* [Buildroot] [PATCH] package/asterisk: security bump to version 16.25.2
@ 2022-04-15 22:26 Peter Korsgaard
From: Peter Korsgaard @ 2022-04-15 22:26 UTC
  To: buildroot; +Cc: Yann E. MORIN

Fixes the following security issues:

16.24.1:

CVE-2021-37706 / AST-2022-004: pjproject: integer underflow on STUN message

The header length on incoming STUN messages that contain an ERROR-CODE
attribute is not properly checked.  This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use with a malicious
remote party.

https://seclists.org/fulldisclosure/2022/Mar/0

CVE-2022-23608 / AST-2022-005: pjproject: undefined behavior after freeing a
dialog set

When acting as a UAC, and when placing an outgoing call to a target that then
forks, Asterisk may experience undefined behavior (crashes, hangs, etc…)
after a dialog set is prematurely freed.

https://seclists.org/fulldisclosure/2022/Mar/1

CVE-2022-21723 / AST-2022-006: pjproject: unconstrained malformed multipart
SIP message

If an incoming SIP message contains a malformed multi-part body an out of
bounds read access may occur, which can result in undefined behavior.  Note,
it’s currently uncertain if there is any externally exploitable vector
within Asterisk for this issue, but providing this as a security issue out
of caution.

https://seclists.org/fulldisclosure/2022/Mar/2

16.25.2:

CVE-2022-26498 / AST-2022-001: res_stir_shaken: resource exhaustion with
large files

When using STIR/SHAKEN, it’s possible to download files that are not
certificates. These files could be much larger than what you would expect to
download.

https://seclists.org/fulldisclosure/2022/Apr/17

CVE-2022-26499 / AST-2022-002: res_stir_shaken: SSRF vulnerability with
Identity header

When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
interfaces such as localhost using the Identity header.

https://seclists.org/fulldisclosure/2022/Apr/18

CVE-2022-26651 / AST-2022-003: func_odbc: Possible SQL Injection

Some databases can use backslashes to escape certain characters, such as
backticks.  If input is provided to func_odbc which includes backslashes it
is possible for func_odbc to construct a broken SQL query and the SQL query
to fail.

https://seclists.org/fulldisclosure/2022/Apr/19

Update hash of sha1.c after a doxygen comment update:
https://github.com/asterisk/asterisk/commit/37c29b6a281d7f69e891117269dbf8c20bacc904

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/asterisk/asterisk.hash | 4 ++--
 package/asterisk/asterisk.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
index eabe11e052..fe59483b73 100644
--- a/package/asterisk/asterisk.hash
+++ b/package/asterisk/asterisk.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  1ba86666072b903e24b5cfef3d6d607d0d090c0fd232429ed410496e8f93ac40  asterisk-16.21.1.tar.gz
+sha256  0fb817943a276f5e540c2a9432e8841cd3393e7c1bd1250055c620902f6eafc8  asterisk-16.25.2.tar.gz
 
 # sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
 # sha256 locally computed
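Review bot: the replaced asterisk-16.25.2.tar.gz hash is, per the "# Locally computed" comment above it, computed from a tarball that ASTERISK_SITE fetches from the GitHub mirror, so there is no upstream-published checksum for a second reviewer to compare it against; the commit message should say how it was verified (for instance downloaded from two independent hosts, or its contents diffed against the release tarball on downloads.asterisk.org). GitHub's generated archives are also not guaranteed to stay byte-identical over time, so a later mismatch on this line needs investigating rather than a blind re-hash.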
@@ -10,6 +10,6 @@ sha256  449fb810d16502c3052fedf02f7e77b36206ac5a145f3dacf4177843a2fcb538  asteri
 
 # License files, locally computed
 sha256  82af40ed7f49c08685360811993d9396320842f021df828801d733e8fdc0312f  COPYING
-sha256  ac5571f00e558e3b7c9b3f13f421b874cc12cf4250c4f70094c71544cf486312  main/sha1.c
+sha256  3ce4755b8da872a0de93ecdbbe2f940763cc95c9027bbf3c4a2e914fcd8bf4c6  main/sha1.c
 sha256  6215e3ed73c3982a5c6701127d681ec0b9f1121ac78a28805bd93f93c3eb84c0  codecs/speex/speex_resampler.h
 sha256  ea69cc96ab8a779c180a362377caeada71926897d1b55b980f04d74ba5aaa388  utils/db1-ast/include/db.h
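Review bot: main/sha1.c is listed under the license-file hashes, so changing it changes what legal-info ships; the commit message attributes the change to a doxygen comment update (upstream commit 37c29b6a281d7f69e891117269dbf8c20bacc904), which is the right justification, but the reviewer should diff main/sha1.c between 16.21.1 and 16.25.2 to confirm only comment text moved and the license notice is intact, and the commit message would be clearer with an explicit "license text unchanged, comments only".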
diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
index 2b7854b982..9b59997b80 100644
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-ASTERISK_VERSION = 16.21.1
+ASTERISK_VERSION = 16.25.2
 # Use the github mirror: it's an official mirror maintained by Digium, and
 # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
 ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
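Review bot: the version jumps from 16.21.1 to 16.25.2 while the commit message only covers the security fixes in 16.24.1 and 16.25.2; since ASTERISK_VERSION is the only line that changes in asterisk.mk, the message should state that the intermediate releases add no configure options, dependencies or default-enabled modules the package would have to follow. The comment about the GitHub mirror remains accurate for the new version.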
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
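The AST-2022-004 entry above describes a length check missing on the STUN ERROR-CODE attribute. The following is an added illustration of that bug class, not pjproject's or Asterisk's code: a minimal parser for one ERROR-CODE attribute, run once trusting the attribute length and once with the check, over two constructed attributes (a valid 401 and one whose declared length is shorter than the attribute's own 4-byte class/number header). The attribute layout follows RFC 5389 section 15.6; the function and sample names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUN_ATTR_ERROR_CODE 0x0009   /* RFC 5389 section 15.6 */

struct stun_errcode {
    unsigned code;          /* error class * 100 + number, e.g. 401 */
    const uint8_t *reason;  /* reason phrase; points into the input buffer */
    size_t reason_len;      /* length of the reason phrase in bytes */
};

/*
 * Parse one STUN attribute TLV expected to be ERROR-CODE: 2-byte type,
 * 2-byte length, then a 4-byte reserved/class/number header followed by the
 * reason phrase, with the value padded to a 4-byte boundary.
 * strict == 0 trusts the attribute length as an unchecked parser would;
 * strict == 1 enforces the 4-byte minimum and the enclosing buffer size.
 * Returns 0 and fills *out on success, -1 on malformed input.
 */
int stun_parse_error_code(const uint8_t *buf, size_t buflen, int strict,
                          struct stun_errcode *out)
{
    if (buflen < 8)                          /* TLV header + padded 4-byte value header */
        return -1;
    uint16_t type = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t len  = (uint16_t)((buf[2] << 8) | buf[3]);
    if (type != STUN_ATTR_ERROR_CODE)
        return -1;
    const uint8_t *val = buf + 4;

    if (strict) {
        if (len < 4)                         /* class/number header must be present */
            return -1;
        if ((size_t)len > buflen - 4)        /* value must fit inside the message */
            return -1;
    }

    /* With len < 4 this subtraction wraps to nearly SIZE_MAX: every later copy
     * or scan of the reason phrase then walks far past the end of the message. */
    out->reason_len = (size_t)len - 4;
    out->reason = val + 4;
    out->code = (unsigned)(val[2] & 0x07) * 100 + val[3];
    return 0;
}

/* Constructed sample attributes for this example (not captured traffic). */
static const uint8_t good_attr[] = {
    0x00, 0x09, 0x00, 0x10,                  /* ERROR-CODE, length 16 */
    0x00, 0x00, 0x04, 0x01,                  /* reserved, class 4, number 1 -> 401 */
    'U','n','a','u','t','h','o','r','i','z','e','d'
};
static const uint8_t bad_attr[] = {
    0x00, 0x09, 0x00, 0x02,                  /* ERROR-CODE, length 2: shorter than its own header */
    0x00, 0x00, 0x00, 0x00                   /* two value bytes plus two bytes of padding */
};

/* Helpers exposing the outcome of each path. */
unsigned demo_good_code(void)
{
    struct stun_errcode e;
    return stun_parse_error_code(good_attr, sizeof good_attr, 1, &e) == 0 ? e.code : 0;
}
size_t demo_good_reason_len(void)
{
    struct stun_errcode e;
    return stun_parse_error_code(good_attr, sizeof good_attr, 1, &e) == 0 ? e.reason_len : 0;
}
int demo_good_reason_matches(void)
{
    struct stun_errcode e;
    return stun_parse_error_code(good_attr, sizeof good_attr, 1, &e) == 0 &&
           e.reason_len == 12 && memcmp(e.reason, "Unauthorized", 12) == 0;
}
size_t demo_bad_reason_len_unchecked(void)
{
    struct stun_errcode e;
    return stun_parse_error_code(bad_attr, sizeof bad_attr, 0, &e) == 0 ? e.reason_len : 0;
}
int demo_bad_strict(void)
{
    struct stun_errcode e;
    return stun_parse_error_code(bad_attr, sizeof bad_attr, 1, &e);
}

int main(void)
{
    printf("good attribute: code=%u reason_len=%zu reason ok=%d\n",
           demo_good_code(), demo_good_reason_len(), demo_good_reason_matches());
    printf("bad attribute, unchecked: reason_len=%zu (wrapped)\n",
           demo_bad_reason_len_unchecked());
    printf("bad attribute, strict: rc=%d\n", demo_bad_strict());
    return 0;
}
```

The wrapped reason_len is the whole story: nothing crashes at parse time, the damage comes when a later memcpy or string scan trusts that length. The strict path also checks the value against the enclosing buffer, because a length that is at least 4 but larger than the message is the same bug in the other direction.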
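AST-2022-001 and AST-2022-002 above are two faces of the same fetch: the x5u URL in an Identity header names where to get a certificate, and the code both followed it anywhere and read whatever came back. Added example, not Asterisk's res_stir_shaken code: a URL policy check and a bounded body sink of the kind a practitioner would put in front of that fetch. The cap value, the private-range list and all function names are this example's own choices.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X5U_MAX_BYTES 8192   /* illustrative cap; a PEM certificate is well under this */

/* Strict dotted-quad parser: exactly four decimal octets, no leading zeros,
 * so octal-looking forms such as 0177.0.0.1 are not silently accepted. */
static int parse_ipv4(const char *s, uint32_t *ip)
{
    uint32_t v = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned n = 0, digits = 0;
        if (s[0] == '0' && s[1] >= '0' && s[1] <= '9')
            return 0;
        while (*s >= '0' && *s <= '9') {
            n = n * 10 + (unsigned)(*s++ - '0');
            if (++digits > 3 || n > 255)
                return 0;
        }
        if (digits == 0)
            return 0;
        v = (v << 8) | n;
        if (octet < 3 && *s++ != '.')
            return 0;
    }
    if (*s)
        return 0;
    *ip = v;
    return 1;
}

/* Destinations an outbound certificate fetch must never be pointed at. */
static int ipv4_is_internal(uint32_t ip)
{
    return (ip >> 24) == 127 ||        /* 127.0.0.0/8 loopback */
           (ip >> 24) == 10  ||        /* 10.0.0.0/8 */
           (ip >> 20) == 0xAC1 ||      /* 172.16.0.0/12 */
           (ip >> 16) == 0xC0A8 ||     /* 192.168.0.0/16 */
           (ip >> 16) == 0xA9FE ||     /* 169.254.0.0/16 link-local, cloud metadata */
           (ip >> 24) == 0;            /* 0.0.0.0/8 */
}

/*
 * Decide whether an x5u URL taken from an Identity header may be fetched.
 * Policy: https only; no userinfo; no explicit port (which also excludes
 * bracketed IPv6 literals); host is neither "localhost" nor an internal IPv4
 * literal; numeric hosts must be canonical dotted quads. Names pass here, but
 * the caller must resolve them and run the resolved address through
 * ipv4_is_internal() too. Returns 1 if the fetch is allowed.
 */
int x5u_url_allowed(const char *url)
{
    char host[256];
    const char *p;
    size_t n;
    uint32_t ip;

    if (strncmp(url, "https://", 8) != 0)
        return 0;
    p = url + 8;
    n = strcspn(p, "/?#");                       /* authority ends at path/query/fragment */
    if (n == 0 || n >= sizeof host)
        return 0;
    for (size_t i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)p[i]);
    host[n] = '\0';

    if (strchr(host, '@') || strchr(host, ':'))  /* userinfo or port */
        return 0;
    if (strcmp(host, "localhost") == 0)
        return 0;
    if (strspn(host, "0123456789.") == n)        /* numeric: must be a canonical dotted quad */
        return parse_ipv4(host, &ip) && !ipv4_is_internal(ip);
    if (host[0] == '0' && host[1] == 'x')        /* hex IP literal such as 0x7f000001 */
        return 0;
    return 1;
}

/* Bounded sink for the response body, the shape a curl write callback takes:
 * once the cap is exceeded it refuses further data so the transfer is aborted
 * instead of buffering whatever the remote side chooses to send. */
struct x5u_sink {
    unsigned char buf[X5U_MAX_BYTES];
    size_t len;
    int overflow;
};

int x5u_sink_write(struct x5u_sink *s, const unsigned char *data, size_t n)
{
    if (s->overflow || n > X5U_MAX_BYTES - s->len) {
        s->overflow = 1;
        return 0;
    }
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 1;
}

/* Feed a constructed body of `total` bytes in `chunk`-sized pieces; returns 1
 * if the whole body was accepted, 0 if the cap stopped it. */
int x5u_sink_demo(size_t total, size_t chunk)
{
    static struct x5u_sink s;
    unsigned char piece[4096];
    memset(&s, 0, sizeof s);
    memset(piece, 'A', sizeof piece);
    if (chunk > sizeof piece)
        chunk = sizeof piece;
    while (total > 0) {
        size_t n = total < chunk ? total : chunk;
        if (!x5u_sink_write(&s, piece, n))
            return 0;
        total -= n;
    }
    return 1;
}

int main(void)
{
    const char *urls[] = {
        "https://certs.example.net/sp.pem", "http://certs.example.net/sp.pem",
        "https://127.0.0.1/admin", "https://LocalHost/", "https://169.254.169.254/latest/",
        "https://0177.0.0.1/", "https://2130706433/", "https://certs.example.net:8443/x",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-40s %s\n", urls[i], x5u_url_allowed(urls[i]) ? "fetch" : "reject");
    printf("8192-byte body accepted: %d, 8193-byte body accepted: %d\n",
           x5u_sink_demo(8192, 1024), x5u_sink_demo(8193, 1024));
    return 0;
}
```

The literal check is deliberately narrow: anything that is not a canonical dotted quad is treated as a name, and inet_aton-style resolvers accept hex and octal parts and single large integers, so the policy has to be applied again to the address actually resolved, and a redirect from the fetched URL has to go through the same check. The sink refuses rather than truncates because a truncated certificate is not something the caller should try to parse.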
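AST-2022-003 above is about escaping that matches one SQL dialect but not another: doubling single quotes is enough for standard SQL, but a backend that also treats backslash as an escape character inside a literal sees a different string boundary. Added example, not Asterisk's func_odbc code: an escaper with and without backslash doubling, a decoder that reads the literal back the way each kind of backend would, and a round-trip check that reports whether the query structure survived. The query template and inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape a value for use inside a single-quoted SQL literal. Single quotes are
 * always doubled (standard SQL). With escape_backslashes set, backslashes are
 * doubled too, which backends that treat '\' as an escape character inside
 * literals require. Returns the escaped length, or (size_t)-1 if out is too small.
 */
size_t sql_escape(const char *in, int escape_backslashes, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        int dup = (*in == '\'') || (escape_backslashes && *in == '\\');
        if (n + 1 + (size_t)dup >= outlen)
            return (size_t)-1;
        out[n++] = *in;
        if (dup)
            out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/*
 * Decode the single-quoted literal opening at q[start] the way the backend
 * would: '' is always a literal quote; with backslash_escapes a backslash makes
 * the following byte literal. Writes the decoded value to out and returns the
 * index of the closing quote, or -1 if the literal never terminates.
 */
long sql_literal_decode(const char *q, size_t start, int backslash_escapes,
                        char *out, size_t outlen)
{
    size_t n = 0, i;
    if (q[start] != '\'')
        return -1;
    for (i = start + 1; q[i]; i++) {
        char c = q[i];
        if (backslash_escapes && c == '\\' && q[i + 1]) {
            c = q[++i];                       /* \x -> x */
        } else if (c == '\'') {
            if (q[i + 1] != '\'') {           /* lone quote closes the literal */
                out[n] = '\0';
                return (long)i;
            }
            i++;                              /* '' -> ' */
        }
        if (n + 1 >= outlen)
            return -1;
        out[n++] = c;
    }
    return -1;                                /* unterminated literal */
}

/*
 * Build the query a template like "... WHERE name='${value}' AND active=1"
 * produces, decode it with the backend's rules, and report whether the query
 * structure survived: the literal must decode back to the original value and
 * the text after it must be exactly the template's suffix.
 * Returns 1 if intact, 0 if the literal ended early, never ended, or changed.
 */
int sql_roundtrip(const char *value, int escape_backslashes, int backslash_dialect)
{
    static const char prefix[] = "SELECT id FROM users WHERE name=";
    static const char suffix[] = "' AND active=1";
    char esc[256], query[512], decoded[256];
    long end;

    if (sql_escape(value, escape_backslashes, esc, sizeof esc) == (size_t)-1)
        return 0;
    snprintf(query, sizeof query, "%s'%s%s", prefix, esc, suffix);

    end = sql_literal_decode(query, strlen(prefix), backslash_dialect,
                             decoded, sizeof decoded);
    if (end < 0)
        return 0;
    return strcmp(decoded, value) == 0 && strcmp(query + end, suffix) == 0;
}

int main(void)
{
    /* Constructed inputs: a quote, a backslash before a quote, a trailing backslash. */
    const char *inputs[] = { "O'Brien", "a\\'b", "x\\" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s quote-only/backslash-backend=%d  both/backslash-backend=%d  "
               "quote-only/standard-backend=%d\n", inputs[i],
               sql_roundtrip(inputs[i], 0, 1), sql_roundtrip(inputs[i], 1, 1),
               sql_roundtrip(inputs[i], 0, 0));
    return 0;
}
```

Two failures are worth noticing. A value with a backslash before a quote, escaped quote-only and sent to a backslash-aware backend, closes the literal early and the rest of the value becomes SQL text; a trailing backslash leaves the literal unterminated, which is the "broken query" the advisory describes. The last column shows the opposite mistake: doubling backslashes for a backend that does not interpret them corrupts the stored value, so the escaping has to be chosen per backend rather than applied everywhere, and the robust fix is bound parameters where the driver supports them.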


* Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.25.2
From: Peter Korsgaard @ 2022-04-16 13:47 UTC
  To: buildroot; +Cc: Yann E. MORIN

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > 16.24.1:

 > CVE-2021-37706 / AST-2022-004: pjproject: integer underflow on STUN message

 > The header length on incoming STUN messages that contain an ERROR-CODE
 > attribute is not properly checked.  This can result in an integer underflow.
 > Note, this requires ICE or WebRTC support to be in use with a malicious
 > remote party.

 > https://seclists.org/fulldisclosure/2022/Mar/0

 > CVE-2022-23608 / AST-2022-005: pjproject: undefined behavior after freeing a
 > dialog set

 > When acting as a UAC, and when placing an outgoing call to a target that then
 > forks, Asterisk may experience undefined behavior (crashes, hangs, etc…)
 > after a dialog set is prematurely freed.

 > https://seclists.org/fulldisclosure/2022/Mar/1

 > CVE-2022-21723 / AST-2022-006: pjproject: unconstrained malformed multipart
 > SIP message

 > If an incoming SIP message contains a malformed multi-part body an out of
 > bounds read access may occur, which can result in undefined behavior.  Note,
 > it’s currently uncertain if there is any externally exploitable vector
 > within Asterisk for this issue, but providing this as a security issue out
 > of caution.

 > https://seclists.org/fulldisclosure/2022/Mar/2

 > 16.25.2:

 > CVE-2022-26498 / AST-2022-001: res_stir_shaken: resource exhaustion with
 > large files

 > When using STIR/SHAKEN, it’s possible to download files that are not
 > certificates. These files could be much larger than what you would expect to
 > download.

 > https://seclists.org/fulldisclosure/2022/Apr/17

 > CVE-2022-26499 / AST-2022-002: res_stir_shaken: SSRF vulnerability with
 > Identity header

 > When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
 > interfaces such as localhost using the Identity header.

 > https://seclists.org/fulldisclosure/2022/Apr/18

 > CVE-2022-26651 / AST-2022-003: func_odbc: Possible SQL Injection

 > Some databases can use backslashes to escape certain characters, such as
 > backticks.  If input is provided to func_odbc which includes backslashes it
 > is possible for func_odbc to construct a broken SQL query and the SQL query
 > to fail.

 > https://seclists.org/fulldisclosure/2022/Apr/19

 > Update hash of sha1.c after a doxygen comment update:
 > https://github.com/asterisk/asterisk/commit/37c29b6a281d7f69e891117269dbf8c20bacc904

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.25.2
From: Peter Korsgaard @ 2022-05-22 10:09 UTC
  To: buildroot; +Cc: Yann E. MORIN

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > 16.24.1:

 > CVE-2021-37706 / AST-2022-004: pjproject: integer underflow on STUN message

 > The header length on incoming STUN messages that contain an ERROR-CODE
 > attribute is not properly checked.  This can result in an integer underflow.
 > Note, this requires ICE or WebRTC support to be in use with a malicious
 > remote party.

 > https://seclists.org/fulldisclosure/2022/Mar/0

 > CVE-2022-23608 / AST-2022-005: pjproject: undefined behavior after freeing a
 > dialog set

 > When acting as a UAC, and when placing an outgoing call to a target that then
 > forks, Asterisk may experience undefined behavior (crashes, hangs, etc…)
 > after a dialog set is prematurely freed.

 > https://seclists.org/fulldisclosure/2022/Mar/1

 > CVE-2022-21723 / AST-2022-006: pjproject: unconstrained malformed multipart
 > SIP message

 > If an incoming SIP message contains a malformed multi-part body an out of
 > bounds read access may occur, which can result in undefined behavior.  Note,
 > it’s currently uncertain if there is any externally exploitable vector
 > within Asterisk for this issue, but providing this as a security issue out
 > of caution.

 > https://seclists.org/fulldisclosure/2022/Mar/2

 > 16.25.2:

 > CVE-2022-26498 / AST-2022-001: res_stir_shaken: resource exhaustion with
 > large files

 > When using STIR/SHAKEN, it’s possible to download files that are not
 > certificates. These files could be much larger than what you would expect to
 > download.

 > https://seclists.org/fulldisclosure/2022/Apr/17

 > CVE-2022-26499 / AST-2022-002: res_stir_shaken: SSRF vulnerability with
 > Identity header

 > When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
 > interfaces such as localhost using the Identity header.

 > https://seclists.org/fulldisclosure/2022/Apr/18

 > CVE-2022-26651 / AST-2022-003: func_odbc: Possible SQL Injection

 > Some databases can use backslashes to escape certain characters, such as
 > backticks.  If input is provided to func_odbc which includes backslashes it
 > is possible for func_odbc to construct a broken SQL query and the SQL query
 > to fail.

 > https://seclists.org/fulldisclosure/2022/Apr/19

 > Update hash of sha1.c after a doxygen comment update:
 > https://github.com/asterisk/asterisk/commit/37c29b6a281d7f69e891117269dbf8c20bacc904

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard

