Subject: CVS commit: pkgsrc/comms/asterisk16
From: Ryo ONODERA
Date: 2023-01-03 17:53:17
Message id: 20230103165317.6EC9FFA90@cvs.NetBSD.org

Log Message:
asterisk16: Update to 16.29.1

* Use bash for configure script. It uses bash-specific syntax.
* Use menuselect command to adjust options instead of manually
  crafted makeopts file. Manually crafted file does not work
  properly for me and 16.29.1 now.
* I have no idea about x11 option's status. It seems that
  gtk2 config UI is not available in this release at least,
  if I understand correctly.

Changelog:
16.29.1
Bugs fixed in this release:

[ASTERISK-30103] chan_ooh323 vulnerability in calling/called party IE (Reported By: Michael Bradeen)

[ASTERISK-30176] GetConfig can read files outside of Asterisk (Reported By: shawty)

[ASTERISK-30244] Occasional crash when TCP/TLS connection terminated and subscription persistence is removed (Reported By: nappsoft)

[ASTERISK-30338] Backport 2.13 security fixes from pjproject

16.29.0
New Features made in this release:

  * [ASTERISK-30037]         Add test support to calling external processes
                             (Reported by Philip Prindeville)
  * [ASTERISK-30161]         locks: add AMI event for deadlock
                             (Reported by N A)
  * [ASTERISK-30211]         app_confbridge: Add end_marked_any option
                             (Reported by N A)
  * [ASTERISK-30186]         res_pjsip: Add support for reloading TLS
                             certificate and key information
                             (Reported by Joshua C. Colp)
  * [ASTERISK-29899]         features: Add advanced transfer initiation options
                             (Reported by N A)

Bugs fixed in this release:

  * [ASTERISK-30235]         res_crypto and tests: Memory issues and
                             uninitialized variable error
                             (Reported by George Joseph)
  * [ASTERISK-30234]         res_geolocation:   may be used uninitialized error
                             in geoloc_config.c
                             (Reported by George Joseph)
  * [ASTERISK-30215]         Inbound SIP INVITE with Geo Location causing a
                             Segmentation Fault
                             (Reported by Dan Cropp)
  * [ASTERISK-30135]         [res_musiconhold] Allows the moh only for the
                             answered call
                             (Reported by sungtae kim)
  * [ASTERISK-26894]         pjsip should support tel uri scheme
                             (Reported by Gergely D?ms?di)
  * [ASTERISK-30210]         func_frame_trace: Channel masquerade triggers
                             assertion
                             (Reported by N A)
  * [ASTERISK-30190]         res_geolocation: GEOLOC_PROFILE isn't returning
                             correct values on incoming channel
                             (Reported by George Joseph)
  * [ASTERISK-29185]         chan_pjsip: Endpoint: allow = all is broken.
                             (Reported by Alexander Traud)
  * [ASTERISK-30192]         res_tonedetect: fix typo for frametype
                             (Reported by N A)
  * [ASTERISK-29453]         alembic: incoming_call_offer_pref and
                             outgoing_call_offer_pref missing in 'ps_endpoints'
                             table
                             (Reported by Daniel Th  men)
  * [ASTERISK-26826]         testsuite: Add support for Python 3
                             (Reported by Joshua C. Colp)
  * [ASTERISK-30167]         res_geolocation: Refactor for issues found by
                             users
                             (Reported by George Joseph)
  * [ASTERISK-28422]         Memory Leak in Confbridge menu
                             (Reported by Ted G)
  * [ASTERISK-29917]         ami: FilterList action doesn't exist
                             (Reported by N A)
  * [ASTERISK-30020]         ConfbridgeListRooms Event Not Documented
                             (Reported by Michael Cargile)
  * [ASTERISK-30018]         app_meetme: MeetmeList AMI event not documented
                             (Reported by Michael Cargile)
  * [ASTERISK-30151]         Documentation doesn't include info about 'field',
                             a 3rd required parameter.
                             (Reported by Chris Young)

