Patch from upstream:
Summary Remote crash vulnerability DNS SRV and NAPTR lookups
Nature of Advisory Denial Of Service
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On October 23, 2018
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- clean up variable names
- add options to uci config to enable/disable logging
- remove option change_perm as it's hacky
- change check before mkdir and friends to prevent
overwriting/chown/chmod of existing files/directories (important)
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Don't force freeswitch to off during postinstall. It's not common
practice (anywhere) and it may be confusing.
Add a link to the Wiki, too, and bump the revision.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
There is no point in keeping the hotplug script in an extra package.
Move it to the main package.
The priority of the script is changed from 99 to 90 as the freeswitch
init script uses the same.
The postinstall script will check if 99-freeswitch exists. If it does a
warning is displayed with the suggestion to uninstall the hotplug
package.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
procd runs as pid 1. When freeswitch realizes that its parent has pid 1,
it thinks that it has been orphaned and terminates the console thread.
That's why procd isn't able to get freeswitch's console output.
This commit mutes the check in src/switch_console.c. Now console output
is properly logged. The workaround parameters "-nc -nf" are replaced by
a proper "-c" ("console").
Additionally this commit hands control over killing freeswitch to procd.
It's no longer done by the script. This simplifies things quite a bit.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Following up the discussion in pull request #388 this commit removes the
depend on libx264 and prevents baresip from linking to libx264.
baresip can still use a H.264 encoder through ffmpeg, which is the
preferred way anyway.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Minor version bump. Two CVE patches can be removed as they're already
included in the source. One patch was refreshed.
Also:
- https://sources.openwrt.org is added as primary source URL to lessen
the load on kamailio upstream
- Build/Configure is defined as empty (because there is no configure
script in the source tree
- patch is added to fix dp_replace(); the function was first added in the
5.1 release and didn't work; patch was accepted upstream
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Remove the depend on mod-db-sqlite from some modules. They may depend on
a db module, but any will do. And mod-jsonrpcs also does not depend on
mod-json.
Maybe things were different in the past. But today these depends aren't
needed.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
kamailio can be started with multiple "-l" ("listen") parameters to tell
it which IPs to listen on. This can also be configured in kamailio.cfg,
of course.
This commit adds the ability to the init script to translate iface names
like "wan" into IP addresses and hand them over to kamailio as command
line arguments. This is useful when using a network connection where IPs
are dynamically assigned.
kamailio can also work with interface names, e.g. "eth0". But it may
listen to all IPs configured on the interface. To avoid this the commit
differentiates beteen IPv4 ("listen") and IPv6 ("listen6"). So if the
user wants kamailio to only listen on an IPv4 address configured on a
certain iface ("wan" for instance), he/she can just specify a list entry
"listen" with that iface.
An explanation is also added to the uci configuration file.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Commit f84dda74e6 ("kamailio-5.x: enable
FAST_LOCK for MIPS") turned out to be problematic, because it changed
the ARCH to "mips2" not only for "mips", but also for some "mipsel"
targets, which was unintentional.
Address this by filtering for "mips" specifically before setting the
variable.
Also, get rid of PKG_BUILD_PARALLEL, because adding it really didn't
change anything - due to the way "make" is called. Leave a comment to
prevent repetition (read: prevent _me_ from doing the same mistake again
in the future).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit
- updates init script to use procd
- adds a default user 'kamailio' (kamailio will switch to this user)
- introduces uci init config (instead of /etc/default/kamailio)
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
rtpproxy expects IPs as parameters. Lots of OpenWrt devices use
connections where the IP is dynamically assigned. This commit adds shell
functions to convert an iface like 'wan' to an IP address before adding
the parameter to the rtpproxy command line.
Explanation is provided in /etc/config/rtpproxy. Some whitespace issues
were also fixed.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add log_level option to uci config. Paired with the comment it makes
setting the log level easier when no man page is around.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Update rtpproxy init script to use procd.
Also increases the start priority to 90 (like the hotplug script) to
make sure rtpproxy is started before kamailio.
Fixes some whitespace issues along the way, too.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Install hotplug script along with rtpproxy. It will only be used if
enabled by the user (via uci config file).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
With OpenWrt default awk - so awk from busybox - the filter is broken,
causing jsonrpc calls to fail, i.e. when running "kamctl ps". Below
patch makes the filter portable. Patch was already accepted upstream.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add package for Opus codec support plugin. Variants for both asterisk13
and asterisk15 included.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
.. because the musl implementation doesn't seem to be fully compatible
with yate. We switched to the musl implementation in f6ad95d.
Yate has this regexp:
^([[:alpha:]][[:alnum:]]+:)?/?/?([^[:space:][:cntrl:]@]+@)?([[:alnum:]._+-]+|[[][[:xdigit:].:]+[]])(:[0-9]+)?
Given a string like
sip:012345678@11.111.11.111:5060;user=phone
musl's regexec() returns these matches:
index start end
0 -1 0
1 0 32 sip:012345678@11.111.11.111:5060
2 -1 -1
3 0 14 sip:012345678@
4 14 27 11.111.11.111
5 27 32 :5060
.. but this is what yate expects:
index start end
0 -1 0
1 0 32 sip:012345678@11.111.11.111:5060
2 0 4 sip:
3 4 14 012345678@
4 14 27 11.111.11.111
5 27 32 :5060
Fixes#378
Signed-off-by: Robert Högberg <robert.hogberg@gmail.com>
- bump version
- go back to using release tarballs (unavailable when 1.8.1 was
initially released)
- add OpenWrt mirror
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add upstream fix for AST-2018-009: Remote crash vulnerability in HTTP
websocket upgrade
The vulnerability affects the res_http_websocket.so module.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Add upstream fix for AST-2018-009: Remote crash vulnerability in HTTP
websocket upgrade
The vulnerability affects the res_http_websocket.so module.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with
an invalid Via header causes a segmentation fault and crashes Kamailio. The
reason is missing input validation in the crcitt_string_array core function
for calculating a CRC hash for To tags. (An additional error is present in
the check_via_address core function: this function also misses input
validation.) This could result in denial of service and potentially the
execution of arbitrary code.
Patch from upstream.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit replaces /etc/default/freeswitch with /etc/config/freeswitch.
This way the init and hotplug configuration can be done with uci instead of
having to edit a file.
This also does away with the busybox ntpd warning. ntpd uses the same
configuration in system and it looks like busybox's ntpd is not used when
ntpd is installed.
Lastly some log strings are amended to start with a lowercase letter.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
There is a discussion ongoing if parallel builds should be enabled by
default. For freeswitch parallel builds are known to fail when certain
modules are enabled. This commit preemptively disables parallel builds
explicitly.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
A recent commit in packages/lang/perl is causing a problem with the
perlmod.mk include. Work around this by including perlver.mk instead and
setting up PERL_CMD and PERL_SITELIB manually.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
