[Buildroot] [git commit] package/asterisk: security bump to version 16.6.2
Yann E. MORIN
yann.morin.1998 at free.fr
Sat Nov 23 18:27:39 UTC 2019
commit: https://git.buildroot.net/buildroot/commit/?id=b3aaa725f1642bb3d2448b889b1674c7f79afcd9
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes the following security vulnerabilities:
AST-2019-006: SIP request can change address of a SIP peer.
A SIP request can be sent to Asterisk that can change a SIP peer’s IP
address. A REGISTER does not need to occur, and calls can be hijacked as a
result. The only thing that needs to be known is the peer’s name;
authentication details such as passwords do not need to be known. This
vulnerability is only exploitable when the “nat” option is set to the
default, or “auto_force_rport”.
https://downloads.asterisk.org/pub/security/AST-2019-006.pdf
AST-2019-007: AMI user could execute system commands.
A remote authenticated Asterisk Manager Interface (AMI) user without
“system” authorization could use a specially crafted “Originate” AMI request
to execute arbitrary system commands.
https://downloads.asterisk.org/pub/security/AST-2019-007.pdf
AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0
and no c line in the SDP, a crash will occur.
https://downloads.asterisk.org/pub/security/AST-2019-008.pdf
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
---
package/asterisk/asterisk.hash | 2 +-
package/asterisk/asterisk.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
index 4cb4a42e19..26aa4b89b7 100644
--- a/package/asterisk/asterisk.hash
+++ b/package/asterisk/asterisk.hash
@@ -1,5 +1,5 @@
# Locally computed
-sha256 9323f1fd41416d2d997015b2199d5507847e54da64c2e24923d75f5c283c5e83 asterisk-16.6.1.tar.gz
+sha256 474cbc6f9dddee94616f8af8e097bc4d340dc9698c4165dc45be6e0be80ff725 asterisk-16.6.2.tar.gz
# sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
# sha256 locally computed
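Review bot: The new sha256 on the asterisk-16.6.2.tar.gz line is still covered only by the "# Locally computed" comment, so the file records what one machine downloaded rather than a value checked against anything upstream published. For a security bump it would help to say in that comment or in the commit message what the tarball was compared with (for example an upstream-published checksum or a signed release), or to state that no upstream hash exists for this archive.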
diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
index 6f94f628a4..00070aadba 100644
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ASTERISK_VERSION = 16.6.1
+ASTERISK_VERSION = 16.6.2
# Use the github mirror: it's an official mirror maintained by Digium, and
# provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
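Review bot: Nothing in the commit message ties the new ASTERISK_VERSION = 16.6.2 value to the fixed-in versions given by the three advisories; the message lists what each advisory is about and links the PDFs, but not that 16.6.2 is the release that carries the fixes. One added line next to the advisory links stating this would let a later reader confirm the bump closes AST-2019-006, AST-2019-007 and AST-2019-008 without opening each PDF.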