From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] asterisk: security bump to version 14.6.2
Date: Sun, 7 Jan 2018 23:47:59 +0100 [thread overview]
Message-ID: <20180107234759.11189ae5@windsurf> (raw)
In-Reply-To: <20180107214629.18544-1-peter@korsgaard.com>
Hello,
On Sun, 7 Jan 2018 22:46:29 +0100, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> 14.6.1:
>
> * AST-2017-005 (applied to all released versions): The "strictrtp" option in
> rtp.conf enables a feature of the RTP stack that learns the source address
> of media for a session and drops any packets that do not originate from
> the expected address. This option is enabled by default in Asterisk 11
> and above. The "nat" and "rtp_symmetric" options for chan_sip and
> chan_pjsip respectively enable symmetric RTP support in the RTP stack.
> This uses the source address of incoming media as the target address of
> any sent media. This option is not enabled by default but is commonly
> enabled to handle devices behind NAT.
>
> A change was made to the strict RTP support in the RTP stack to better
> tolerate late media when a reinvite occurs. When combined with the
> symmetric RTP support this introduced an avenue where media could be
> hijacked. Instead of only learning a new address when expected the new
> code allowed a new source address to be learned at all times.
>
> If a flood of RTP traffic was received the strict RTPsupport would allow
> the new address to provide media and with symmetric RTP enabled outgoing
> traffic would be sent to this new address, allowing the media to be
> hijacked. Provided the attacker continued to send traffic they would
> continue to receive traffic as well.
>
> * AST-2017-006 (applied to all released versions): The app_minivm module has
> an ?externnotify? program configuration option that is executed by the
> MinivmNotify dialplan application. The application uses the caller-id
> name and number as part of a built string passed to the OS shell for
> interpretation and execution. Since the caller-id name and number can
> come from an untrusted source, a crafted caller-id name or number allows
> an arbitrary shell command injection.
>
> * AST-2017-007 (applied only to 13.17.1 and 14.6.1): A carefully crafted URI
> in a From, To or Contact header could cause Asterisk to crash
>
> For more details, see the announcement:
> https://www.asterisk.org/downloads/asterisk-news/asterisk-11252-13171-1461-116-cert17-1313-cert5-now-available-security
>
> 14.6.2:
>
> * AST-2017-008: Insufficient RTCP packet validation could allow reading
> stale buffer contents and when combined with the ?nat? and ?symmetric_rtp?
> options allow redirecting where Asterisk sends the next RTCP report.
>
> The RTP stream qualification to learn the source address of media always
> accepted the first RTP packet as the new source and allowed what
> AST-2017-005 was mitigating. The intent was to qualify a series of
> packets before accepting the new source address.
>
> For more details, see the announcement:
> https://www.asterisk.org/downloads/asterisk-news/asterisk-11253-13172-1462-116-cert18-1313-cert6-now-available-security
>
> Drop 0004-configure-in-cross-complation-assimne-eventfd-are-av.patch as this
> is now handled differently upstream (by disabling eventfd for cross
> compilation, see commit 2e927990b3d2 (eventfd: Disable during cross
> compilation)). If eventfd support is needed then this should be submitted
> upstream.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> ...sure-target-directory-for-modules-exists.patch} | 0
> ...n-cross-complation-assimne-eventfd-are-av.patch | 37 ----------------------
> ...0005-install-samples-need-the-data-files.patch} | 0
> package/asterisk/asterisk.hash | 2 +-
> package/asterisk/asterisk.mk | 2 +-
> 5 files changed, 2 insertions(+), 39 deletions(-)
> rename package/asterisk/{0005-build-ensure-target-directory-for-modules-exists.patch => 0004-build-ensure-target-directory-for-modules-exists.patch} (100%)
> delete mode 100644 package/asterisk/0004-configure-in-cross-complation-assimne-eventfd-are-av.patch
> rename package/asterisk/{0006-install-samples-need-the-data-files.patch => 0005-install-samples-need-the-data-files.patch} (100%)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
next prev parent reply other threads:[~2018-01-07 22:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-07 21:46 [Buildroot] [PATCH] asterisk: security bump to version 14.6.2 Peter Korsgaard
2018-01-07 22:09 ` Yann E. MORIN
2018-01-07 22:47 ` Thomas Petazzoni [this message]
2018-01-08 21:54 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180107234759.11189ae5@windsurf \
--to=thomas.petazzoni@free-electrons.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox