.9.0.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.10.0.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+ ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.10.1.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.3.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.4.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.5.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
@@ -281,6 +282,7 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.8.2.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.9.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.10.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+ ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-22.10.1.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/LICENSE ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/README-SERIOUSLY.bestpractices.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
${INSTALL_DATA} ${WRKSRC}/README.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
Index: pkgsrc/comms/asterisk22/PLIST
diff -u pkgsrc/comms/asterisk22/PLIST:1.9 pkgsrc/comms/asterisk22/PLIST:1.10
--- pkgsrc/comms/asterisk22/PLIST:1.9 Mon Jun 22 02:21:18 2026
+++ pkgsrc/comms/asterisk22/PLIST Mon Jul 13 04:56:57 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2026/06/22 02:21:18 jnemeth Exp $
+@comment $NetBSD: PLIST,v 1.10 2026/07/13 04:56:57 jnemeth Exp $
lib/asterisk/libasteriskpj.so
lib/asterisk/libasteriskpj.so.2
lib/asterisk/modules/app_adsiprog.so
@@ -2325,6 +2325,8 @@ share/doc/asterisk/ChangeLog-22.1.0.md
share/doc/asterisk/ChangeLog-22.1.1.md
share/doc/asterisk/ChangeLog-22.10.0.html
share/doc/asterisk/ChangeLog-22.10.0.md
+share/doc/asterisk/ChangeLog-22.10.1.html
+share/doc/asterisk/ChangeLog-22.10.1.md
share/doc/asterisk/ChangeLog-22.2.0.md
share/doc/asterisk/ChangeLog-22.3.0.html
share/doc/asterisk/ChangeLog-22.3.0.md
Index: pkgsrc/comms/asterisk22/distinfo
diff -u pkgsrc/comms/asterisk22/distinfo:1.10 pkgsrc/comms/asterisk22/distinfo:1.11
--- pkgsrc/comms/asterisk22/distinfo:1.10 Mon Jun 22 02:21:18 2026
+++ pkgsrc/comms/asterisk22/distinfo Mon Jul 13 04:56:57 2026
@@ -1,17 +1,17 @@
-$NetBSD: distinfo,v 1.10 2026/06/22 02:21:18 jnemeth Exp $
+$NetBSD: distinfo,v 1.11 2026/07/13 04:56:57 jnemeth Exp $
-BLAKE2s (asterisk-22.10.0/asterisk-22.10.0.tar.gz) = d572a794d2aadfa480b2a1efb0b3bca1b4bb5db5fe81f901412ad53eb1acfed2
-SHA512 (asterisk-22.10.0/asterisk-22.10.0.tar.gz) = c05ff7b6c58fce5627fa71306f0cd1976c65828d590992331d34946f5437c6019fdcbc2621445d4a10f6dbdadec371d1d0fb41cc0a0250b94de92e0f8f668f91
-Size (asterisk-22.10.0/asterisk-22.10.0.tar.gz) = 26662183 bytes
-BLAKE2s (asterisk-22.10.0/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
-SHA512 (asterisk-22.10.0/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
-Size (asterisk-22.10.0/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
-BLAKE2s (asterisk-22.10.0/pjproject-2.17.md5) = 40b4cd26a5101f81b6d57f5d8b8a74fe4b296292b21677e02a1bcc73d0d3a3c3
-SHA512 (asterisk-22.10.0/pjproject-2.17.md5) = 8946eebc9d7d472e001d03602a8a6b12632734dbc665acb5aca60c0f83ebbd4d69d31c06096fde44907ce2040be5fd4145ff7fcaaa2f681f90600faa0ed5f294
-Size (asterisk-22.10.0/pjproject-2.17.md5) = 166 bytes
-BLAKE2s (asterisk-22.10.0/pjproject-2.17.tar.bz2) = 3909b745c89a119f41126ee49ea196d5bf6889fdcbeb22d266dabc3fd339dd96
-SHA512 (asterisk-22.10.0/pjproject-2.17.tar.bz2) = b523b3761aab8931ad2a940d107861caf346e3c5cf9b12d23b5b267b8f3b4758ee842b401f1199c3ceb7e78bbaf0d2a167d2574222c51e6016586eb2caa1e33d
-Size (asterisk-22.10.0/pjproject-2.17.tar.bz2) = 8975382 bytes
+BLAKE2s (asterisk-22.10.1/asterisk-22.10.1.tar.gz) = 56ddcac1f067faeb879506ea7d924c8096b56d7b61069fd847fb080f99566645
+SHA512 (asterisk-22.10.1/asterisk-22.10.1.tar.gz) = d2ffc95d6e8e3f5ea3ccb5cd40ead62323978b1af563c338b53a03ba45d4f40cee4eabd6f7aa4cd48e59c5741f4fa05dea5905593d1971371f77205ebe4bd967
+Size (asterisk-22.10.1/asterisk-22.10.1.tar.gz) = 26672088 bytes
+BLAKE2s (asterisk-22.10.1/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
+SHA512 (asterisk-22.10.1/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
+Size (asterisk-22.10.1/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
+BLAKE2s (asterisk-22.10.1/pjproject-2.17.md5) = 40b4cd26a5101f81b6d57f5d8b8a74fe4b296292b21677e02a1bcc73d0d3a3c3
+SHA512 (asterisk-22.10.1/pjproject-2.17.md5) = 8946eebc9d7d472e001d03602a8a6b12632734dbc665acb5aca60c0f83ebbd4d69d31c06096fde44907ce2040be5fd4145ff7fcaaa2f681f90600faa0ed5f294
+Size (asterisk-22.10.1/pjproject-2.17.md5) = 166 bytes
+BLAKE2s (asterisk-22.10.1/pjproject-2.17.tar.bz2) = 3909b745c89a119f41126ee49ea196d5bf6889fdcbeb22d266dabc3fd339dd96
+SHA512 (asterisk-22.10.1/pjproject-2.17.tar.bz2) = b523b3761aab8931ad2a940d107861caf346e3c5cf9b12d23b5b267b8f3b4758ee842b401f1199c3ceb7e78bbaf0d2a167d2574222c51e6016586eb2caa1e33d
+Size (asterisk-22.10.1/pjproject-2.17.tar.bz2) = 8975382 bytes
SHA1 (patch-Makefile) = 5cf3b6937ec23a82e4d056b91e493a36bc1089b9
SHA1 (patch-addons_chan__ooh323.c) = 1775da7ca2129a962ed460bd1e78ba3ce6afa62c
SHA1 (patch-apps_app__adsiprog.c) = 031139e5cd1ef6bb2afb0a74fee3d752eded0a2c
Home |
Main Index |
Thread Index |
Old Index