Improvements made in this release:

  * [ASTERISK-30241]         res_pjsip_gelocation: Downgrade some NOTICE scope
                             trace debugs to DEBUG level
                             (Reported by N A)
  * [ASTERISK-30178]         extend user_eq_phone behavior to local uri's
                             (Reported by Michael Bradeen)
  * [ASTERISK-30046]         Reimplement res/res_crypto.c internals with
                             EVP_PKEY interface to Openssl API's
                             (Reported by Philip Prindeville)
  * [ASTERISK-30045]         Add test coverage to res/res_crypto.c
                             functionality
                             (Reported by Philip Prindeville)
  * [ASTERISK-30185]         res_geolocation: Allow location parameters to be
                             specified in profiles
                             (Reported by George Joseph)
  * [ASTERISK-30177]         res_geolocation: Add option to suppress empty
                             elements
                             (Reported by George Joseph)
  * [ASTERISK-30182]         res_geolocation: Add built-in profiles to use in
                             fully dynamic configurations
                             (Reported by George Joseph)
  * [ASTERISK-29906]         update RLS to reflect the changes to the lists
                             (Reported by Alexei Gradinari)
  * [ASTERISK-30163]         general: fix minor formatting issues
                             (Reported by N A)
  * [ASTERISK-30164]         chan_iax2: Add missing option documentation
                             (Reported by N A)
  * [ASTERISK-30160]         cdr.conf: Remove obsolete app_mysql reference
                             (Reported by N A)
  * [ASTERISK-30159]         general: Remove obsolete SVN references
                             (Reported by N A)
  * [ASTERISK-30153]         logger: Improve log levels
                             (Reported by N A)

16.28.0
The following issues are resolved in this release:

Improvements made in this release:

  * [ASTERISK-30128]         Create PJSIP interface module for
                             Geolocation
                             (Reported by George Joseph)
  * [ASTERISK-30127]         Create core Geolocation capability for
                             Asterisk
                             (Reported by George Joseph)
  * [ASTERISK-30089]         general: fix typos
                             (Reported by N A)
  * [ASTERISK-30050]         Upgrade Asterisk to bundled pjproject
                             2.12.1
                             (Reported by Stanislav Abramenkov)

Bugs fixed in this release:

  * [ASTERISK-30167]         res_geolocation: Refactor for issues found by
                             users
                             (Reported by George Joseph)
  * [ASTERISK-29966]         pbx_variables: ast_str_strlen can be wrong
                             (Reported by N A)
  * [ASTERISK-29905]         OSX: bininstall launchd issue on cross-platform
                             build
                             (Reported by Sergey V. Lobanov)
  * [ASTERISK-30137]         manager: Global disabled event filtered is
                             incomplete
                             (Reported by N A)
  * [ASTERISK-30109]         res_pjsip: no contact-status AMI event on register
                             of prune-on-boot contact that uses the same URI as
                             before Asterisk restart
                             (Reported by Michael Neuhauser)
  * [ASTERISK-30126]         Spelling mistake in
                             configs/samples/queues.conf.sample
                             (Reported by Sam Banks)
  * [ASTERISK-29991]         chan_dahdi, callerid: Caller ID does not honor
                             presentation
                             (Reported by N A)
  * [ASTERISK-29907]         res_pjsip, app_confbridge: Video call through
                             ConfBridge with normal endpoints causes infinite
                             loop/crash
                             (Reported by N A)
  * [ASTERISK-30029]         build: Git security vulnerability fix is sad with
                             our accessing git as root during 'make install'
                             (Reported by Joshua C. Colp)
  * [ASTERISK-30138]         Compile failure in
                             res_geolocation/geoloc_eprofile.c when
                             optimization is enabled
                             (Reported by George Joseph)
  * [ASTERISK-30096]         cel_odbc: Column type 9 (field 'cdr:cel:eventtime')
                             is unsupported at this time
                             (Reported by Morvai Szabolcs)
  * [ASTERISK-30083]         chan_iax2: Optional dependency on openssl/
                             res_crypto is now mandatory
                             (Reported by Dmitry Melekhov)
  * [ASTERISK-30123]         features: Update automixmon documentation to
                             reflect reality
                             (Reported by Trevor Peirce)
  * [ASTERISK-30117]         pbx_lua: Remove compiler warnings
                             (Reported by Boris P. Korzun)
  * [ASTERISK-30001]         db: Removing nonexistent entries shows 'Database
                             entry removed'
                             (Reported by N A)
  * [ASTERISK-29822]         cli: Typing \? freezes the CLI permanently with
                             remote console
                             (Reported by N A)
  * [ASTERISK-30106]         res_calendar_icalendar: Microsoft online ICS
                             calendars no longer work
                             (Reported by N A)
  * [ASTERISK-30115]         app_dial: Allow hook flashes to propagate on
                             outbound dials
                             (Reported by N A)
  * [ASTERISK-29989]         app_dial, chan_dahdi: DIALSTATUS is inconsistent
                             for busy
                             (Reported by N A)
  * [ASTERISK-30072]         res_pjsip: allow TLS verification of wildcard
                             cert-bearing servers
                             (Reported by Kevin Harwell)
  * [ASTERISK-30075]         say: Abort if channel hangs up during playback
                             (Reported by N A)

