pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/comms/asterisk23



Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Mon Jul 13 05:09:27 UTC 2026

Modified Files:
        pkgsrc/comms/asterisk23: Makefile PLIST distinfo

Log Message:
Update to Asterisk 23.4.1:

## Change Log for Release asterisk-23.4.1

### Links:

 - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-23.4.1.html)
 - [GitHub Diff](https://github.com/asterisk/asterisk/compare/23.4.0...23.4.1)

### Summary:

- Commits: 19
- Commit Authors: 6
- Issues Resolved: 0
- Security Advisories Resolved: 20
  - [GHSA-3g56-cgrh-95p5](https://github.com/asterisk/asterisk/security/advisories/GHSA-3g56-cgrh-95p5): chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
  - [GHSA-3rhj-hhw7-m6fw](https://github.com/asterisk/asterisk/security/advisories/GHSA-3rhj-hhw7-m6fw): NULL Pointer Dereference in HTTP AMI Digest Authentication
  - [GHSA-4pgv-j3mr-3rcp](https://github.com/asterisk/asterisk/security/advisories/GHSA-4pgv-j3mr-3rcp): Reflected XSS in Phone Provisioning HTTP Error Pages
  - [GHSA-589g-qgf8-m6mx](https://github.com/asterisk/asterisk/security/advisories/GHSA-589g-qgf8-m6mx): Stack buffer overflow in MWI NOTIFY Message-Account parsing
  - [GHSA-746q-794h-cc7f](https://github.com/asterisk/asterisk/security/advisories/GHSA-746q-794h-cc7f): Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
  - [GHSA-8jhw-m2hg-vp3h](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jhw-m2hg-vp3h): Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
  - [GHSA-8jw3-ccr9-xrmf](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jw3-ccr9-xrmf): Buffer over-read in Asterisk PJSIP MWI body parser
  - [GHSA-g8q2-p36q-94f6](https://github.com/asterisk/asterisk/security/advisories/GHSA-g8q2-p36q-94f6): Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP 
processing
  - [GHSA-h5hv-jmgj-92q2](https://github.com/asterisk/asterisk/security/advisories/GHSA-h5hv-jmgj-92q2): CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
  - [GHSA-j2mm-57pq-jh94](https://github.com/asterisk/asterisk/security/advisories/GHSA-j2mm-57pq-jh94): Possible RED T.140 Generation Accumulation OOB Write
  - [GHSA-mxgm-8c6f-5p8f](https://github.com/asterisk/asterisk/security/advisories/GHSA-mxgm-8c6f-5p8f): Stack buffer overflow in res_xmpp XMPP namespace prefix handling
  - [GHSA-ph27-3m5q-mj5m](https://github.com/asterisk/asterisk/security/advisories/GHSA-ph27-3m5q-mj5m): SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
  - [GHSA-q9fr-m7g8-6ph5](https://github.com/asterisk/asterisk/security/advisories/GHSA-q9fr-m7g8-6ph5): Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
  - [GHSA-qf8j-jp7h-c5hx](https://github.com/asterisk/asterisk/security/advisories/GHSA-qf8j-jp7h-c5hx): Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
  - [GHSA-r6c2-hwc2-j4mp](https://github.com/asterisk/asterisk/security/advisories/GHSA-r6c2-hwc2-j4mp): LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information 
Disclosure)
  - [GHSA-vfhr-r9x9-c687](https://github.com/asterisk/asterisk/security/advisories/GHSA-vfhr-r9x9-c687): Possible RED T.140 Heap Buffer Overflow
  - [GHSA-vrfp-mg3q-3959](https://github.com/asterisk/asterisk/security/advisories/GHSA-vrfp-mg3q-3959): ARI setChannelVar bypasses live_dangerously and permits FILE() writes
  - [GHSA-wcvv-g26m-wx5c](https://github.com/asterisk/asterisk/security/advisories/GHSA-wcvv-g26m-wx5c): ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
  - [GHSA-x348-j6c9-77f3](https://github.com/asterisk/asterisk/security/advisories/GHSA-x348-j6c9-77f3): Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
  - [GHSA-xgj6-2gc5-5x9c](https://github.com/asterisk/asterisk/security/advisories/GHSA-xgj6-2gc5-5x9c): ast_loggrabber executes python script in world writable directory(`/tmp`) leading to potential 
privilege escalation And RCE

### Developer Notes:

- #### ARI: Make ARI applications respect live_dangerously.
  ARI applications can no longer call "dangerous" dialplan
  functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
  enabling "live_dangerously" in asterisk.conf.
  Resolves: #GHSA-vrfp-mg3q-3959

### Commit Authors:

- George Joseph: (6)
- Mike Bradeen: (3)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)

