Merge pull request #490 from micmac1/17.01-AST-2019-006_007_008

[17.01] asterisk-13.x: add fixes for AST-2019-006, 007 & 008
asterisk-13.x: add fixes for AST-2019-006, 007 & 008
2019-12-01 22:21:24 +01:00 · 2019-11-22 21:18:13 +01:00 · 2019-07-12 22:14:51 +02:00 · 2019-07-12 19:24:49 +02:00 · 2018-09-21 16:49:07 +02:00 · 2018-09-21 16:47:50 +02:00
61 changed files with 2961 additions and 1059 deletions
--- a/libs/dahdi-tools/Makefile
+++ b/libs/dahdi-tools/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=dahdi-tools
 PKG_VERSION:=2.11.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/dahdi-tools/releases/
@ -30,7 +30,7 @@ endef

 define Package/dahdi-cfg
  $(call Package/dahdi-cfg/Default)
-  DEPENDS+=+libpthread
+  DEPENDS+=+libpthread +dahdi-tools-libtonezone
  TITLE:=DAHDI tools dahdi_cfg, dahdi_scan and fxotune
 endef

@ -44,6 +44,7 @@ define Package/dahdi-tools-libtonezone
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=DAHDI tonezone library
+  DEPENDS+=+libpthread
 endef

 TARGET_CFLAGS += $(FPIC)
@ -74,7 +75,7 @@ endef

 define Package/dahdi-cfg/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(CP) $(PKG_BUILD_DIR)/dahdi_cfg $(1)/usr/sbin/
+	$(CP) $(PKG_BUILD_DIR)/.libs/dahdi_cfg $(1)/usr/sbin/
 	$(CP) $(PKG_BUILD_DIR)/dahdi_scan $(1)/usr/sbin/
 	$(CP) $(PKG_BUILD_DIR)/fxotune $(1)/usr/sbin/
 endef
--- a/libs/iksemel/Makefile
+++ b/libs/iksemel/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=iksemel
 PKG_VERSION:=1.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/
@ -31,7 +31,7 @@ define Package/libiksemel
  CATEGORY:=Libraries
  TITLE:=Iksemel Jabber Library
  URL:=http://code.google.com/p/iksemel/
-  DEPENDS:= +libgnutls +libtasn1 +libgcrypt +libgpg-error
+  DEPENDS:=+libgnutls
 endef

 define Package/libiksemel/description
@ -41,21 +41,6 @@ in ANSI C except the network code (which is POSIX compatible), thus
 highly portable.
 endef

