[Buildroot] [PATCH] package/asterisk: security bump to version 16.21.1
Peter Korsgaard
peter at korsgaard.com
Sun Oct 24 15:20:30 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
Hi,
>>> Fixes the following security issues:
>> I have applied to master, but what's quite worrying is that there were
>> 0 CVEs affecting asterisk in version 16.14.1 according to
>> http://autobuild.buildroot.net/stats/master.html. Does this mean that
>> the Asterisk community is not submitting CVEs for their security
>> vulnerabilities?
> Looks like it. I also didn't find any CVE references in the description
> of the issues I listed :/
Looking closer, there are in fact CVEs for some of the issues, e.g.:
https://downloads.asterisk.org/pub/security/AST-2021-001.html
But that refers to a digium:asterisk CPE rather than the
asterisk:open_source one we look for.
Looking at the CPE database, we should probably use that CPE identifier
instead as it looks much more actively used (1154 entries vs 61):
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Adigium%3Aasterisk%3A*%3A*%3A*%3A*%3A*%3A*%3A*%3A*
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aasterisk%3Aopen_source%3A*%3A*%3A*%3A*%3A*%3A*%3A*%3A*
Fabrice, you added the CPE variables for asterisk. Any specific reason
to use asterisk/open_source?
--
Bye, Peter Korsgaard
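
An added example, not part of the original message and not Buildroot's own code: it shows how matching on the CPE vendor/product pair misses entries filed under a different identifier, and how counting entries per candidate identifier exposes the more widely used one. The feed records, their ids and the function names are constructed for illustration.

```python
import re
from collections import Counter

# CPE 2.3 formatted strings escape a literal colon as '\:', so split only on
# unescaped colons.
_FIELD_SPLIT = re.compile(r'(?<!\\):')

def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = _FIELD_SPLIT.split(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return tuple(fields[2:6])

def matching_entries(pkg_cpe, feed):
    """Ids of feed entries listing the same part/vendor/product as the package."""
    wanted = parse_cpe23(pkg_cpe)[:3]
    return [eid for eid, cpes in feed
            if any(parse_cpe23(c)[:3] == wanted for c in cpes)]

def candidate_ids(name, feed):
    """Count entries per (vendor, product) pair that mentions the package name,
    most used first, to spot an identifier the tracker is not looking for."""
    counts = Counter()
    for _eid, cpes in feed:
        pairs = {parse_cpe23(c)[1:3] for c in cpes}
        for vendor, product in pairs:
            if name in (vendor, product):
                counts[(vendor, product)] += 1
    return counts.most_common()

# Constructed feed: ids and version fields are placeholders, not real records.
FEED = [
    ("CONSTRUCTED-0001", ["cpe:2.3:a:digium:asterisk:16.14.1:*:*:*:*:*:*:*"]),
    ("CONSTRUCTED-0002", ["cpe:2.3:a:digium:asterisk:16.20.0:*:*:*:*:*:*:*"]),
    ("CONSTRUCTED-0003", ["cpe:2.3:a:asterisk:open_source:1.8.0:*:*:*:*:*:*:*"]),
    ("CONSTRUCTED-0004", ["cpe:2.3:a:example:other:1.0:*:*:*:*:*:*:*"]),
]

OPEN_SOURCE = "cpe:2.3:a:asterisk:open_source:*:*:*:*:*:*:*:*"
DIGIUM = "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print("asterisk:open_source ->", matching_entries(OPEN_SOURCE, FEED))
    print("digium:asterisk      ->", matching_entries(DIGIUM, FEED))
    print("candidates           ->", candidate_ids("asterisk", FEED))
```
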