## Issue and Commit Detail:

### Closed Issues:

  - !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
  - !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
  - !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
  - !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
  - !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
  - !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
  - !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
  - !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
  - !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
  - !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
  - !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
  - !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
  - !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
  - !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
  - !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
  - !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
  - !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
  - !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
  - !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
  - !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(`/tmp`) leading to potential privilege escalation And RCE

### Commit List:

-  ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
-  chan_unistim.c: Prevent overrun of phone_number field.
-  ooh323c: not checking for IE minimum length
-  res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
-  pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
-  ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
-  ARI: Make ARI applications respect live_dangerously.
-  res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
-  res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
-  manager: Use remote address in user error logging
-  ooh323: Prevent potential buffer overflow in trace logging
-  app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
-  res_xmpp: Fix stack buffer overflow in namespace prefix handling
-  res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
-  res_config_ldap: Escape LDAP filter values per RFC 4515
-  cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
-  http: Escape error page text to prevent reflected XSS
-  codec_codec2: Only process complete Codec2 frames in decoder
-  format_ogg_speex: Add bounds check to prevent heap buffer overflow


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/comms/asterisk23/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/comms/asterisk23/PLIST \
    pkgsrc/comms/asterisk23/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/comms/asterisk23/Makefile
diff -u pkgsrc/comms/asterisk23/Makefile:1.9 pkgsrc/comms/asterisk23/Makefile:1.10
--- pkgsrc/comms/asterisk23/Makefile:1.9        Mon Jun 22 02:59:47 2026
+++ pkgsrc/comms/asterisk23/Makefile    Mon Jul 13 05:09:27 2026
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.9 2026/06/22 02:59:47 jnemeth Exp $
+# $NetBSD: Makefile,v 1.10 2026/07/13 05:09:27 jnemeth Exp $
 #
 # NOTE: when updating this package, there are two places that sound
 #       tarballs need to be checked; look in ${WRKSRC}/sounds/Makefile
 #       to find out the current sound file versions
 #       Also look in ${WRKSRC}/third-party/versions.mak for pjproject
 
-DISTNAME=      asterisk-23.4.0
+DISTNAME=      asterisk-23.4.1
 CATEGORIES=    comms net audio
 MASTER_SITES=  https://downloads.asterisk.org/pub/telephony/asterisk/
 MASTER_SITES+= https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
@@ -268,6 +268,8 @@ post-install:
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-23.3.0.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-23.4.0.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-23.4.0.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+       ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-23.4.1.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+       ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-23.4.1.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/LICENSE ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/README-SERIOUSLY.bestpractices.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/README.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}

Index: pkgsrc/comms/asterisk23/PLIST
diff -u pkgsrc/comms/asterisk23/PLIST:1.5 pkgsrc/comms/asterisk23/PLIST:1.6
--- pkgsrc/comms/asterisk23/PLIST:1.5   Mon Jun 22 02:59:47 2026
+++ pkgsrc/comms/asterisk23/PLIST       Mon Jul 13 05:09:27 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2026/06/22 02:59:47 jnemeth Exp $
+@comment $NetBSD: PLIST,v 1.6 2026/07/13 05:09:27 jnemeth Exp $
 lib/asterisk/libasteriskpj.so
 lib/asterisk/libasteriskpj.so.2
 lib/asterisk/modules/app_adsiprog.so
@@ -2323,6 +2323,7 @@ share/doc/asterisk/ChangeLog-23.2.1.html
 share/doc/asterisk/ChangeLog-23.2.2.html
 share/doc/asterisk/ChangeLog-23.3.0.html
 share/doc/asterisk/ChangeLog-23.4.0.html
+share/doc/asterisk/ChangeLog-23.4.1.html
 share/doc/asterisk/ChangeLog-23.0.0.md
 share/doc/asterisk/ChangeLog-23.1.0.md
 share/doc/asterisk/ChangeLog-23.2.0.md
@@ -2330,6 +2331,7 @@ share/doc/asterisk/ChangeLog-23.2.1.md
 share/doc/asterisk/ChangeLog-23.2.2.md
 share/doc/asterisk/ChangeLog-23.3.0.md
 share/doc/asterisk/ChangeLog-23.4.0.md
+share/doc/asterisk/ChangeLog-23.4.1.md
 share/doc/asterisk/IAX2-security.pdf
 share/doc/asterisk/IAX2-security.txt
 share/doc/asterisk/LICENSE
Index: pkgsrc/comms/asterisk23/distinfo
diff -u pkgsrc/comms/asterisk23/distinfo:1.5 pkgsrc/comms/asterisk23/distinfo:1.6
--- pkgsrc/comms/asterisk23/distinfo:1.5        Mon Jun 22 02:59:47 2026
+++ pkgsrc/comms/asterisk23/distinfo    Mon Jul 13 05:09:27 2026
@@ -1,17 +1,17 @@
-$NetBSD: distinfo,v 1.5 2026/06/22 02:59:47 jnemeth Exp $
+$NetBSD: distinfo,v 1.6 2026/07/13 05:09:27 jnemeth Exp $
 
