[Buildroot] [External] Re: [PATCH] package/asterisk: security bump to version 16.21.1

Weber, Matthew L Collins Matthew.Weber at collins.com
Mon Oct 25 13:59:19 UTC 2021


All,

> From: buildroot <buildroot-bounces at buildroot.org> on behalf of Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> Sent: Monday, October 25, 2021 2:20 AM
> To: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> Cc: Weber, Matthew L Collins <Matthew.Weber at collins.com>; Yann E. MORIN <yann.morin.1998 at free.fr>; Buildroot Mailing List <buildroot at buildroot.org>
> Subject: [External] Re: [Buildroot] [PATCH] package/asterisk: security bump to version 16.21.1 
>  
> On Sun, 24 Oct 2021 23:10:51 +0200
> Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> 
> > No specific reason, I missed that the digium entry was more up to date.
> 
> Ideally, we should notify the NVD people that they seem to have two
> different CPE identifiers for the same software product.
> 

I've sent an email and CC'd you guys. From what I can tell, the business CPE had been used for a long time, and recently they split it out into a few different CPEs. Honestly, not deprecating the old one and going cleanly to the new one seems like an opportunity for CVEs not to get assigned correctly. I do think we should use the open-source CPE and see if that covers our Asterisk version. Then we could compare the CVEs between the old/new for that version and the more recent. That comparison could lead to sending in CVE updates for any CVE->"both CPEs" mapping updates.

-Matt

