CVE-2022-37325 (https://downloads.asterisk.org/pub/security/AST-2022-007.html):

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.

CVE-2022-42705 (https://downloads.asterisk.org/pub/security/AST-2022-008.html):

A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.

CVE-2022-42706 (https://downloads.asterisk.org/pub/security/AST-2022-009.html):

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.

Please bump to 16.29.1, 18.15.1.

Also, if anybody knows anybody from upstream, it looks like the HTML <title> for the AST-2022-007 page is wrong:

<title ...>AST-YYYY-NNN</title>
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3aff73d53bb063556a8339f32c6af447a430d660

commit 3aff73d53bb063556a8339f32c6af447a430d660
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 22:00:23 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:40 +0000

    net-libs/pjproject: add 2.13

    Bug: https://bugs.gentoo.org/884797
    Closes: https://bugs.gentoo.org/882785
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/pjproject/Manifest | 1 +
 net-libs/pjproject/pjproject-2.13.ebuild | 139 +++++++++++++++++++++++++++++++
 2 files changed, 140 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6365009d6b2dad0945e875cde7f1592ffa7f4275

commit 6365009d6b2dad0945e875cde7f1592ffa7f4275
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 21:58:29 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:40 +0000

    net-misc/asterisk: add 20.0.1, drop 20.0.0

    Bug: https://bugs.gentoo.org/884797
    Closes: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest | 2 +-
 net-misc/asterisk/{asterisk-20.0.0.ebuild => asterisk-20.0.1.ebuild} | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=838265303fe808653fe86bf8e9da6bebc765a4bf

commit 838265303fe808653fe86bf8e9da6bebc765a4bf
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 21:57:55 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:39 +0000

    net-misc/asterisk: add 18.15.1

    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest | 1 +
 net-misc/asterisk/asterisk-18.15.1.ebuild | 376 ++++++++++++++++++++++++++++++
 2 files changed, 377 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5715660f692bb8e4e8b171193bd761ae32497c3

commit a5715660f692bb8e4e8b171193bd761ae32497c3
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 20:48:57 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:39 +0000

    net-misc/asterisk: add 16.29.1

    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest | 1 +
 net-misc/asterisk/asterisk-16.29.1.ebuild | 378 +++++++++++++++++++++
 ...erisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch | 39 +++
 3 files changed, 418 insertions(+)
Thanks! Please stabilize when ready