asterisk, pjproject: update CPE IDs (OpenWrt 25.12) #940
Open
RomanGenexis wants to merge 2 commits into
In the official CPE dictionary [1], the latest Asterisk versions to have the old `cpe:/a:digium:asterisk` ID are 18.20.1 (2023-12-14), 20.5.1 (2023-12-14), 21.0.0 (2023-10-18). All of them appeared in the CPE database in December 2023. Other Asterisk branches reached EoL before 2024 [2].

For all new Asterisk security advisories since 2024 [3], the CPE ID used is `cpe:/a:sangoma:asterisk`, with first entries appearing in the database in August 2024.

Update the CPE ID to the new value of `cpe:/a:sangoma:asterisk`.

[1]: https://nvd.nist.gov/products/cpe
[2]: https://docs.asterisk.org/About-the-Project/Asterisk-Versions/
[3]: https://github.com/asterisk/asterisk/security

Signed-off-by: Roman Azarenko <roman.azarenko+gh@genexis.eu>

In the official CPE dictionary [1], `cpe:/a:pjsip:pjsip` is marked "deprecated" for most of the recorded versions. The value of `deprecatedBy` points at respective versions under `cpe:/a:teluu:pjsip`.

The deprecation marking is pretty recent (2026-05-06). There are CVEs from 2026 that reference both the deprecated [2] and the new [3] CPE IDs. It then depends on each particular analysis tool whether it consults the CPE database for deprecations.

Update the CPE ID to the non-deprecated value of `cpe:/a:teluu:pjsip`.

[1]: https://nvd.nist.gov/products/cpe
[2]: https://www.cvedetails.com/vulnerability-list/vendor_id-21360/product_id-65638/Pjsip-Pjsip.html
[3]: https://www.cvedetails.com/vulnerability-list/vendor_id-17771/product_id-44396/Teluu-Pjsip.html

Signed-off-by: Roman Azarenko <roman.azarenko+gh@genexis.eu>
This PR only changes the Makefile metadata in `asterisk` and `pjproject`, namely `PKG_CPE_ID`. These changes shouldn't affect the compilation or runtime.

Below are the commit messages for respective changes, they should be pretty self-descriptive.
This is a backport of #939 to OpenWrt 25.12.
asterisk: update CPE ID

In the official CPE dictionary [1], the latest Asterisk versions to have the old `cpe:/a:digium:asterisk` ID are 18.20.1 (2023-12-14), 20.5.1 (2023-12-14), 21.0.0 (2023-10-18). All of them appeared in the CPE database in December 2023. Other Asterisk branches reached EoL before 2024 [2].

For all new Asterisk security advisories since 2024 [3], the CPE ID used is `cpe:/a:sangoma:asterisk`, with first entries appearing in the database in August 2024.

Update the CPE ID to the new value of `cpe:/a:sangoma:asterisk`.

pjproject: update CPE ID

In the official CPE dictionary [4], `cpe:/a:pjsip:pjsip` is marked "deprecated" for most of the recorded versions. The value of `deprecatedBy` points at respective versions under `cpe:/a:teluu:pjsip`.

The deprecation marking is pretty recent (2026-05-06). There are CVEs from 2026 that reference both the deprecated [5] and the new [6] CPE IDs. It then depends on each particular analysis tool whether it consults the CPE database for deprecations.

Update the CPE ID to the non-deprecated value of `cpe:/a:teluu:pjsip`.
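
The pjproject commit message says the outcome depends on whether an analysis tool follows `deprecatedBy`. The sketch below is an added example, not code from this PR or from OpenWrt, and it shows that difference for a package's `PKG_CPE_ID`. The version numbers, advisory IDs and the vendor/product-level `DEPRECATED_BY` map are constructed for illustration; the real dictionary records deprecations per version.

```python
from typing import NamedTuple

class Cpe(NamedTuple):
    part: str
    vendor: str
    product: str
    version: str  # "" means "any version"

def parse_cpe22(uri: str) -> Cpe:
    """Parse the first four fields of a CPE 2.2 URI, e.g. cpe:/a:teluu:pjsip:2.14."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"part, vendor and product are required: {uri!r}")
    fields += [""] * (4 - len(fields))
    return Cpe(*(f.lower() for f in fields[:4]))

# Constructed stand-in for the dictionary's deprecatedBy links, simplified to
# vendor/product level (assumption: the real entries are per version).
DEPRECATED_BY = {("a", "pjsip", "pjsip"): ("a", "teluu", "pjsip")}

# Constructed advisory records: (placeholder ID, affected CPE). Not real CVEs.
ADVISORIES = [
    ("EXAMPLE-0001", "cpe:/a:pjsip:pjsip:2.14"),
    ("EXAMPLE-0002", "cpe:/a:teluu:pjsip:2.14"),
    ("EXAMPLE-0003", "cpe:/a:teluu:pjsip:2.13"),
]

def canonical(cpe: Cpe) -> Cpe:
    """Follow deprecatedBy links to the current vendor/product, guarding against loops."""
    key, seen = cpe[:3], set()
    while key in DEPRECATED_BY and key not in seen:
        seen.add(key)
        key = DEPRECATED_BY[key]
    return Cpe(*key, cpe.version)

def matching_advisories(pkg_cpe_id: str, version: str, resolve: bool) -> list:
    """Return advisory IDs matching the package; resolve=True follows deprecations."""
    fix = canonical if resolve else (lambda c: c)
    pkg = fix(parse_cpe22(f"{pkg_cpe_id}:{version}"))
    hits = []
    for adv_id, uri in ADVISORIES:
        adv = fix(parse_cpe22(uri))
        if adv[:3] == pkg[:3] and adv.version in ("", pkg.version):
            hits.append(adv_id)
    return hits

if __name__ == "__main__":
    for cpe_id in ("cpe:/a:pjsip:pjsip", "cpe:/a:teluu:pjsip"):
        for resolve in (False, True):
            print(cpe_id, resolve, matching_advisories(cpe_id, "2.14", resolve))
```

A tool that does not resolve deprecations sees only the advisories filed under whichever ID the Makefile carries, so the two IDs give different results until both sides are canonicalised.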