Build Asterisk 20.5 LTS with pjproject 2.14 due to CVE-2023-38703

Hey!

I’m trying to build and install Asterisk 20.5 LTS.

There is a security vulnerability in pjproject that was fixed in version 2.14:
CVE-2023-38703, which seems to be somewhat critical:

This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption.
→ I’d love to include a link to the Github Security Advisory but the forum software says new users aren’t allowed to use 2 links…

However, if I run ./configure --with-pjproject-bundled, the Asterisk build process downloads 2.13.1:

checking for embedded pjproject (may have to download)… configuring
[pjproject] Downloading https://raw.githubusercontent.com/asterisk/third-party/master/pjproject/2.13.1/pjproject-2.13.1.tar.bz2 to /tmp/pjproject-2.13.1.tar.bz2

What should I do? Will there be a fixed release in near time?

I tried to download pjproject from pjsip.org and build it on my own. That worked so far.

But when I try to make Asterisk after ./configure --without-pjproject-bundled, it finally terminates with an error:

[LD] chan_pjsip.o pjsip/cli_commands.o pjsip/dialplan_functions.o → chan_pjsip.so
/usr/bin/ld: /usr/local/lib/libpj-x86_64-unknown-linux-gnu.a(os_core_unix.o): warning: relocation against `stdout@@GLIBC_2.2.5' in read-only section `.text'
/usr/bin/ld: /usr/local/lib/libpj-x86_64-unknown-linux-gnu.a(os_core_unix.o): relocation R_X86_64_PC32 against symbol `stdout@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: bad value
collect2: error: ld returned 1 exit status
make[1]: *** [/root/asterisk/asterisk-20.5.0/Makefile.rules:193: chan_pjsip.so] Error 1
make: *** [Makefile:396: channels] Error 2

Thank you for any advice!
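Added example, not code from this thread or from the Asterisk or pjproject projects: a small POSIX shell check that asks the linker whether a static archive like the poster's libpj can be pulled into a shared object such as chan_pjsip.so, plus a helper that rebuilds the failing pattern both ways (without and with -fPIC). It assumes cc, ar and mktemp are available and that the archive path follows the poster's /usr/local/lib layout.

```sh
#!/bin/sh
# check_pic_archive ARCHIVE: link every object in a static archive
# (e.g. /usr/local/lib/libpj-x86_64-unknown-linux-gnu.a) into a
# throwaway shared object, which is exactly what the chan_pjsip.so
# link step does. Returns 0 = links fine, 1 = non-PIC objects (the
# error quoted above), 2 = archive missing, 3 = unrelated link failure.
check_pic_archive() {
    archive="$1"
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 2; }
    so=$(mktemp) || return 3
    # --whole-archive forces every member in; otherwise an unreferenced
    # non-PIC object would be skipped and the problem would be masked.
    if out=$(cc -shared -o "$so" \
               -Wl,--whole-archive "$archive" -Wl,--no-whole-archive 2>&1); then
        rm -f "$so"; return 0
    fi
    rm -f "$so"
    printf '%s\n' "$out" >&2
    printf '%s\n' "$out" | grep -q 'recompile with -fPIC' && return 1
    return 3
}

# make_demo_archive DIR CFLAG: build a one-object archive that mimics the
# failing pattern in os_core_unix.o (code touching the glibc data symbol
# stdout) and print its path. CFLAG is -fno-pic to reproduce the error,
# or -fPIC, which is what the linker message asks pjproject to be rebuilt
# with. demo.c is constructed for this example.
make_demo_archive() {
    dir="$1"; cflag="$2"
    cat > "$dir/demo.c" <<'EOF'
#include <stdio.h>
/* Without -fPIC the reference to stdout becomes a direct PC-relative
   relocation (R_X86_64_PC32 on x86-64), which a shared object cannot
   carry; with -fPIC it goes through the GOT and links cleanly. */
int demo_flush(void) { return fflush(stdout); }
EOF
    cc "$cflag" -c -o "$dir/demo.o" "$dir/demo.c" || return 1
    rm -f "$dir/libdemo.a"
    ar rcs "$dir/libdemo.a" "$dir/demo.o" || return 1
    printf '%s\n' "$dir/libdemo.a"
}

# Usage: sh check_pic.sh /usr/local/lib/libpj-x86_64-unknown-linux-gnu.a
if [ "$#" -gt 0 ]; then
    check_pic_archive "$1"; echo "check_pic_archive returned $?"
fi
```

A return of 1 on the real libpj archive confirms the page's diagnosis, and the fix is the one the linker names: rebuild pjproject with -fPIC in CFLAGS (or as a shared library) before running make in the Asterisk tree again.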

See Use-after-free in SRTP media transport · Advisory · pjsip/pjproject · GitHub for the Security Advisory.

Asterisk doesn’t use that functionality. We also pull in any applicable security fixes when they occur and do our own release.