CVS commit: pkgsrc/comms/asterisk18

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/comms/asterisk18
From: "John Nemeth" <jnemeth%netbsd.org@localhost>
Date: Mon, 4 Aug 2025 20:17:18 +0000

Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Mon Aug  4 20:17:18 UTC 2025

Modified Files:
        pkgsrc/comms/asterisk18: Makefile PLIST distinfo

Log Message:
Update to Asterisk 18.26.3.  This is a security update.

## Change Log for Release asterisk-18.26.3

### Links:

 - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.26.3.html)

### Summary:

- Commits: 2
- Commit Authors: 2
- Issues Resolved: 0
- Security Advisories Resolved: 2
  - [GHSA-mrq5-74j5-f5cr](https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr): Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  - [GHSA-v9q8-9j8m-5xwp](https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp): Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

### User Notes:

### Upgrade Notes:

- #### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root.  If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started.  Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

### Developer Notes:

### Commit Authors:

- George Joseph: (1)
- ThatTotallyRealMyth: (1)

## Issue and Commit Detail:

### Closed Issues:

  - !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  - !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

### Commits By Author:

- #### George Joseph (1):
  - res_stir_shaken: Test for missing semicolon in Identity header.

- #### ThatTotallyRealMyth (1):
  - safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

### Commit List:

-  safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
-  res_stir_shaken: Test for missing semicolon in Identity header.

### Commit Details:

#### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
  Author: ThatTotallyRealMyth
  Date:   2025-06-10

  UpgradeNote: The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root.  If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started.  Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

  Resolves: #GHSA-v9q8-9j8m-5xwp

#### res_stir_shaken: Test for missing semicolon in Identity header.
  Author: George Joseph
  Date:   2025-07-31

  ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
  the Identity header to prevent a possible segfault.

  Resolves: #GHSA-mrq5-74j5-f5cr


To generate a diff of this commit:
cvs rdiff -u -r1.171 -r1.172 pkgsrc/comms/asterisk18/Makefile
cvs rdiff -u -r1.34 -r1.35 pkgsrc/comms/asterisk18/PLIST
cvs rdiff -u -r1.80 -r1.81 pkgsrc/comms/asterisk18/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/comms/asterisk18/Makefile
diff -u pkgsrc/comms/asterisk18/Makefile:1.171 pkgsrc/comms/asterisk18/Makefile:1.172
--- pkgsrc/comms/asterisk18/Makefile:1.171      Mon Jun  2 03:16:07 2025
+++ pkgsrc/comms/asterisk18/Makefile    Mon Aug  4 20:17:17 2025
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.171 2025/06/02 03:16:07 jnemeth Exp $
+# $NetBSD: Makefile,v 1.172 2025/08/04 20:17:17 jnemeth Exp $
 #
 # NOTE: when updating this package, there are two places that sound
 #       tarballs need to be checked; look in ${WRKSRC}/sounds/Makefile
@@ -6,7 +6,7 @@
 #       Also look in ${WRKSRC}/third-party/versions.mak for pjproject
 #       and libjwt
 
-DISTNAME=      asterisk-18.26.2
+DISTNAME=      asterisk-18.26.3
 CATEGORIES=    comms net audio
 MASTER_SITES=  https://downloads.asterisk.org/pub/telephony/asterisk/
 MASTER_SITES+= https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
@@ -317,6 +317,8 @@ post-install:
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-18.26.1.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-18.26.2.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-18.26.2.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+       ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-18.26.3.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
+       ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/ChangeLog-18.26.3.html ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/historical/CHANGES ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/ChangeLogs/historical/ChangeLog ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}
        ${INSTALL_DATA} ${WRKSRC}/doc/IAX2-security.pdf ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}

