gentls_cert generates certificates that are deemed too weak by Debian's
OpenSSL (on Buster and up). This patch upgrades the message digest to
SHA256 to address this.
See patch for details. Sent upstream ([1]).
[1] https://github.com/signalwire/freeswitch/pull/126
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add patch for a remote crash vulnerability. Crash can occur when
negotiating for T.38 with a declined stream.
CVE-2019-15297
Refreshed some other patches.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This upgrades freeswitch from 1.6.20 to 1.8.2. All changes imported from
master. Notable changes:
Modules:
- v8 removed as too difficult to maintain
- new modules: fail2ban, raven and video_filter
Init and hotplug:
- changed init config to uci (/etc/default/freeswitch replaced with
  /etc/config/freeswitch)
- logging can now be enabled via /etc/config/freeswitch
- hotplug script is now included in the main package
- the post-install script no longer disables freeswitch during
  upgrades
Fixes:
- freeswitch now sends console output properly to procd
Misc:
- the new release adds support for MSRP (Message Session Relay
  Protocol, see
  https://en.wikipedia.org/wiki/Message_Session_Relay_Protocol); this
  opens TCP ports by default, which can be limited to localhost in
  autoload_configs/msrp.conf.xml
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Patch from upstream:
    Summary:            Remote crash vulnerability DNS SRV and NAPTR lookups
    Nature of Advisory: Denial Of Service
    Susceptibility:     Remote Unauthenticated Sessions
    Severity:           Moderate
    Exploits Known:     No
    Reported On:        October 23, 2018
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
With OpenWrt's default awk - so awk from busybox - the filter is broken,
causing jsonrpc calls to fail, i.e. when running "kamctl ps". The patch
below makes the filter portable. Patch was already accepted upstream.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Robert Högberg found that the regex implementation in musl isn't fully
compatible with yate, leading to unexpected regexp results. Fix this by
using the internal regex.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add upstream fix for AST-2018-009: Remote crash vulnerability in HTTP
websocket upgrade
The vulnerability affects the res_http_websocket.so module.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add upstream fix for AST-2018-009: Remote crash vulnerability in HTTP
websocket upgrade
The vulnerability affects the res_http_websocket.so module.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with
an invalid Via header causes a segmentation fault and crashes Kamailio. The
reason is missing input validation in the crcitt_string_array core function
for calculating a CRC hash for To tags. (An additional error is present in
the check_via_address core function: this function also misses input
validation.) This could result in denial of service and potentially the
execution of arbitrary code.
Patch from upstream.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
A recent commit in packages/lang/perl is causing a problem with the
perlmod.mk include. Work around this by including perlver.mk instead and
setting up PERL_CMD and PERL_SITELIB manually.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
CVE-2018-14767: "In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a
crafted SIP message with a double "To" header and an empty "To" tag
causes a segmentation fault and crash. The reason is missing input
validation in the "build_res_buf_from_sip_req" core function. This could
result in denial of service and potentially the execution of arbitrary
code."
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Sometimes freeswitch doesn't exit after receiving the SIGTERM signal.
This can be reproduced by sending SIGTERM to a freeswitch instance which
is initializing (which can take quite some time).
Instead of just giving up and exiting - leaving a hung freeswitch
process on the system - this commit adds some lines to the init script
that send SIGKILL to freeswitch in case the attempt to terminate it with
SIGTERM fails.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
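
The SIGTERM-then-SIGKILL fallback described in the commit message above, as an added example that is not the init script from that commit. The function name `stop_with_fallback`, its return codes and the default grace period are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; stop_with_fallback is a hypothetical helper, not the
# freeswitch init script from the commit.
#
# Usage: stop_with_fallback PID [TIMEOUT_SECONDS]
# Returns 0 if the process exited after SIGTERM,
#         1 if it ignored SIGTERM and had to be SIGKILLed,
#         2 if it was not running or is still present after SIGKILL.
#
# Caveat: kill -0 also succeeds for a zombie, so the parent (procd for a
# service, the calling shell in a test) must reap the process.
stop_with_fallback() {
    swf_pid=$1
    swf_timeout=${2:-5}      # assumed default grace period in seconds
    swf_waited=0

    kill -0 "$swf_pid" 2>/dev/null || return 2

    # Polite request first, so a healthy daemon can shut down cleanly.
    kill -TERM "$swf_pid" 2>/dev/null || true
    while [ "$swf_waited" -lt "$swf_timeout" ]; do
        kill -0 "$swf_pid" 2>/dev/null || return 0
        sleep 1
        swf_waited=$((swf_waited + 1))
    done
    kill -0 "$swf_pid" 2>/dev/null || return 0

    # Grace period expired: the process is hung (e.g. still initializing).
    kill -KILL "$swf_pid" 2>/dev/null || true
    sleep 1
    if kill -0 "$swf_pid" 2>/dev/null; then
        return 2
    fi
    return 1
}
```

A return value of 1 is worth logging: it means the daemon did not shut down cleanly and was forcibly removed.
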
Backport from master.
This patch is, strictly speaking, only needed for pcre 8.42 and up.
Add it anyway in case the pcre maintainer decides to bump the version.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Backport from master.
The macro APR_TRY_COMPILE_NO_WARNING included in apr/apr-util is
incorrect. It results in extra brackets being put into conftest.c, for
example:
    #include "confdefs.h"
    [
    #include <stddef.h>
    #include <iconv.h>
    ]
    int main(int argc, const char *const *argv) {
    [
    iconv(0,(char **)0,(size_t *)0,(char **)0,(size_t *)0);
    ]
    return 0; }
The test always fails with:
    error: expected identifier or '(' before '[' token
The following checks are affected:
- variable length arrays
- type of inbuf parameter to iconv
Fix from upstream (Apache).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Backport iconv fixes from master.
- Include nls.mk and remove the uclibc iconv hack.
- The above change pointed to an issue with the unimrcp sed script. It
  is missing brackets, which causes follow-up breakage when APR_SETVAR
  is called, because the latter uses commas to separate its arguments -
  commas that TARGET_LDFLAGS contains when nls.mk is included. So add
  the missing brackets.
- mod_gsmopen is unable to detect whether iconv's inbuf is const. Update
  the patch so the Makefile can pass this information on to mod_gsmopen.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>