New Features made in this release:

  * [ASTERISK-30136]         db: Add AMI action to retrieve all keys beginning
                             with a prefix
                             (Reported by N A)
  * [ASTERISK-30000]         chan_dahdi: Add POLARITY function
                             (Reported by N A)
  * [ASTERISK-30062]         cli: Add CLI command to execute a dialplan app
                             (Reported by N A)
  * [ASTERISK-29999]         pjsip: Get information from 200 OK INVITE reply
                             headers
                             (Reported by Jos   Lopes)
  * [ASTERISK-30061]         pbx: Add pbx helper application
                             (Reported by N A)

16.27.0
Improvements made in this release:

  * [ASTERISK-30090]         xmldocs: Use example tags for examples
                             (Reported by N A)
  * [ASTERISK-29906]         update RLS to reflect the changes to the lists
                             (Reported by Alexei Gradinari)
  * [ASTERISK-29891]         provide a display name for RLS subscriptions
                             (Reported by Alexei Gradinari)
  * [ASTERISK-30086]         res_parking: Warn when invalid parking space
                             requested
                             (Reported by N A)
  * [ASTERISK-30058]         Evaluate dialplan functions and variables in agi
                             exec
                             (Reported by Shloime Rosenblum)
  * [ASTERISK-30027]         ari: expose channel driver's unique id (i.e.
                             Call-ID for chan_sip/chan_pjsip) in ARI channel
                             resource
                             (Reported by Moritz Fain)
  * [ASTERISK-29845]         res_pjsip_outbound_registration: Show time
                             remaining until registration lapses
                             (Reported by N A)

Bugs fixed in this release:

  * [ASTERISK-30097]         console: Recent documentation changes for
                             connecting to remote console are inconsistent
                             (Reported by Matthias Hensler)
  * [ASTERISK-30043]         Wrong party is disconnected when hook-flashing on
                             3-way bridge
                             (Reported by Josh Alberts)
  * [ASTERISK-29603]         res_pjsip: UPDATE/re-INVITE not sent when
                             'timers=always' is specified in pjsip.conf
                             (Reported by Ray Crumrine)
  * [ASTERISK-30092]         DateTime application: wrong inflection for one
                             o'clock in German
                             (Reported by Christof Efkemann)
  * [ASTERISK-30064]         pbx: iax2 switch causes crash due to deadlock and
                             assertion
                             (Reported by N A)
  * [ASTERISK-29981]         res_calendar: Asterisk crashes when starting, and
                             will not run
                             (Reported by N A)
  * [ASTERISK-30039]         cli: Targeted debug on startup deadlocks and
                             creates unstable system
                             (Reported by N A)
  * [ASTERISK-30051]         res_pjsip: No video after un-hold with
                             moh_passthrough=yes
                             (Reported by Maximilian Fridrich)
  * [ASTERISK-24601]         Missing RFC4235 tags and attributes in PJSIP
                             NOTIFY event: dialog XML body
                             (Reported by Marco Paland)
  * [ASTERISK-30060]         loader: format warnings in dev mode
                             (Reported by N A)
  * [ASTERISK-30059]         menuselect: libxml include fails under Gentoo
                             (Reported by waltermoeller)
  * [ASTERISK-30065]         pjsip: Open Websocket connection is not reused for
                             outgoing requests
                             (Reported by LA)
  * [ASTERISK-30042]         res_pjsip_transport_websocket: Registration over
                             websocket returns a rewritten contact
                             (Reported by Thomas Guebels)
  * [ASTERISK-29993]         chan_dahdi: Operator control option borks both
                             lines involved on callee disconnect
                             (Reported by N A)
  * [ASTERISK-30044]         GCC 12 issues
                             (Reported by George Joseph)

New Features made in this release:

  * [ASTERISK-30063]         app_voicemail: Add option to prevent deletion of
                             messages
                             (Reported by N A)
  * [ASTERISK-30087]         res_parking: Add music on hold override option
                             (Reported by N A)
  * [ASTERISK-29965]         res_pjsip_outbound_registration: Make max
                             registration delay configurable
                             (Reported by N A)
  * [ASTERISK-30036]         app_confbridge: Add CONFBRIDGE_CHANNELS function
                             (Reported by N A)

16.26.1
Bugs fixed in this release:

  * [ASTERISK-30065]         pjsip: Open Websocket connection is not reused for
                             outgoing requests
                             (Reported by LA)

16.26.0
Security bugs fixed in this release:

  * [ASTERISK-29476]         res_stir_shaken: Blind SSRF vulnerabilities
                             (Reported by Clint Ruoho)
  * [ASTERISK-29838]         ${SQL_ESC()} not correctly escaping a terminating
                             \
                             (Reported by Leandro Dardini)
  * [ASTERISK-29872]         res_stir_shaken: Resource exhaustion with large
                             files
                             (Reported by Benjamin Keith Ford)

New Features made in this release:

  * [ASTERISK-29931]         Option to allow a user to not hear the join sound
                             on enter but everyone else can
                             (Reported by Michael Cargile)
  * [ASTERISK-29968]         func_db: Add a function to return cardinality of
                             keys at prefix
                             (Reported by N A)
  * [ASTERISK-29486]         Hint-like extension value lookup function without
                             device state
                             (Reported by N A)
  * [ASTERISK-29941]         chan_pjsip: Add ability to send flash events
                             (Reported by N A)
  * [ASTERISK-29820]         cli: Add command to evaluate a function
                             (Reported by N A)
  * [ASTERISK-29876]         app_queue: Add music on hold option
                             (Reported by N A)

Bugs fixed in this release:

  * [ASTERISK-28518]         chan_dahdi: Caller ID FSK Erroneously Sent when
                             Picking Up Dahdi Call On Hold
                             (Reported by Josh Alberts)
  * [ASTERISK-29990]         chan_dahdi: adding ring cadences is not idempotent
                             on dahdi restart
                             (Reported by N A)
  * [ASTERISK-30007]         chan_iax2: Prevent crashes due to attempted
                             encryption with missing secrets
                             (Reported by N A)
  * [ASTERISK-29728]         menuselect: Disabled by default modules that are
                             enabled are always recompiled
                             (Reported by N A)
  * [ASTERISK-30002]         app_meetme: Don't erroneously set global
                             variables when channel is NULL
                             (Reported by N A)
  * [ASTERISK-29994]         chan_dahdi: Round robin array size is too small
                             for max number of groups
                             (Reported by N A)
  * [ASTERISK-22246]         Asterisk's 'T' flag is ignored when used with
                             'r' or 'R' flags. (documentation bug)
                             (Reported by Rusty Newton)
  * [ASTERISK-26582]         Asterisk seems to ignore the 'n' parameter for
                             'disable console colorization'
                             (Reported by Sebastian Gutierrez)
  * [ASTERISK-29843]         Session timers get removed on UPDATE
                             (Reported by Mark Petersen)
  * [ASTERISK-29943]         file.c: seeking to negative file offset is not
                             prevented
                             (Reported by N A)
  * [ASTERISK-29955]         chan_sip: SIP route header is missing on UPDATE
                             (Reported by Mark Petersen)
  * [ASTERISK-29842]         Do not change 180 Ringing to 183 Progress even if
                             early_media already enabled
                             (Reported by Mark Petersen)
  * [ASTERISK-29948]         iostream: Infinite TCP timeout writing data
                             (Reported by N A)
  * [ASTERISK-29253]         Incorrect bridging on transfer
                             (Reported by Yury Kirsanov)
  * [ASTERISK-30024]         Failed to sign STIR/SHAKEN payload with
                             functionality not enabled
                             (Reported by Claude Diderich)
  * [ASTERISK-30006]         res_pjsip: UDP transport does not work when
                             async_operations is greater than 1
                             (Reported by Ross Beer)
  * [ASTERISK-29655]         res_pjsip_session: No video to caller if no camera
                             available
                             (Reported by Michael Auracher)
  * [ASTERISK-29638]         res_pjsip_session: No video after early media
                             (Reported by Michael Auracher)
  * [ASTERISK-30015]         pjsip / WebRTC: Chrome creating large number of
                             SDP attributes
                             (Reported by Josh Hogan)
  * [ASTERISK-30021]         ast_variable_list_replace_variable uses variable
                             with new keyword
                             (Reported by Jasper Hafkenscheid)
  * [ASTERISK-30023]         cdr_adaptive_odbc: does not support DATETIME
                             database columns
                             (Reported by Gregory Massel)
  * [ASTERISK-29411]         Crash in pjsip_msg_find_hdr_by_name
                             (Reported by LA)
  * [ASTERISK-29535]         Segmentation fault in libasteriskpj.so.2
                             (Reported by Daniel Bonazzi)
  * [ASTERISK-26719]         pbx: Only up to 127 includes in a dialplan context
                             (AST_PBX_MAX_STACK    1)
                             (Reported by Tzafrir Cohen)
  * [ASTERISK-29988]         REGRESSION: The build process is requiring xmllint
                             or xmlstarlet to be installed when it shouldn't
                             (Reported by George Joseph)
  * [ASTERISK-29986]         build: Asterisk 18.11.0 doesn't compile when wget
                             isn't available
                             (Reported by Stefan Ruijsenaars)
  * [ASTERISK-29895]         chan_iax2: Fix misaligned spacing in iax2 show
                             netstats printout
                             (Reported by N A)
  * [ASTERISK-29939]         agi: Fix xmldoc bug with set music
                             (Reported by N A)
  * [ASTERISK-28891]         documentation: AGICommand_set+music documentation
                             arguments displayed incorrectly
                             (Reported by Jonathan Harris)
  * [ASTERISK-29048]         chan_iax2: 'iax2 show registry' shows host for
                             perceived
                             (Reported by David Herselman)
  * [ASTERISK-26689]         res_pjsip_sdp_rtp: 183 Session in Progress.
                             Disconnecting channel for lack of RTP activity
                             (Reported by Dmitriy Serov)
  * [ASTERISK-29929]         res_pjsip_sdp_rtp: Disconnecting channel for lack
                             of RTP activity in one way sessions
                             (Reported by Boris P. Korzun)
  * [ASTERISK-29674]         Adjust for 64bit time_t
                             (Reported by Andre Heider)
  * [ASTERISK-29961]         RLS: domain part of 'uri' list attribute
                             mismatch with SUBSCRIBE request
                             (Reported by Alexei Gradinari)
  * [ASTERISK-29950]         SayNumber can handle '01' to '07', but not
                             '08' or '09'
                             (Reported by Jim Van Meggelen)
  * [ASTERISK-29928]         logging messages truncated when using MUSL runtime
                             (Reported by Philip Prindeville)
  * [ASTERISK-29960]         ari: Retrieving stored recording can return wrong
                             file
                             (Reported by Arix)