Index: pkgsrc/comms/asterisk18/PLIST
diff -u pkgsrc/comms/asterisk18/PLIST:1.34 pkgsrc/comms/asterisk18/PLIST:1.35
--- pkgsrc/comms/asterisk18/PLIST:1.34  Mon Jun  2 03:16:07 2025
+++ pkgsrc/comms/asterisk18/PLIST       Mon Aug  4 20:17:17 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.34 2025/06/02 03:16:07 jnemeth Exp $
+@comment $NetBSD: PLIST,v 1.35 2025/08/04 20:17:17 jnemeth Exp $
 lib/asterisk/libasteriskpj.so
 lib/asterisk/libasteriskpj.so.2
 lib/asterisk/modules/app_adsiprog.so
@@ -2345,6 +2345,8 @@ share/doc/asterisk/ChangeLog-18.26.0.md
 share/doc/asterisk/ChangeLog-18.26.1.md
 share/doc/asterisk/ChangeLog-18.26.2.html
 share/doc/asterisk/ChangeLog-18.26.2.md
+share/doc/asterisk/ChangeLog-18.26.3.html
+share/doc/asterisk/ChangeLog-18.26.3.md
 share/doc/asterisk/IAX2-security.pdf
 share/doc/asterisk/IAX2-security.txt
 share/doc/asterisk/LICENSE

Index: pkgsrc/comms/asterisk18/distinfo
diff -u pkgsrc/comms/asterisk18/distinfo:1.80 pkgsrc/comms/asterisk18/distinfo:1.81
--- pkgsrc/comms/asterisk18/distinfo:1.80       Mon Jun  2 03:33:51 2025
+++ pkgsrc/comms/asterisk18/distinfo    Mon Aug  4 20:17:17 2025
@@ -1,23 +1,23 @@
-$NetBSD: distinfo,v 1.80 2025/06/02 03:33:51 jnemeth Exp $
+$NetBSD: distinfo,v 1.81 2025/08/04 20:17:17 jnemeth Exp $
 