-BLAKE2s (asterisk-23.4.0/asterisk-23.4.0.tar.gz) = 4dacf1403121ee6e897c851c815b780d5ad91685ad68e095655a09f7b4696ce2
-SHA512 (asterisk-23.4.0/asterisk-23.4.0.tar.gz) = da50d6d26e631e6a5e90d6eb5efa78c46fb9e852eb0bcfe01b7e82332e3361b024bd9a1e63d9c5f21d56cd3e3817f28b1a97d7be7f2194e0d506560d3a07071c
-Size (asterisk-23.4.0/asterisk-23.4.0.tar.gz) = 26525287 bytes
-BLAKE2s (asterisk-23.4.0/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
-SHA512 (asterisk-23.4.0/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
-Size (asterisk-23.4.0/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
-BLAKE2s (asterisk-23.4.0/pjproject-2.17.md5) = 40b4cd26a5101f81b6d57f5d8b8a74fe4b296292b21677e02a1bcc73d0d3a3c3
-SHA512 (asterisk-23.4.0/pjproject-2.17.md5) = 8946eebc9d7d472e001d03602a8a6b12632734dbc665acb5aca60c0f83ebbd4d69d31c06096fde44907ce2040be5fd4145ff7fcaaa2f681f90600faa0ed5f294
-Size (asterisk-23.4.0/pjproject-2.17.md5) = 166 bytes
-BLAKE2s (asterisk-23.4.0/pjproject-2.17.tar.bz2) = 3909b745c89a119f41126ee49ea196d5bf6889fdcbeb22d266dabc3fd339dd96
-SHA512 (asterisk-23.4.0/pjproject-2.17.tar.bz2) = b523b3761aab8931ad2a940d107861caf346e3c5cf9b12d23b5b267b8f3b4758ee842b401f1199c3ceb7e78bbaf0d2a167d2574222c51e6016586eb2caa1e33d
-Size (asterisk-23.4.0/pjproject-2.17.tar.bz2) = 8975382 bytes
+BLAKE2s (asterisk-23.4.1/asterisk-23.4.1.tar.gz) = ee8624676e494abc20538d89c9fab7c81d361e4ccfac28c20a2a7d2f3f3cd172
+SHA512 (asterisk-23.4.1/asterisk-23.4.1.tar.gz) = b189526328c72d544875ba48a5946ec33aa454739e38e0e7e1e0495604d9cdb96ed4eeae54dd0c6a0d7328022e9737e76097a13ca682a053a1e465d805621501
+Size (asterisk-23.4.1/asterisk-23.4.1.tar.gz) = 26534868 bytes
+BLAKE2s (asterisk-23.4.1/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
+SHA512 (asterisk-23.4.1/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
+Size (asterisk-23.4.1/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
+BLAKE2s (asterisk-23.4.1/pjproject-2.17.md5) = 40b4cd26a5101f81b6d57f5d8b8a74fe4b296292b21677e02a1bcc73d0d3a3c3
+SHA512 (asterisk-23.4.1/pjproject-2.17.md5) = 8946eebc9d7d472e001d03602a8a6b12632734dbc665acb5aca60c0f83ebbd4d69d31c06096fde44907ce2040be5fd4145ff7fcaaa2f681f90600faa0ed5f294
+Size (asterisk-23.4.1/pjproject-2.17.md5) = 166 bytes
+BLAKE2s (asterisk-23.4.1/pjproject-2.17.tar.bz2) = 3909b745c89a119f41126ee49ea196d5bf6889fdcbeb22d266dabc3fd339dd96
+SHA512 (asterisk-23.4.1/pjproject-2.17.tar.bz2) = b523b3761aab8931ad2a940d107861caf346e3c5cf9b12d23b5b267b8f3b4758ee842b401f1199c3ceb7e78bbaf0d2a167d2574222c51e6016586eb2caa1e33d
+Size (asterisk-23.4.1/pjproject-2.17.tar.bz2) = 8975382 bytes
 SHA1 (patch-Makefile) = 5cf3b6937ec23a82e4d056b91e493a36bc1089b9
 SHA1 (patch-addons_chan__ooh323.c) = 1775da7ca2129a962ed460bd1e78ba3ce6afa62c
 SHA1 (patch-apps_app__adsiprog.c) = 031139e5cd1ef6bb2afb0a74fee3d752eded0a2c



Home | Main Index | Thread Index | Old Index