Summary: | <net-misc/asterisk-{13.33.0,16.10.0}: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | jaco, proxy-maint |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/15622 https://github.com/gentoo/gentoo/pull/15779 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | =net-misc/asterisk-13.33.0 |
Runtime testing required: | --- |
Description
Sam James
2020-04-30 20:18:25 UTC
@maintainer(s), please bump

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bba8866c2494ca62273be220a18aee165e60aea

commit 9bba8866c2494ca62273be220a18aee165e60aea
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-05-03 11:30:10 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-04 17:26:08 +0000

    net-misc/asterisk: version bumps

    Switch to media-libs/libilbc for iLBC support. Stop installing various scripts I provided a long time ago which are no longer needed (tools exist that supersede these now). Drop samples IUSE. Remove patches that are now upstreamed.

    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Bug: https://bugs.gentoo.org/720184
    Closes: https://github.com/gentoo/gentoo/pull/15622
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest | 2 +
 net-misc/asterisk/asterisk-13.33.0.ebuild | 296 +++++++++++++++++++++++++++++
 net-misc/asterisk/asterisk-16.10.0.ebuild | 301 ++++++++++++++++++++++++++++++
 3 files changed, 599 insertions(+)

@maintainer(s), please advise if ready for stabilisation, or call yourself.

(In reply to Sam James (sec padawan) from comment #3)
> @maintainer(s), please advise if ready for stabilisation, or call yourself.

I'm happy! RTP engine didn't blow up on ICE so that covers the portion I was worried about.

(In reply to Jaco Kroon from comment #4)
> (In reply to Sam James (sec padawan) from comment #3)
> > @maintainer(s), please advise if ready for stabilisation, or call yourself.
>
> I'm happy! RTP engine didn't blow up on ICE so that covers the portion I
> was worried about.

Great :)

Unable to check for sanity:
> no match for package: =net-misc/asterisk-13.33

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a66a68bc50f569a9f199820e6a826d3ca9865df3

commit a66a68bc50f569a9f199820e6a826d3ca9865df3
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-05-13 17:49:52 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-05-14 22:12:13 +0000

    net-misc/asterisk: cleanup

    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Bug: https://bugs.gentoo.org/720184
    Closes: https://github.com/gentoo/gentoo/pull/15779
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 net-misc/asterisk/Manifest | 2 -
 net-misc/asterisk/asterisk-13.32.0-r1.ebuild | 323 ------------------
 net-misc/asterisk/asterisk-16.9.0.ebuild | 315 -----------------
 .../files/asterisk-13.32.0-binutils-2.34.patch | 18 -
 .../asterisk-historic-dahdiras-without-root.patch | 23 -
 .../asterisk-historic-dundi-null-dereference.patch | 40 ---
 ...terisk-historic-invert-gmine-search-order.patch | 12 -
 .../asterisk/files/asterisk-historic-uclibc.patch | 23 -
 net-misc/asterisk/files/initd-13.32.0 | 380 ---------------------
 9 files changed, 1136 deletions(-)

So, jkroon pointed out the original comment is wrong here (clearly!)

In the 16.8-cert1 release announcement, we had:

"Security bugs fixed in this release:
-----------------------------------
[ASTERISK-28589] - chan_sip: Depending on configuration an INVITE can alter Addr of a peer (Reported by Andrey V. T.)
[ASTERISK-28580] - Bypass SYSTEM write permission in manager action allows system commands execution (Reported by Eliel Sardañons)
[ASTERISK-28495] - res_pjsip_t38: 200 OK with SDP answer with declined stream causes crash (Reported by Alexei Gradinari)
[ASTERISK-28447] - res_pjsip_messaging: In-dialog MESSAGE with no body causes crash (Reported by Gil Richard)
[ASTERISK-28465] - Broken SDP can cause a segfault in a T.38 reINVITE (Reported by Francesco Castellano)"

And these seem to all be definitely fixed already by now, in previous releases(?).

GLSA vote: no!

Closing.