-BLAKE2s (asterisk-18.26.2/asterisk-18.26.2.tar.gz) = acedb758be5b149bf8545626ace49cac9bf0c94d79fd3573e9f6de191667c476
-SHA512 (asterisk-18.26.2/asterisk-18.26.2.tar.gz) = dff4a6cd5ac641f6c6c1f39e1a9d3ee5d02dd20c46c7e362130f7d5243ef9ca7e7cf887d6402c86e6644dd40777da38e3acbe18ba5280ff37abd8364c82e9f88
-Size (asterisk-18.26.2/asterisk-18.26.2.tar.gz) = 28568510 bytes
-BLAKE2s (asterisk-18.26.2/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
-SHA512 (asterisk-18.26.2/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
-Size (asterisk-18.26.2/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
-BLAKE2s (asterisk-18.26.2/libjwt-1.15.3.md5) = de87f03f88ad834e26bba2159f5d8ed14637377eba58c48ed0701f44994ae1a2
-SHA512 (asterisk-18.26.2/libjwt-1.15.3.md5) = d24818362ec5537c4db58421078c7dc0f8509b89a2802d1e2e6cef6d4c1e817f8304dda486e96187c375b7d1084a1400ac4647ea635f3c9703fa0fadb1c33b44
-Size (asterisk-18.26.2/libjwt-1.15.3.md5) = 55 bytes
-BLAKE2s (asterisk-18.26.2/libjwt-1.15.3.tar.gz) = 45de6898eeef8791e63469ea1a13157e425e6f9f47cb49d2bcd7e3f5c046ab68
-SHA512 (asterisk-18.26.2/libjwt-1.15.3.tar.gz) = 6a99c81258c5302f7dd908f639676d7cfbe09599812cd97ead871cd5962f15e5248b935e1ef643c4dd43bd1ee66d0e12be1b599a6d3b26d461c4b15216a93774
-Size (asterisk-18.26.2/libjwt-1.15.3.tar.gz) = 489246 bytes
-BLAKE2s (asterisk-18.26.2/pjproject-2.14.1.md5) = f384e59ad4f8227cd7131a5c07b68a83b75b319fa60c38d6f9d27af817a0f516
-SHA512 (asterisk-18.26.2/pjproject-2.14.1.md5) = 25ce388adcd7eaa2c21d95a58d9fc5e33a6cb96dd99c292574b8f11f6f1f985cf91f91ea252300bd1be192e396ac6c8a35a87b219864339798bf6195a7650c00
-Size (asterisk-18.26.2/pjproject-2.14.1.md5) = 172 bytes
-BLAKE2s (asterisk-18.26.2/pjproject-2.14.1.tar.bz2) = 4b22d553ddafc2d53d866b4936d465c161e2a095a6a75bd4b93be26e4803122c
-SHA512 (asterisk-18.26.2/pjproject-2.14.1.tar.bz2) = 996116df4a18fb28c8f68d122466f8664958226a38e432b6190b92fbf277b278d370a4b44fabeaf25691e3cdcde28a8879b2738ead5387d119229db01ce121d8
-Size (asterisk-18.26.2/pjproject-2.14.1.tar.bz2) = 8379251 bytes
+BLAKE2s (asterisk-18.26.3/asterisk-18.26.3.tar.gz) = 537865ec6379655504dbe0ff0ac3c8995901f8052a2c0bfa4fe80a8c3e627d38
+SHA512 (asterisk-18.26.3/asterisk-18.26.3.tar.gz) = bda51a928cee90ac126d59aedf6a28304a7259d5063e34d21fb86ee32404062b8a6f7b9e01167e342e52e07abbef8224f7d3a127fd2baaa64cf64a82e53023c8
+Size (asterisk-18.26.3/asterisk-18.26.3.tar.gz) = 28568360 bytes
+BLAKE2s (asterisk-18.26.3/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f7e5fe212d7e7cdca14c52527a2552311ab7762c3f1464b09ddedc7c66aebde
+SHA512 (asterisk-18.26.3/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 3f2f7bf3d5bce3544bc013f913c352f0204a3ce96239987403eb9dce8bc87e64a61d437762323a422a87b2fad1f3bf3e7a5f3d0d340f912a1b1dbfea9479d41d
+Size (asterisk-18.26.3/asterisk-extra-sounds-en-gsm-1.5.2.tar.gz) = 4253587 bytes
+BLAKE2s (asterisk-18.26.3/libjwt-1.15.3.md5) = de87f03f88ad834e26bba2159f5d8ed14637377eba58c48ed0701f44994ae1a2
+SHA512 (asterisk-18.26.3/libjwt-1.15.3.md5) = d24818362ec5537c4db58421078c7dc0f8509b89a2802d1e2e6cef6d4c1e817f8304dda486e96187c375b7d1084a1400ac4647ea635f3c9703fa0fadb1c33b44
+Size (asterisk-18.26.3/libjwt-1.15.3.md5) = 55 bytes
+BLAKE2s (asterisk-18.26.3/libjwt-1.15.3.tar.gz) = 45de6898eeef8791e63469ea1a13157e425e6f9f47cb49d2bcd7e3f5c046ab68
+SHA512 (asterisk-18.26.3/libjwt-1.15.3.tar.gz) = 6a99c81258c5302f7dd908f639676d7cfbe09599812cd97ead871cd5962f15e5248b935e1ef643c4dd43bd1ee66d0e12be1b599a6d3b26d461c4b15216a93774
+Size (asterisk-18.26.3/libjwt-1.15.3.tar.gz) = 489246 bytes
+BLAKE2s (asterisk-18.26.3/pjproject-2.14.1.md5) = f384e59ad4f8227cd7131a5c07b68a83b75b319fa60c38d6f9d27af817a0f516
+SHA512 (asterisk-18.26.3/pjproject-2.14.1.md5) = 25ce388adcd7eaa2c21d95a58d9fc5e33a6cb96dd99c292574b8f11f6f1f985cf91f91ea252300bd1be192e396ac6c8a35a87b219864339798bf6195a7650c00
+Size (asterisk-18.26.3/pjproject-2.14.1.md5) = 172 bytes
+BLAKE2s (asterisk-18.26.3/pjproject-2.14.1.tar.bz2) = 4b22d553ddafc2d53d866b4936d465c161e2a095a6a75bd4b93be26e4803122c
+SHA512 (asterisk-18.26.3/pjproject-2.14.1.tar.bz2) = 996116df4a18fb28c8f68d122466f8664958226a38e432b6190b92fbf277b278d370a4b44fabeaf25691e3cdcde28a8879b2738ead5387d119229db01ce121d8
+Size (asterisk-18.26.3/pjproject-2.14.1.tar.bz2) = 8379251 bytes
 SHA1 (patch-Makefile) = 676687f298151dbe548ae26a4f6f3fe8bf1f174e
 SHA1 (patch-addons_chan__ooh323.c) = 1775da7ca2129a962ed460bd1e78ba3ce6afa62c
 SHA1 (patch-apps_app__adsiprog.c) = 031139e5cd1ef6bb2afb0a74fee3d752eded0a2c

Prev by Date: CVS commit: pkgsrc/sysutils/eza
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/sysutils/eza
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index