-TARGET_CFLAGS += $(FPIC)
-TARGET_LDFLAGS += \
-	-Wl,-rpath-link,$(STAGING_DIR)/usr/lib \
-	-lgnutls -lgcrypt -lgpg-error
-
-define Build/Configure
-	$(call Build/Configure/Default, \
-		--enable-shared \
-		--enable-static \
-		--with-libgnutls-prefix="$(STAGING_DIR)/usr" \
-		, \
-		LIBS="$(TARGET_LDFLAGS)" \
-	)
-endef
-
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include/
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/iksemel.h $(1)/usr/include/
--- a/libs/iksemel/patches/001-missing-macros.patch
+++ b/libs/iksemel/patches/001-missing-macros.patch
@ -1,163 +0,0 @@
--- /dev/null
-+++ b/gnutls.m4
-@@ -0,0 +1,160 @@
-+dnl Autoconf macros for libgnutls
-+dnl $id$
-+
-+# Modified for LIBGNUTLS -- nmav
-+# Configure paths for LIBGCRYPT
-+# Shamelessly stolen from the one of XDELTA by Owen Taylor
-+# Werner Koch   99-12-09
-+
-+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
-+dnl
-+AC_DEFUN([AM_PATH_LIBGNUTLS],
-+[dnl
-+dnl Get the cflags and libraries from the libgnutls-config script
-+dnl
-+AC_ARG_WITH(libgnutls-prefix,
-+          [  --with-libgnutls-prefix=PFX   Prefix where libgnutls is installed (optional)],
-+          libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
-+
-+  if test x$libgnutls_config_prefix != x ; then
-+     if test x${LIBGNUTLS_CONFIG+set} != xset ; then
-+        LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
-+     fi
-+  fi
-+
-+  AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
-+  min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
-+  AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
-+  no_libgnutls=""
-+  if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+    no_libgnutls=yes
-+  else
-+    LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
-+    LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
-+    libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
-+
-+
-+      ac_save_CFLAGS="$CFLAGS"
-+      ac_save_LIBS="$LIBS"
-+      CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+      LIBS="$LIBS $LIBGNUTLS_LIBS"
-+dnl
-+dnl Now check if the installed libgnutls is sufficiently new. Also sanity
-+dnl checks the results of libgnutls-config to some extent
-+dnl
-+      rm -f conf.libgnutlstest
-+      AC_TRY_RUN([
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <gnutls/gnutls.h>
-+
-+int
-+main ()
-+{
-+    system ("touch conf.libgnutlstest");
-+
-+    if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
-+    {
-+      printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
-+             "$libgnutls_config_version", gnutls_check_version(NULL) );
-+      printf("*** was found! If libgnutls-config was correct, then it is best\n");
-+      printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
-+      printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
-+      printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
-+      printf("*** required on your system.\n");
-+      printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
-+      printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
-+      printf("*** before re-running configure\n");
-+    }
-+    else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
-+    {
-+      printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
-+      printf("*** library (version %s)\n", gnutls_check_version(NULL) );
-+    }
-+    else
-+    {
-+      if ( gnutls_check_version( "$min_libgnutls_version" ) )
-+      {
-+        return 0;
-+      }
-+     else
-+      {
-+        printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
-+                gnutls_check_version(NULL) );
-+        printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
-+               "$min_libgnutls_version" );
-+        printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
-+        printf("*** \n");
-+        printf("*** If you have already installed a sufficiently new version, this error\n");
-+        printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
-+        printf("*** being found. The easiest way to fix this is to remove the old version\n");
-+        printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
-+        printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
-+        printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
-+        printf("*** so that the correct libraries are found at run-time))\n");
-+      }
-+    }
-+  return 1;
-+}
-+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
-+       CFLAGS="$ac_save_CFLAGS"
-+       LIBS="$ac_save_LIBS"
-+  fi
-+
-+  if test "x$no_libgnutls" = x ; then
-+     AC_MSG_RESULT(yes)
-+     ifelse([$2], , :, [$2])
-+  else
-+     if test -f conf.libgnutlstest ; then
-+        :
-+     else
-+        AC_MSG_RESULT(no)
-+     fi
-+     if test "$LIBGNUTLS_CONFIG" = "no" ; then
-+       echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
-+       echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
-+       echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
-+       echo "*** full path to libgnutls-config."
-+     else
-+       if test -f conf.libgnutlstest ; then
-+        :
-+       else
-+          echo "*** Could not run libgnutls test program, checking why..."
-+          CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-+          LIBS="$LIBS $LIBGNUTLS_LIBS"
-+          AC_TRY_LINK([
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <gnutls/gnutls.h>
-+],      [ return !!gnutls_check_version(NULL); ],
-+        [ echo "*** The test program compiled, but did not run. This usually means"
-+          echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
-+          echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
-+          echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
-+          echo "*** to the installed location  Also, make sure you have run ldconfig if that"
-+          echo "*** is required on your system"
-+          echo "***"
-+          echo "*** If you have an old version installed, it is best to remove it, although"
-+          echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
-+          echo "***" ],
-+        [ echo "*** The test program failed to compile or link. See the file config.log for the"
-+          echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
-+          echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
-+          echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
-+          CFLAGS="$ac_save_CFLAGS"
-+          LIBS="$ac_save_LIBS"
-+       fi
-+     fi
-+     LIBGNUTLS_CFLAGS=""
-+     LIBGNUTLS_LIBS=""
-+     ifelse([$3], , :, [$3])
-+  fi
-+  rm -f conf.libgnutlstest
-+  AC_SUBST(LIBGNUTLS_CFLAGS)
-+  AC_SUBST(LIBGNUTLS_LIBS)
-+])
-+
-+dnl *-*wedit:notab*-*  Please keep this as the last line.
--- a/libs/iksemel/patches/001-pkgconfig-gnutls.patch
+++ b/libs/iksemel/patches/001-pkgconfig-gnutls.patch
@ -0,0 +1,28 @@
+Last-Update: 2013-07-29
+Forwarded: not-needed
+Origin: upstream, commit:4652af9cf119145af3a90c632f8a6db215946784
+Bug-Iksemel: https://code.google.com/p/iksemel/issues/detail?id=20
+Author: Dmitry Smirnov <onlyjob@member.fsf.org>
+Description: use pkgconfig for checking gnutls
+
+--- a/configure.ac
+++ b/configure.ac
+@@ -44,9 +44,17 @@
+ AC_SEARCH_LIBS(recv,socket)
+ AC_CHECK_FUNCS(getopt_long)
+ AC_CHECK_FUNCS(getaddrinfo)
+ 
+-AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
+dnl Check GNU TLS
+PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no) 
+if test "x$have_gnutls" = "xyes"; then
+  LIBGNUTLS_CFLAGS="$GNUTLS_CFLAGS"
+  LIBGNUTLS_LIBS="$GNUTLS_LIBS"
+  AC_SUBST(LIBGNUTLS_CFLAGS)
+  AC_SUBST(LIBGNUTLS_LIBS)
+  AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.]) 
+fi
+ 
+ dnl Check -Wall flag of GCC
+ if test "x$GCC" = "xyes"; then
+   if test -z "`echo "$CFLAGS" | grep "\-Wall" 2> /dev/null`" ; then
--- a/libs/iksemel/patches/002-secure_gnutls_options.patch
+++ b/libs/iksemel/patches/002-secure_gnutls_options.patch
@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck) <duck@duckcorp.org>
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
+++ b/src/stream.c
+@@ -62,13 +62,9 @@
+ 
+ static int
+ handshake (struct stream_data *data)
+ {
+-	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+-	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+-	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+-	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+-	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+	const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+ 	int ret;
+ 
+ 	if (gnutls_global_init () != 0)
+ 		return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+ 	if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+ 		gnutls_certificate_free_credentials (data->cred);
+ 		return IKS_NOMEM;
+ 	}
+-	gnutls_protocol_set_priority (data->sess, protocol_priority);
+-	gnutls_cipher_set_priority(data->sess, cipher_priority);
+-	gnutls_compression_set_priority(data->sess, comp_priority);
+-	gnutls_kx_set_priority(data->sess, kx_priority);
+-	gnutls_mac_set_priority(data->sess, mac_priority);
+	gnutls_priority_set_direct(data->sess, priority_string, NULL);
+ 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+ 
+ 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+ 	gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
--- a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
+++ b/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
@ -1,65 +0,0 @@
-From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001
-From: John Papandriopoulos <jpap@users.noreply.github.com>
-Date: Thu, 20 Aug 2015 16:55:39 -0700
-Subject: [PATCH] Use of newer gnutls_priority_set_direct API
-
---
- configure.ac |  1 +
- src/stream.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 91e69e3..281a044 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long)
- AC_CHECK_FUNCS(getaddrinfo)
- 
- AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
-+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct))
- 
- dnl Check -Wall flag of GCC
- if test "x$GCC" = "xyes"; then
-diff --git a/src/stream.c b/src/stream.c
-index e8a1e8c..7d19a82 100644
--- a/src/stream.c
-+++ b/src/stream.c
-@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len)
- static int
- handshake (struct stream_data *data)
- {
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+	const char *priorities =
-+		"NONE"
-+		":+VERS-TLS1.0:+VERS-SSL3.0"
-+		":+RSA"
-+		":+3DES-CBC:+ARCFOUR-128"
-+		":+SHA1:+SHA256:+SHA384:+MD5";
-+#else
- 	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- 	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- 	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- 	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- 	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
-+#endif
- 	int ret;
- 
- 	if (gnutls_global_init () != 0)
-@@ -80,11 +89,15 @@ handshake (struct stream_data *data)
- 		gnutls_certificate_free_credentials (data->cred);
- 		return IKS_NOMEM;
- 	}
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+	gnutls_priority_set_direct (data->sess, priorities, NULL);
-+#else
- 	gnutls_protocol_set_priority (data->sess, protocol_priority);
- 	gnutls_cipher_set_priority(data->sess, cipher_priority);
- 	gnutls_compression_set_priority(data->sess, comp_priority);
- 	gnutls_kx_set_priority(data->sess, kx_priority);
- 	gnutls_mac_set_priority(data->sess, mac_priority);
-+#endif
- 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
- 
- 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
-- 
-2.1.4
--- a/libs/libosip2/Makefile
+++ b/libs/libosip2/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=libosip2
 PKG_VERSION:=4.1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/osip
--- a/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
+++ b/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
@ -0,0 +1,69 @@
+Upstream patches by Aymeric Moizard <amoizard@gmail.com>:
+
+7e0793e15e21f68337e130c67b031ca38edf055f
+1d9fb1d3a71cc85ef95352e549b140c706cf8696
+b9dd097b5b24f5ee54b0a8739e59641cd51b6ead
+1ae06daf3b2375c34af23083394a6f010be24a45
+
+--- libosip2-4.1.0.orig/src/osipparser2/osip_body.c
+++ libosip2-4.1.0/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+   }
+ 
+   if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
+    if (length < tmp_body - ptr + 3) {
+      size_t len;
+
+      len = tmp_body - ptr;
+      length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
+      ptr = osip_realloc (ptr, length);
+      tmp_body = ptr + len;
+    }
+     tmp_body = osip_strn_append (tmp_body, CRLF, 2);
+   }
+   if (length < tmp_body - ptr + body->length + 4) {
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_parse.c
+++ libosip2-4.1.0/src/osipparser2/osip_message_parse.c
+@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
+     if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
+       start_of_body++;
+ 
+    /* if message body is empty or contains a single CR/LF */
+    if (end_of_body <= start_of_body) {
+      osip_free (sep_boundary);
+      return OSIP_SYNTAXERROR;
+    }
+
+     body_len = end_of_body - start_of_body;
+ 
+     /* Skip CR before end boundary. */
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_to_str.c
+++ libosip2-4.1.0/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+     /* A start-line isn't required for message/sipfrag parts. */
+   }
+   else {
+    size_t message_len = strlen(tmp);
+    if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
+      osip_free (tmp);
+      *dest = NULL;
+      return OSIP_NOMEM;
+    }
+
+     message = osip_str_append (message, tmp);
+     osip_free (tmp);
+     message = osip_strn_append (message, CRLF, 2);
+--- libosip2-4.1.0.orig/src/osipparser2/osip_port.c
+++ libosip2-4.1.0/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+   char *p;
+   size_t spaceless_length;
+ 
+-  if (src == NULL)
+  if (src == NULL || len == 0) {
+    *dst = '\0';
+     return NULL;
+  }
+ 
+   /* find the start of relevant text */
+   pbeg = src;
--- a/libs/libsrtp/Makefile
+++ b/libs/libsrtp/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=libsrtp
 PKG_VERSION:=1.4.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=srtp-$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/srtp
--- a/libs/libsrtp/patches/1009_CVE-2013-2139.patch
+++ b/libs/libsrtp/patches/1009_CVE-2013-2139.patch
@ -0,0 +1,39 @@
+Description: CVE-2013-2139: buffer overflow in application of crypto profiles
+Origin: backport,
+ https://github.com/cisco/libsrtp/pull/27,
+ https://github.com/cisco/libsrtp/commit/8884f4d8eb4ca7122dfcbd640b933b98ef4bab80,
+ https://github.com/cisco/libsrtp/commit/8e47faf0f5b90672c7ebf2f0cf0562ee81a8b621,
+ https://github.com/cisco/libsrtp/commit/0acbb039c12b790621839facf56bfedbd071b74d
+Bug: https://github.com/cisco/libsrtp/issues/24
+Bug-Debian: http://bugs.debian.org/711163
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-01-02
+
+--- a/srtp/srtp.c
+++ b/srtp/srtp.c
+@@ -1807,15 +1807,12 @@
+   switch(profile) {
+   case srtp_profile_aes128_cm_sha1_80:
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+     crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+-    crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
+     crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+-    crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+     break;
+     /* the following profiles are not (yet) supported */
+   case srtp_profile_null_sha1_32:
+@@ -1838,6 +1835,8 @@
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_aes128_cm_sha1_32:
+    /* We do not honor the 32-bit auth tag request since
+     * this is not compliant with RFC 3711 */
+     crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+     break;
+   case srtp_profile_null_sha1_80:
--- a/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
+++ b/libs/libsrtp/patches/1010-CVE-2015-6360-1.patch
@ -0,0 +1,13 @@
+Index: srtp-1.4.4~dfsg/srtp/srtp.c
+===================================================================
+--- srtp-1.4.4~dfsg.orig/srtp/srtp.c	2016-01-17 19:49:52.000000000 +0100
+++ srtp-1.4.4~dfsg/srtp/srtp.c	2016-01-17 22:50:43.000000000 +0100
+@@ -938,6 +938,8 @@
+       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+       enc_start += (ntohs(xtn_hdr->length) + 1);
+     }  
+    if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
+       return err_status_parse_err;
+     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
+ 			       - ((enc_start - (uint32_t *)hdr) << 2));
+   } else {
--- a/libs/pjproject/Makefile
+++ b/libs/pjproject/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016 OpenWrt.org
+# Copyright (C) 2016 - 2018 OpenWrt.org
 # Copyright (C) 2016 Cesnet, z.s.p.o.
 #
 # This is free software, licensed under the GNU General Public License v2.
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=pjproject
-PKG_VERSION:=2.4.5
+PKG_VERSION:=2.7.2
 PKG_RELEASE:=1

 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.pjsip.org/release/$(PKG_VERSION)/
-PKG_MD5SUM:=f58b3485977b3a700256203a554b3869
+PKG_HASH:=9c2c828abab7626edf18e04b041ef274bfaa86f99adf2c25ff56f1509e813772
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf

@ -31,7 +31,7 @@ define Package/pjproject/Default
  CATEGORY:=Libraries
  SUBMENU:=Telephony
  URL:=http://www.pjsip.org/
-  DEPENDS:=+libuuid +libstdcpp +libpthread
+  DEPENDS:=+libopenssl +libuuid +libstdcpp +libpthread
 endef

 define Package/pjproject/install/lib
@ -54,46 +54,47 @@ $(call Package/pjproject/install/lib,$$(1),$2)
 endef

 CONFIGURE_ARGS += \
-	--enable-shared \
-	--disable-floating-point \
-	--enable-g711-codec \
-	--disable-l16-codec \
-	--disable-g722-codec \
-	--disable-g7221-codec \
-	--disable-gsm-codec \
-	--disable-ilbc-coder \
-	--disable-ipp \
-	--disable-ssl \
-	--disable-oss \
-	--disable-sound \
-	--with-external-srtp="$(STAGING_DIR)/usr" \
-	--without-external-gsm \
-	--disable-small-filter \
-	--disable-large-filter \
-	--disable-speex-aec \
-	--disable-g711-codec \
-	--disable-l16-codec \
-	--disable-gsm-codec \
-	--disable-g722-codec \
-	--disable-g7221-codec \
-	--disable-speex-codec \
-	--disable-ilbc-codec \
-	--disable-resample-dll \
-	--disable-sdl \
+	$(if $(CONFIG_SOFT_FLOAT),--disable-floating-point) \
+	--disable-bcg729 \
+	--disable-ext-sound \
 	--disable-ffmpeg \
-	--disable-v4l2
+	--disable-g711-codec \
+	--disable-g722-codec \
+	--disable-g7221-codec \
+	--disable-gsm-codec \
+	--disable-ilbc-codec \
+	--disable-ipp \
+	--disable-l16-codec \
+	--disable-libwebrtc \
+	--disable-libyuv \
+	--disable-opencore-amr \
+	--disable-openh264 \
+	--disable-opus \
+	--disable-oss \
+	--disable-resample \
+	--disable-sdl \
+	--disable-silk \
+	--disable-sound \
+	--disable-speex-aec \
+	--disable-speex-codec \
+	--disable-v4l2 \
+	--disable-video \
+	--enable-shared \
+	--with-external-srtp="$(STAGING_DIR)/usr" \
+	--with-ssl="$(STAGING_DIR)/usr" \
+	--without-external-gsm \
+	--without-external-pa \
+	--without-external-webrtc

-TARGET_LDFLAGS+=-lc $(LIBGCC) -lm
-TARGET_CFLAGS+=$(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)
+TARGET_CFLAGS+=$(TARGET_CPPFLAGS)

 define Build/Compile
 	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)
 endef

 PJPROJECT_LIBS = \
-	libpj libpjlib-util libpjmedia-audiodev libpjmedia-codec \
-	libpjmedia-videodev libpjmedia libpjnath libpjsip-simple \
-	libpjsip-ua libpjsip libpjsua libpjsua2 libresample
+	libpj libpjlib-util libpjmedia libpjnath libpjsip-simple \
+	libpjsip-ua libpjsip libpjsua libpjsua2

 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/{include,lib}
@ -102,16 +103,16 @@ define Build/InstallDev

 	$(foreach m,$(PJPROJECT_LIBS),$(CP) $(PKG_INSTALL_DIR)/usr/lib/$(m)* $(1)/usr/lib/;)
 	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(SED) 's|$(TARGET_CFLAGS)||g' $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libpjproject.pc
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libpjproject.pc $(1)/usr/lib/pkgconfig/
 endef

 $(eval $(call PJSIPpackage,libpj,libpj,+librt))
 $(eval $(call PJSIPpackage,libpjlib-util,libpjlib-util,+libpj +librt))
-$(eval $(call PJSIPpackage,libpjmedia,libpjmedia*,+libpj +libpjlib-util +libpjnath +libresample +librt +libspeex +libsrtp))
+$(eval $(call PJSIPpackage,libpjmedia,libpjmedia*,+libpj +libpjlib-util +libpjnath +librt +libsrtp))
 $(eval $(call PJSIPpackage,libpjnath,libpjnath,+libpj +libpjlib-util +librt))
-$(eval $(call PJSIPpackage,libpjsip-simple,libpjsip-simple,+libpj +libpjlib-util +libpjsip +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsip-ua,libpjsip-ua,+libpj +libpjlib-util +libpjmedia +libpjsip-simple +libpjsip +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsip,libpjsip,+libpj +libpjlib-util +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsua,libpjsua,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libresample +librt +libspeex +libsrtp))
-$(eval $(call PJSIPpackage,libpjsua2,libpjsua2,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libresample +librt +libspeex +libsrtp +libpjsua))
-$(eval $(call PJSIPpackage,libresample,libresample,))
+$(eval $(call PJSIPpackage,libpjsip-simple,libpjsip-simple,+libpj +libpjlib-util +libpjsip +librt))
+$(eval $(call PJSIPpackage,libpjsip-ua,libpjsip-ua,+libpj +libpjlib-util +libpjmedia +libpjsip-simple +libpjsip +librt))
+$(eval $(call PJSIPpackage,libpjsip,libpjsip,+libpj +libpjlib-util +librt +libsrtp))
+$(eval $(call PJSIPpackage,libpjsua,libpjsua,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +librt))
+$(eval $(call PJSIPpackage,libpjsua2,libpjsua2,+libpj +libpjlib-util +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +librt +libpjsua))
--- a/libs/pjproject/patches/120-non-gnu-pthreads.patch
+++ b/libs/pjproject/patches/120-non-gnu-pthreads.patch
@ -1,7 +1,5 @@
-Index: pjproject-2.4/pjlib/src/pj/os_core_unix.c
-===================================================================
--- pjproject-2.4.orig/pjlib/src/pj/os_core_unix.c
-+++ pjproject-2.4/pjlib/src/pj/os_core_unix.c
+--- pjproject-2.6/pjlib/src/pj/os_core_unix.c	2016-04-13 08:24:48.000000000 +0200
+++ pjproject-new/pjlib/src/pj/os_core_unix.c	2017-05-08 09:51:49.980905420 +0200
@@ -1123,7 +1123,7 @@ static pj_status_t init_mutex(pj_mutex_t
 	return PJ_RETURN_OS_ERROR(rc);
 
@ -9,7 +7,7 @@ Index: pjproject-2.4/pjlib/src/pj/os_core_unix.c
 -#if (defined(PJ_LINUX) && PJ_LINUX!=0) || \
 +#if (defined(PJ_LINUX) && PJ_LINUX!=0 && defined(__GLIBC__)) || \
     defined(PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE)
- 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_FAST_NP);
+ 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
 #elif (defined(PJ_RTEMS) && PJ_RTEMS!=0) || \
@@ -1133,7 +1133,7 @@ static pj_status_t init_mutex(pj_mutex_t
 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
@ -18,49 +16,5 @@ Index: pjproject-2.4/pjlib/src/pj/os_core_unix.c
 -#if (defined(PJ_LINUX) && PJ_LINUX!=0) || \
 +#if (defined(PJ_LINUX) && PJ_LINUX!=0 && defined(__GLIBC__)) || \
      defined(PJ_HAS_PTHREAD_MUTEXATTR_SETTYPE)
- 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE_NP);
+ 	rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
 #elif (defined(PJ_RTEMS) && PJ_RTEMS!=0) || \
-Index: pjproject-2.4/pjsip-apps/src/samples/siprtp.c
-===================================================================
--- pjproject-2.4.orig/pjsip-apps/src/samples/siprtp.c
-+++ pjproject-2.4/pjsip-apps/src/samples/siprtp.c
-@@ -1134,7 +1134,7 @@ static void boost_priority(void)
- 		    PJ_RETURN_OS_ERROR(rc));
- 	return;
-     }
-    tp.__sched_priority = max_prio;
-+    tp.sched_priority = max_prio;
- 
-     rc = sched_setscheduler(0, POLICY, &tp);
-     if (rc != 0) {
-@@ -1143,7 +1143,7 @@ static void boost_priority(void)
-     }
- 
-     PJ_LOG(4, (THIS_FILE, "New process policy=%d, priority=%d",
-	      policy, tp.__sched_priority));
-+	      policy, tp.sched_priority));
- 
-     /*
-      * Adjust thread scheduling algorithm and priority
-@@ -1156,10 +1156,10 @@ static void boost_priority(void)
-     }
- 
-     PJ_LOG(4, (THIS_FILE, "Old thread policy=%d, priority=%d",
-	      policy, tp.__sched_priority));
-+	      policy, tp.sched_priority));
- 
-     policy = POLICY;
-    tp.__sched_priority = max_prio;
-+    tp.sched_priority = max_prio;
- 
-     rc = pthread_setschedparam(pthread_self(), policy, &tp);
-     if (rc != 0) {
-@@ -1169,7 +1169,7 @@ static void boost_priority(void)
-     }
- 
-     PJ_LOG(4, (THIS_FILE, "New thread policy=%d, priority=%d",
-	      policy, tp.__sched_priority));
-+	      policy, tp.sched_priority));
- }
- 
- #else
--- a/libs/pjproject/patches/150-config_site.patch
+++ b/libs/pjproject/patches/150-config_site.patch
@ -0,0 +1,95 @@
+--- /dev/null
+++ b/pjlib/include/pj/config_site.h
+@@ -0,0 +1,92 @@
+/*
+ * Asterisk config_site.h
+ */
+
+#include <sys/select.h>
+
+/*
+ * Since both pjproject and asterisk source files will include config_site.h,
+ * we need to make sure that only pjproject source files include asterisk_malloc_debug.h.
+ */
+
+/* #if defined(MALLOC_DEBUG) && !defined(_ASTERISK_ASTMM_H)
+ * #include "asterisk_malloc_debug.h"
+ * #endif
+ */
+
+/*
+ * Defining PJMEDIA_HAS_SRTP to 0 does NOT disable Asterisk's ability to use srtp.
+ * It only disables the pjmedia srtp transport which Asterisk doesn't use.
+ * The reason for the disable is that while Asterisk works fine with older libsrtp
+ * versions, newer versions of pjproject won't compile with them.
+ */
+
+/*
+ * This doesn't disable SRTP completely, so we have to keep using the external
+ * libsrtp, otherwise pjsip would just build the internal one.
+ */
+
+#define PJMEDIA_HAS_SRTP 0
+
+/*
+ * Defining PJMEDIA_HAS_WEBRTC_AEC to 0 does NOT disable Asterisk's ability to use
+ * webrtc.  It only disables the pjmedia webrtc transport which Asterisk doesn't use.
+ */
+#define PJMEDIA_HAS_WEBRTC_AEC 0
+
+#define PJ_HAS_IPV6 1
+#define NDEBUG 1
+#define PJ_MAX_HOSTNAME (256)
+#define PJSIP_MAX_URL_SIZE (512)
+#ifdef PJ_HAS_LINUX_EPOLL
+#define PJ_IOQUEUE_MAX_HANDLES	(5000)
+#else
+#define PJ_IOQUEUE_MAX_HANDLES	(FD_SETSIZE)
+#endif
+#define PJ_IOQUEUE_HAS_SAFE_UNREG 1
+#define PJ_IOQUEUE_MAX_EVENTS_IN_SINGLE_POLL (16)
+
+#define PJ_SCANNER_USE_BITWISE	0
+#define PJ_OS_HAS_CHECK_STACK	0
+
+#ifndef PJ_LOG_MAX_LEVEL
+#define PJ_LOG_MAX_LEVEL		6
+#endif
+
+#define PJ_ENABLE_EXTRA_CHECK	1
+#define PJSIP_MAX_TSX_COUNT		((64*1024)-1)
+#define PJSIP_MAX_DIALOG_COUNT	((64*1024)-1)
+#define PJSIP_UDP_SO_SNDBUF_SIZE	(512*1024)
+#define PJSIP_UDP_SO_RCVBUF_SIZE	(512*1024)
+#define PJ_DEBUG			0
+#define PJSIP_SAFE_MODULE		0
+#define PJ_HAS_STRICMP_ALNUM		0
+
+/*
+ * Do not ever enable PJ_HASH_USE_OWN_TOLOWER because the algorithm is