Improvements made in this release:

  * [ASTERISK-24827]         Missing documentation for chan_dahdi dial string
                             ring cadences
                             (Reported by Scott Griepentrog)
  * [ASTERISK-29940]         general: Add since tags to xmldocs
                             (Reported by N A)
  * [ASTERISK-29951]         app_mf, app_sf: Return -1 on hangup
                             (Reported by N A)
  * [ASTERISK-29954]         app_meetme: Emit warning if conference not found
                             (Reported by N A)
  * [ASTERISK-29351]         Qualify pjproject 2.12 for Asterisk
                             (Reported by George Joseph)
  * [ASTERISK-29877]         app_mf: Allow reading a maximum number of digits
                             (Reported by N A)
  * [ASTERISK-29976]         Should Readme include information about
                             install_prereq script?
                             (Reported by Marcel Wagner)
  * [ASTERISK-29970]         Use pkg-config to find libxml2 headers and
                             libraries
                             (Reported by Hugh McMaster)
  * [ASTERISK-25716]         Documentation: Document explanations and examples
                             for possible values of DIALSTATUS
                             (Reported by Rusty Newton)
  * [ASTERISK-29980]         build: External binary modules don't use https
                             (Reported by INVADE International Ltd.)
  * [ASTERISK-29967]         pbx_builtins: Add missing documentation
                             (Reported by N A)

16.25.3
Bugs fixed in this release:

  * [ASTERISK-30024]         Failed to sign STIR/SHAKEN payload with
                             functionality not enabled
                             (Reported by Claude Diderich)

16.25.2
The following security vulnerabilities were resolved in 16.25.2:

  * AST-2022-001: res_stir_shaken: resource exhaustion with large files
    When using STIR/SHAKEN, it's possible to download files that are not
    certificates. These files could be much larger than what you would expect
    to download.
  * AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header
    When using STIR/SHAKEN, it's possible to send arbitrary requests like GET
    to interfaces such as localhost using the Identity header.
  * AST-2022-003: func_odbc: Possible SQL Injection
    Some databases can use backslashes to escape certain characters, such as
    backticks. If input is provided to func_odbc which includes backslashes it
    is possible for func_odbc to construct a broken SQL query and the SQL
    query to fail.

16.25.1
Bugs fixed in this release:

  * [ASTERISK-29988]         REGRESSION: The build process is requiring xmllint
                             or xmlstarlet to be installed when it shouldn't
                             (Reported by George Joseph)
  * [ASTERISK-29986]         build: Asterisk 18.11.0 doesn't compile when wget
                             isn't available
                             (Reported by Stefan Ruijsenaars)

15.25.0
Security bugs fixed in this release:

  * [ASTERISK-29945]         pjproject: Security fixes for
                             things
                             (Reported by Kevin Harwell)

New Features made in this release:

  * [ASTERISK-29853]         ami: Allow events to be globally disabled
                             (Reported by N A)
  * [ASTERISK-29840]         func_channel: Add LASTCONTEXT and LASTEXTEN
                             fields
                             (Reported by N A)

Bugs fixed in this release:

  * [ASTERISK-29924]         res_config_pgsql: omit "unsupported column type
                             'text'" error
                             (Reported by Boris P. Korzun)
  * [ASTERISK-29923]         docs, LICENSE: pbx.digium.com no longer exists
                             (Reported by N A)
  * [ASTERISK-29904]         RLS: Batched Notifications stop working
                             (Reported by Alexei Gradinari)
  * [ASTERISK-29365]         taskprocessor: Can cause assert at shutdown
                             (Reported by Joshua C. Colp)
  * [ASTERISK-29873]         Queue Realtime load
                             (Reported by Alexei Gradinari)
  * [ASTERISK-18416]         Realtime queue agents unavailable via AMI before a
                             call event.
                             (Reported by kwk)
  * [ASTERISK-27597]         AMI Queuestatus not working (with realtime queue)
                             (Reported by cagdas kopuz)
  * [ASTERISK-29886]         Asterisk AMI sends not-valid XML
                             (Reported by Napadailo Yaroslav)

Improvements made in this release:

  * [ASTERISK-29906]         update RLS to reflect the changes to the lists
                             (Reported by Alexei Gradinari)
  * [ASTERISK-29909]         app_queue: Add support for withdrawing a call
                             (Reported by Kfir Itzhak)
  * [ASTERISK-29353]         Qualify jansson 2.14 for asterisk
                             (Reported by George Joseph)
  * [ASTERISK-29897]         channels: Increase core debug levels for chatty
                             debugs
                             (Reported by N A)
  * [ASTERISK-29896]         xmldocs: Add since tag
                             (Reported by N A)
  * [ASTERISK-29861]         asterisk.h: add macro for curl user agent
                             (Reported by N A)
  * [ASTERISK-29920]         app_voicemail: Warn if trying to manage
                             nonexistent mailbox
                             (Reported by N A)
  * [ASTERISK-29925]         func_db: Warn about malformed key names
                             (Reported by N A)
  * [ASTERISK-29809]         curl, stir_shaken: refactor curl code
                             (Reported by N A)
  * [ASTERISK-29891]         provide a display name for RLS subscriptions
                             (Reported by Alexei Gradinari)
  * [ASTERISK-29866]         cli: add core dump information to core show
                             settings
                             (Reported by N A)
  * [ASTERISK-29898]         documentation: Add default attributes to
                             documentation
                             (Reported by N A)
  * [ASTERISK-29900]         app_mp3: Document and warn about https
                             incompatibility
                             (Reported by N A)

16.24.1
The following security vulnerabilities were resolved in 16.24.1:

  * AST-2022-004: pjproject: integer underflow on STUN message
    The header length on incoming STUN messages that contain an ERROR-CODE
    attribute is not properly checked. This can result in an integer underflow.
    Note, this requires ICE or WebRTC support to be in use with a malicious
    remote party.

  * AST-2022-005: pjproject: undefined behavior after freeing a dialog set
    When acting as a UAC, and when placing an outgoing call to a target that
    then forks Asterisk may experience undefined behavior (crashes, hangs,
    etc.) after a dialog set is prematurely freed.

  * AST-2022-006: pjproject: unconstrained malformed multipart SIP message
    If an incoming SIP message contains a malformed multi-part body an out of
    bounds read access may occur, which can result in undefined behavior. Note,
    it's currently uncertain if there is any externally exploitable vector
    within Asterisk for this issue, but providing this as a security issue out
    of caution.

Files:
Revision  Action  File
1.94      modify  pkgsrc/comms/asterisk16/Makefile
1.28      modify  pkgsrc/comms/asterisk16/PLIST
1.46      modify  pkgsrc/comms/asterisk16/distinfo
1.19      modify  pkgsrc/comms/asterisk16/options.mk
1.5       modify  pkgsrc/comms/asterisk16/patches/patch-configure