Related to d31e4e7a

Rebuild is not needed for aports where postgresql-dev was only in
makedepends.

Duncan Bellamy authored 3 years ago and Timo Teräs committed 3 years ago

* fixes #12808

Fixes #11142

/var/log/asterisk has 755 asterisk:asterisk permissions
log files in asterisk log dir are created with 0644 permissions
with this patch, logrotate keeps the 0644 permissions as installed.

omni authored 3 years ago and Leo committed 3 years ago

AST-2021-006

fixes:

- CVE-2019-15297 (again)

remove /tmp which is owned by alpine-baselayout so we don't get wrong
permissions on /tmp when asterisk is installed.

fixes:

- CVE-2021-26717
- CVE-2021-26713
- CVE-2021-26712
- CVE-2021-26906

adds missing secfixes for:

- CVE-2020-35776
- CVE-2020-35652
- CVE-2020-28327

See: #12469

Duncan Bellamy authored 4 years ago and Timo Teräs committed 4 years ago

* compile with CFLAGS='-DENABLE_SRTP_AES_256', from #11609
* update APKBUILD to use amove
* update license from SPDX
* add missing descriptions to patches, and openrc sub package
* remove empty doc sub package function
* make single line sub package format the same
* add support for unbound

CVE-2019-18610, CVE-2019-18790

fixes #10981

CVE-2019-15297, CVE-2019-15639

ref #10790

AST-2019-002: Remote crash vulnerability with MESSAGE messages
AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver

AST-2018-009 (CVE-2018-17281): Remote crash in HTTP websocket upgrade

fixes #9196

AST-2018-007: Infinite loop when reading iostreams
AST-2018-008: PJSIP endpoint presence disclosure when using ACL

AST-2018-001 (CVE-2018-7285): Crash when receiving unnegotiated dynamic payload
AST-2018-002: Crash when given an invalid SDP media format description
AST-2018-003: Crash with an invalid SDP fmtp attribute
AST-2018-004 (CVE-2018-7284): Crash when receiving SUBSCRIBE request
AST-2018-005 (CVE-2018-7286): Crash when large numbers of TCP connections are closed suddenly
AST-2018-006 (CVE-2018-7287): WebSocket frames with 0 sized payload causes DoS

This is a requirement to get res_odbc built.

This commit updates $license variable in all APKBUILDs to comply with
short names specified by SPDX version 3.0 [1] where possible. It was
done using find-and-replace method on substrings inside $license
variables.

Only license names were updated, not "expressions" specifying relation
between the licenses (e.g. "X and Y", "X or Y", "X and (Y or Z)") or
exceptions (e.g. "X with exceptions").

Many licenses have a version or multiple variants, e.g. MPL-2.0,
BSD-2-Clause, BSD-3-Clause. However, $license in many aports do not
contain license version or variant. Since there's no way how to infer
this information just from abuild, it were left without the variant
suffix or version, i.e. non SPDX compliant.

GNU licenses (AGPL, GFDL, GPL, LGPL) are especially complicated. They
exist in two variants: -only (formerly e.g. GPL-2.0) and -or-later
(formerly e.g. GPL-2.0+). We did not systematically noted distinguish
between these variants, so GPL-2.0, GPL2, GPLv2 etc. may mean
GPL-2.0-only or GPL-2.0-or-later. Thus GNU licenses without "+" (e.g.
GPL2+) were left without the variant suffix, i.e. non SPDX compliant.

Note: This commit just fixes format of the license names, no
verification has been done if the specified license information is
actually correct!

[1]: https://spdx.org/licenses/