+ * inconsistently used when calculating the hash value and doesn't
+ * convert the same characters as pj_tolower()/tolower().  Thus you
+ * can get different hash values if the string hashed has certain
+ * characters in it.  (ASCII '@', '[', '\\', ']', '^', and '_')
+ */
+#undef PJ_HASH_USE_OWN_TOLOWER
+
+/*
+  It is imperative that PJSIP_UNESCAPE_IN_PLACE remain 0 or undefined.
+  Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered.
+*/
+#undef PJSIP_UNESCAPE_IN_PLACE
+#define PJSIP_MAX_PKT_LEN			6000
+
+#undef PJ_TODO
+#define PJ_TODO(x)
+
+/* Defaults too low for WebRTC */
+#define PJ_ICE_MAX_CAND 32
+#define PJ_ICE_MAX_CHECKS (PJ_ICE_MAX_CAND * PJ_ICE_MAX_CAND)
+
+/* Increase limits to allow more formats */
+#define	PJMEDIA_MAX_SDP_FMT   64
+#define	PJMEDIA_MAX_SDP_BANDW   4
+#define	PJMEDIA_MAX_SDP_ATTR   (PJMEDIA_MAX_SDP_FMT*2 + 4)
+#define	PJMEDIA_MAX_SDP_MEDIA   16
--- a/net/asterisk-11.x-chan-dongle/Makefile
+++ b/net/asterisk-11.x-chan-dongle/Makefile
@ -1,78 +0,0 @@
-#
-# Copyright (C) 2013 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=asterisk11-chan-dongle
-PKG_VERSION:=1.1r35
-PKG_REV:=28a46567a88cebdc365db6f294e682246fd2dd7b
-PKG_RELEASE:=6
-
-PKG_SOURCE_SUBDIR:=asterisk11-chan-dongle-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_SOURCE_SUBDIR).tar.gz
-PKG_SOURCE_URL:=https://github.com/jstasiak/asterisk-chan-dongle.git
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=$(PKG_REV)
-
-PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
-
-PKG_FIXUP:=autoreconf
-
-PKG_LICENSE:=GPL-2.0
-PKG_LICENSE_FILES:=COPYRIGHT.txt LICENSE.txt
-PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/asterisk11-chan-dongle
-  SUBMENU:=Telephony
-  SECTION:=net
-  CATEGORY:=Network
-  URL:=https://code.google.com/p/asterisk-chan-dongle/
-  DEPENDS:= asterisk11 +libiconv-full +kmod-usb-acm +kmod-usb-serial +kmod-usb-serial-option +libusb-1.0 +usb-modeswitch
-  TITLE:=Huawei UMTS 3G dongle support
-endef
-
-define Package/asterisk11-chan-dongle/description
- Asterisk channel driver for Huawei UMTS 3G dongle.
-endef
-
-MAKE_ARGS:= \
-	CC="$(TARGET_CC)" \
-	LD="$(TARGET_CC)" \
-	CFLAGS="$(TARGET_CFLAGS) -DASTERISK_VERSION_NUM=110000 -DLOW_MEMORY -D_GNU_SOURCE -D_XOPEN_SOURCE=600 $(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/lib/libiconv-full/include -I$(STAGING_DIR)/usr/include/asterisk-11/include -DHAVE_CONFIG_H -I. -fPIC" \
-	LDFLAGS="$(TARGET_LDFLAGS) -L$(STAGING_DIR)/usr/lib/libiconv-full/lib -liconv" \
-	DESTDIR="$(PKG_INSTALL_DIR)/usr/lib/asterisk/modules"
-
-CONFIGURE_VARS += \
-	ac_cv_type_size_t=yes \
-	ac_cv_type_ssize_t=yes
-
-define Build/Configure
-	$(call Build/Configure/Default, \
-	    --with-asterisk=$(STAGING_DIR)/usr/include/asterisk-11/include \
-	    $(MAKE_ARGS) \
-	)
-endef
-
-define Build/Compile
-	mkdir -p $(PKG_INSTALL_DIR)/usr/lib/asterisk/modules
-	$(MAKE) -C "$(PKG_BUILD_DIR)" $(MAKE_ARGS) all install
-endef
-
-define Package/asterisk11-chan-dongle/conffiles
-/etc/asterisk/dongle.conf
-endef
-
-define Package/asterisk11-chan-dongle/install
-	$(INSTALL_DIR) $(1)/etc/asterisk
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/dongle.conf $(1)/etc/asterisk/
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/modules
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/asterisk/modules/chan_dongle.so $(1)/usr/lib/asterisk/modules/
-endef
-
-$(eval $(call BuildPackage,asterisk11-chan-dongle))
--- a/net/asterisk-11.x-chan-dongle/patches/001-add-send-ussd.patch
+++ b/net/asterisk-11.x-chan-dongle/patches/001-add-send-ussd.patch
@ -1,64 +0,0 @@
--- a/app.c
-+++ b/app.c
-@@ -114,7 +114,44 @@ static int app_send_sms_exec (attribute_
- 	return !status;
- }
- 
-+static int app_send_ussd_exec (attribute_unused struct ast_channel* channel, const char* data) 
-+{ 
-+        char*   parse; 
-+        const char* msg; 
-+        int status; 
-+        void * msgid; 
- 
-+        AST_DECLARE_APP_ARGS (args, 
-+                AST_APP_ARG (device); 
-+                AST_APP_ARG (ussd); 
-+        ); 
-+
-+        if (ast_strlen_zero (data)) 
-+        { 
-+                return -1; 
-+        } 
-+
-+        parse = ast_strdupa (data); 
-+
-+        AST_STANDARD_APP_ARGS (args, parse); 
-+
-+        if (ast_strlen_zero (args.device)) 
-+        { 
-+                ast_log (LOG_ERROR, "NULL device for ussd -- USSD will not be sent\n"); 
-+                return -1; 
-+        } 
-+
