kumquat-buildroot/package/asterisk/asterisk.hash
Peter Korsgaard 289a15f33b package/asterisk: security bump to version 16.21.1
Fixes the following security issues:

16.15.0:
- ASTERISK-29057: pjsip: Crash on call rejection during high load

16.15.1:
- AST-2020-003: Remote crash in res_pjsip_diversion
  A crash can occur in Asterisk when a SIP message is received that has a
  History-Info header, which contains a tel-uri.
  https://downloads.asterisk.org/pub/security/AST-2020-003.pdf

- AST-2020-004: Remote crash in res_pjsip_diversion
  A crash can occur in Asterisk when a SIP 181 response is received that has
  a Diversion header, which contains a tel-uri.
  https://downloads.asterisk.org/pub/security/AST-2020-004.pdf

16.16.0:
- ASTERISK-29219: res_pjsip_diversion: Crash if Tel URI contains History-Info

16.16.1:
- AST-2021-001: Remote crash in res_pjsip_diversion
  If a registered user is tricked into dialing a malicious number that sends
  lots of 181 responses to Asterisk, each one will cause a 181 to be sent
  back to the original caller with an increasing number of entries in the
  “Supported” header.  Eventually the number of entries in the header
  exceeds the size of the entry array and causes a crash.
  https://downloads.asterisk.org/pub/security/AST-2021-001.pdf

- AST-2021-002: Remote crash possible when negotiating T.38
  When re-negotiating for T.38 if the initial remote response was delayed
  just enough Asterisk would send both audio and T.38 in the SDP.  If this
  happened, and the remote responded with a declined T.38 stream then
  Asterisk would crash.
  https://downloads.asterisk.org/pub/security/AST-2021-002.pdf

- AST-2021-003: Remote attacker could prematurely tear down SRTP calls
  An unauthenticated remote attacker could replay SRTP packets which could
  cause an Asterisk instance configured without strict RTP validation to
  tear down calls prematurely.
  https://downloads.asterisk.org/pub/security/AST-2021-003.pdf

- AST-2021-004: An unsuspecting user could crash Asterisk with multiple
  hold/unhold requests
  Due to a signedness comparison mismatch, an authenticated WebRTC client
  could cause a stack overflow and Asterisk crash by sending multiple
  hold/unhold requests in quick succession.
  https://downloads.asterisk.org/pub/security/AST-2021-004.pdf

- AST-2021-005: Remote Crash Vulnerability in PJSIP channel driver
  Given a scenario where an outgoing call is placed from Asterisk to a
  remote SIP server it is possible for a crash to occur.
  https://downloads.asterisk.org/pub/security/AST-2021-005.pdf

16.16.2:
- AST-2021-006: Crash when negotiating T.38 with a zero port
  When Asterisk sends a re-invite initiating T.38 faxing and the endpoint
  responds with a m=image line and zero port, a crash will occur in
  Asterisk.
  This is a reoccurrence of AST-2019-004.
  https://downloads.asterisk.org/pub/security/AST-2021-006.pdf

16.17.0:
- ASTERISK-29203 / AST-2021-002 — Another scenario is causing a crash

- ASTERISK-29260: sRTP Replay Protection ignored; even tears down long calls

- ASTERISK-29227: res_pjsip_diversion: sending multiple 181 responses causes
  memory corruption and crash

16.19.1:
- AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver
  When Asterisk receives a re-INVITE without SDP after having sent a BYE
  request a crash will occur.  This occurs due to the Asterisk channel no
  longer being present while code assumes it is.
  https://downloads.asterisk.org/pub/security/AST-2021-007.pdf

- AST-2021-008: Remote crash when using IAX2 channel driver
  If the IAX2 channel driver receives a packet that contains an unsupported
  media format it can cause a crash to occur in Asterisk.
  https://downloads.asterisk.org/pub/security/AST-2021-008.pdf

- AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during
  handshake
  Depending on the timing, it’s possible for Asterisk to crash when using a
  TLS connection if the underlying socket parent/listener gets destroyed
  during the handshake.
  https://downloads.asterisk.org/pub/security/AST-2021-009.pdf

16.20.0:
- ASTERISK-29415: Crash in PJSIP TLS transport

- ASTERISK-29381: chan_pjsip: Remote denial of service by an authenticated
  user

In addition, a large number of bugfixes.

Drop now upstreamed
0006-AC_HEADER_STDC-causes-a-compile-failure-with-autoconf-2-70.patch.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-10-24 16:13:44 +02:00

16 lines
1.1 KiB
Plaintext

# Locally computed
sha256 1ba86666072b903e24b5cfef3d6d607d0d090c0fd232429ed410496e8f93ac40 asterisk-16.21.1.tar.gz
# sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
# sha256 locally computed
sha1 721c512feaea102700d5bdce952fdc0bb29dc640 asterisk-core-sounds-en-gsm-1.6.1.tar.gz
sha256 d79c3d2044d41da8f363c447dfccc140be86b4fcc41b1ca5a60a80da52f24f2d asterisk-core-sounds-en-gsm-1.6.1.tar.gz
sha1 f40fd6ea03dfe8d72ada2540b2288bfdc006381d asterisk-moh-opsound-wav-2.03.tar.gz
sha256 449fb810d16502c3052fedf02f7e77b36206ac5a145f3dacf4177843a2fcb538 asterisk-moh-opsound-wav-2.03.tar.gz
# License files, locally computed
sha256 82af40ed7f49c08685360811993d9396320842f021df828801d733e8fdc0312f COPYING
sha256 ac5571f00e558e3b7c9b3f13f421b874cc12cf4250c4f70094c71544cf486312 main/sha1.c
sha256 6215e3ed73c3982a5c6701127d681ec0b9f1121ac78a28805bd93f93c3eb84c0 codecs/speex/speex_resampler.h
sha256 ea69cc96ab8a779c180a362377caeada71926897d1b55b980f04d74ba5aaa388 utils/db1-ast/include/db.h