Hi everyone. Thanks for your interest and your contribution in this project. I've just looked at the security hole in asterisk, and I don't think smeserver-trixbox is concerned. The main reason is that asterisk (UDPPort 5060) is NOT open the the Internet. Your server can open a connexion to your VOIP provider, but nobody can open a connexion to your asterisk from the outside. I think it's more risky to install gcc and openssl-devel on a prod environnement. If you have a test server, then you can compile the latest asterisk on it, and copy all the compiled files to your prod server.
Anyway, if you realy want to install gcc and openssl-devel on your prod server, here are all the dependencies that you should remove after:
gcc
openssl-devel
cpp
e2fsprogs-devel
glibc-devel
glibc-headers
glibc-kernheaders
krb5-devel
zlib-devel
libgcc
I'll soon release a new version of the contrib, with freePBX 2.2.1, and the latest rpms from trixbox repo (asterisk 1.2.14). The new version will only contains asterisk, freePBX (the base of the old package). I wont maintain anymore the others modules (maint, meetme, a2billing, xpl, crm) because it's too much work and I don't use it.