-+        if (ast_strlen_zero (args.ussd)) 
-+        { 
-+                ast_log (LOG_ERROR, "NULL ussd command -- USSD will not be sent\n"); 
-+                return -1; 
-+        } 
-+
-+        msg = send_ussd(args.device, args.ussd, &status, &msgid); 
-+        if(!status) 
-+                ast_log (LOG_ERROR, "[%s] %s with id %p\n", args.device, msg, msgid); 
-+        return !status; 
-+} 
- 
- static const struct dongle_application
- {
-@@ -144,7 +181,15 @@ static const struct dongle_application
- 		"  Message  - text of the message\n"
- 		"  Validity - Validity period in minutes\n"
- 		"  Report   - Boolean flag for report request\n"
-	}
-+	},
-+        { 
-+                "DongleSendUSSD", 
-+                app_send_ussd_exec, 
-+                "DongleSendUSSD(Device,USSD)", 
-+                "DongleSendUSSD(Device,USSD)\n" 
-+                "  Device   - Id of device from dongle.conf\n" 
-+                "  USSD     - ussd command\n" 
-+        }
- };
- 
- #if ASTERISK_VERSION_NUM >= 10800
--- a/net/asterisk-11.x-chan-dongle/patches/050-add-E1752-to-seven_bit_modems.patch
+++ b/net/asterisk-11.x-chan-dongle/patches/050-add-E1752-to-seven_bit_modems.patch
@ -1,19 +0,0 @@
-From da5cd41e8554eaf1133f85282c253da2c74ff7eb Mon Sep 17 00:00:00 2001
-From: "bg_one@mail.ru" <bg111@users.noreply.github.com>
-Date: Fri, 6 Sep 2013 19:37:05 +0000
-Subject: [PATCH] added E1752 to seven_bit_modems
-
---
- at_response.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletion(-)
-
--- a/at_response.c
-+++ b/at_response.c
-@@ -1590,6 +1590,7 @@ static int at_response_cgmm (struct pvt*
- 		"E171",
- 		"E153",
- 		"E156B",
-+		"E1752",
- 	};
- 
- 	ast_copy_string (pvt->model, str, sizeof (pvt->model));
--- a/net/asterisk-11.x-chan-dongle/patches/051-bump-package-revision.patch
+++ b/net/asterisk-11.x-chan-dongle/patches/051-bump-package-revision.patch
@ -1,20 +0,0 @@
-From da5cd41e8554eaf1133f85282c253da2c74ff7eb Mon Sep 17 00:00:00 2001
-From: "bg_one@mail.ru" <bg111@users.noreply.github.com>
-Date: Fri, 6 Sep 2013 19:37:05 +0000
-Subject: [PATCH] added E1752 to seven_bit_modems
-
---
- configure.in  | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
--- a/configure.in
-+++ b/configure.in
-@@ -2,7 +2,7 @@ dnl init
- dnl AC_REVISION($Revision: 1.30 $)
- AC_PREREQ([2.60])
- AC_INIT([chan_dongle],[1.1],[http://code.google.com/p/asterisk-chan-dongle/issues/list],[chan_dongle],[http://code.google.com/p/asterisk-chan-dongle])
-PACKAGE_REVISION="34"
-+PACKAGE_REVISION="35"
- AC_CANONICAL_TARGET
- AM_INIT_AUTOMAKE
- AC_CONFIG_HEADERS([config.h])
--- a/net/asterisk-11.x-chan-dongle/patches/100-fix-audio-on-big-endian-systems.patch
+++ b/net/asterisk-11.x-chan-dongle/patches/100-fix-audio-on-big-endian-systems.patch
@ -1,46 +0,0 @@
--- a/channel.c
-+++ b/channel.c
-@@ -495,6 +495,19 @@ again:
- 	}
- }
- 
-+// see https://github.com/openwrt/telephony/issues/7
-+static inline void change_audio_endianness_to_le(struct iovec *iov, int iovcnt)
-+{
-+#if __BYTE_ORDER == __LITTLE_ENDIAN
-+   return; // nothing to do
-+#else
-+   for(;iovcnt-->0;iov++)
-+   {
-+      ast_swapcopy_samples(iov->iov_base, iov->iov_base, iov->iov_len/2);
-+   }
-+#endif
-+}
-+
- #/* */
- static void timing_write (struct pvt* pvt)
- {
-@@ -522,6 +535,7 @@ static void timing_write (struct pvt* pv
- 			iovcnt = mixb_read_n_iov (&pvt->a_write_mixb, iov, FRAME_SIZE);
- 			mixb_read_n_iov (&pvt->a_write_mixb, iov, FRAME_SIZE);
- 			mixb_read_upd (&pvt->a_write_mixb, FRAME_SIZE);
-+			change_audio_endianness_to_le(iov, iovcnt);
- 		}
- 		else if (used > 0)
- 		{
-@@ -535,6 +549,7 @@ static void timing_write (struct pvt* pv
- 			iov[iovcnt].iov_base	= silence_frame;
- 			iov[iovcnt].iov_len	= FRAME_SIZE - used;
- 			iovcnt++;
-+			change_audio_endianness_to_le(iov, iovcnt);
- 		}
- 		else
- 		{
-@@ -544,6 +559,7 @@ static void timing_write (struct pvt* pv
- 			iov[0].iov_base		= silence_frame;
- 			iov[0].iov_len		= FRAME_SIZE;
- 			iovcnt			= 1;
-+			// ignore endianness for zeros
- //			continue;
- 		}
- 
--- a/net/asterisk-11.x/Makefile
+++ b/net/asterisk-11.x/Makefile
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=asterisk11
 PKG_VERSION:=11.22.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
@ -146,6 +146,20 @@ $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk11/install/module,$(1),$(m
 	$(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
 endef

+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+  echo
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 11 WARNING                                               |"
+  echo "o-------------------------------------------------------------------o"
+  echo "| Asterisk 11 is end-of-life. You should upgrade to Asterisk 13.    |"
+  echo "o-------------------------------------------------------------=^_^=-o"
+  echo
+fi
+exit 0
+endef
+
 define Package/asterisk11-sounds
 $(call Package/asterisk11/Default)
  TITLE:=Sounds support
--- a/net/asterisk-11.x/patches/054-AST-2016-007.patch
+++ b/net/asterisk-11.x/patches/054-AST-2016-007.patch
@ -0,0 +1,117 @@
+From a503e4879cab7e35069e5481e0864b64b55e223d Mon Sep 17 00:00:00 2001
+From: Corey Farrell <git@cfware.com>
+Date: Mon, 8 Aug 2016 08:47:12 -0400
+Subject: [PATCH] Prevent leak of dialog RTP/SRTP instances.
+
+In some scenarios dialog_initialize_rtp can be called multiple times on
+the same dialog.  This can cause RTP instances to be leaked along with
+multiple file descriptors for each instance.
+
+ASTERISK-26272 #close
+
+Change-Id: Id716c2b87762d890c062b42538524a95067018a8
+---
+ channels/chan_sip.c | 61 ++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 9eaed58..2c29c9e 100644
+--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
+@@ -5697,6 +5697,38 @@ static void copy_socket_data(struct sip_socket *to_sock, const struct sip_socket
+ 	*to_sock = *from_sock;
+ }
+ 
+/*! Cleanup the RTP and SRTP portions of a dialog
+ *
+ * \note This procedure excludes vsrtp as it is initialized differently.
+ */
+static void dialog_clean_rtp(struct sip_pvt *p)
+{
+	if (p->rtp) {
+		ast_rtp_instance_destroy(p->rtp);
+		p->rtp = NULL;
+	}
+
+	if (p->vrtp) {
+		ast_rtp_instance_destroy(p->vrtp);
+		p->vrtp = NULL;
+	}
+
+	if (p->trtp) {
+		ast_rtp_instance_destroy(p->trtp);
+		p->trtp = NULL;
+	}
+
+	if (p->srtp) {
+		sip_srtp_destroy(p->srtp);
+		p->srtp = NULL;
+	}
+
+	if (p->tsrtp) {
+		sip_srtp_destroy(p->tsrtp);
+		p->tsrtp = NULL;
+	}
+}
+
+ /*! \brief Initialize DTLS-SRTP support on an RTP instance */
+ static int dialog_initialize_dtls_srtp(const struct sip_pvt *dialog, struct ast_rtp_instance *rtp, struct sip_srtp **srtp)
+ {
+@@ -5744,6 +5776,9 @@ static int dialog_initialize_rtp(struct sip_pvt *dialog)
+ 		return 0;
+ 	}
+ 
+	/* Make sure previous RTP instances/FD's do not leak */
+	dialog_clean_rtp(dialog);
+
+ 	ast_sockaddr_copy(&bindaddr_tmp, &bindaddr);
+ 	if (!(dialog->rtp = ast_rtp_instance_new(dialog->engine, sched, &bindaddr_tmp, NULL))) {
+ 		return -1;
+@@ -6408,18 +6443,10 @@ static void sip_pvt_dtor(void *vdoomed)
+ 		ast_free(p->notify);
+ 		p->notify = NULL;
+ 	}
+-	if (p->rtp) {
+-		ast_rtp_instance_destroy(p->rtp);
+-		p->rtp = NULL;
+-	}
+-	if (p->vrtp) {
+-		ast_rtp_instance_destroy(p->vrtp);
+-		p->vrtp = NULL;
+-	}
+-	if (p->trtp) {
+-		ast_rtp_instance_destroy(p->trtp);
+-		p->trtp = NULL;
+-	}
+
+	/* Free RTP and SRTP instances */
+	dialog_clean_rtp(p);
+
+ 	if (p->udptl) {
+ 		ast_udptl_destroy(p->udptl);
+ 		p->udptl = NULL;
+@@ -6455,21 +6482,11 @@ static void sip_pvt_dtor(void *vdoomed)
+ 
+ 	destroy_msg_headers(p);
+ 
+-	if (p->srtp) {
+-		sip_srtp_destroy(p->srtp);
+-		p->srtp = NULL;
+-	}
+-
+ 	if (p->vsrtp) {
+ 		sip_srtp_destroy(p->vsrtp);
+ 		p->vsrtp = NULL;
+ 	}
+ 
+-	if (p->tsrtp) {
+-		sip_srtp_destroy(p->tsrtp);
+-		p->tsrtp = NULL;
+-	}
+-
+ 	if (p->directmediaacl) {
+ 		p->directmediaacl = ast_free_acl_list(p->directmediaacl);
+ 	}
+-- 
+2.5.5
+
--- a/net/asterisk-11.x/patches/055-AST-2016-009-11.diff
+++ b/net/asterisk-11.x/patches/055-AST-2016-009-11.diff
@ -0,0 +1,27 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 556db57..9c74acb 100644
+--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
+@@ -8132,8 +8132,6 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+ 	 * one afterwards.  If you shouldn't do it, what absolute idiot decided it was
+ 	 * a good idea to say you can do it, and if you can do it, why in the hell would.
+ 	 * you say you shouldn't.
+-	 * Anyways, pedanticsipchecking controls whether we allow spaces before ':',
+-	 * and we always allow spaces after that for compatibility.
+ 	 */
+ 	const char *sname = find_alias(name, NULL);
+ 	int x, len = strlen(name), slen = (sname ? 1 : 0);
+@@ -8146,10 +8144,10 @@ static const char *__get_header(const struct sip_request *req, const char *name,
+ 		if (match || smatch) {
+ 			/* skip name */
+ 			const char *r = header + (match ? len : slen );
+-			if (sip_cfg.pedanticsipchecking) {
+-				r = ast_skip_blanks(r);
+			/* HCOLON has optional SP/HTAB; skip past those */
+			while (*r == ' ' || *r == '\t') {
+				++r;
+ 			}
+-
+ 			if (*r == ':') {
+ 				*start = x+1;
+ 				return ast_skip_blanks(r+1);
--- a/net/asterisk-11.x/patches/056-AST-2017-005-11.diff
+++ b/net/asterisk-11.x/patches/056-AST-2017-005-11.diff
@ -0,0 +1,195 @@
+From dc4c130439f053592b86f0b35c1fb219a0dc6587 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp@digium.com>
+Date: Mon, 22 May 2017 15:36:38 +0000
+Subject: [PATCH] res_rtp_asterisk: Only learn a new source in learn state.
+
+This change moves the logic which learns a new source address
+for RTP so it only occurs in the learning state. The learning
+state is entered on initial allocation of RTP or if we are
+told that the remote address for the media has changed. While
+in the learning state if we continue to receive media from
+the original source we restart the learning process. It is
+only once we receive a sufficient number of RTP packets from
+the new source that we will switch to it. Once this is done
+the closed state is entered where all packets that do not
+originate from the expected source are dropped.
+
+The learning process has also been improved to take into
+account the time between received packets so a flood of them
+while in the learning state does not cause media to be switched.
+
+Finally RTCP now drops packets which are not for the learned
+SSRC if strict RTP is enabled.
+
+ASTERISK-27013
+
+Change-Id: I56a96e993700906355e79bc880ad9d4ad3ab129c
+---
+
+diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
+index 4cdc750..4881171 100644
+--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
+@@ -201,6 +201,7 @@
+ struct rtp_learning_info {
+ 	int max_seq;	/*!< The highest sequence number received */
+ 	int packets;	/*!< The number of remaining packets before the source is accepted */
+	struct timeval received; /*!< The time of the last received packet */
+ };
+ 
+ #ifdef HAVE_OPENSSL_SRTP
+@@ -286,7 +287,6 @@
+ 	 * but these are in place to keep learning mode sequence values sealed from their normal counterparts.
+ 	 */
+ 	struct rtp_learning_info rtp_source_learn;	/* Learning mode track for the expected RTP source */
+-	struct rtp_learning_info alt_source_learn;	/* Learning mode tracking for a new RTP source after one has been chosen */
+ 
+ 	struct rtp_red *red;
+ 
+@@ -2357,6 +2357,7 @@
+ {
+ 	info->max_seq = seq - 1;
+ 	info->packets = learning_min_sequential;
+	memset(&info->received, 0, sizeof(info->received));
+ }
+ 
+ /*!
+@@ -2371,6 +2372,13 @@
+  */
+ static int rtp_learning_rtp_seq_update(struct rtp_learning_info *info, uint16_t seq)
+ {
+	if (!ast_tvzero(info->received) && ast_tvdiff_ms(ast_tvnow(), info->received) < 5) {
+		/* During the probation period the minimum amount of media we'll accept is
+		 * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
+		 */
+		return 1;
+	}
+
+ 	if (seq == info->max_seq + 1) {
+ 		/* packet is in sequence */
+ 		info->packets--;
+@@ -2379,6 +2387,7 @@
+ 		info->packets = learning_min_sequential - 1;
+ 	}
+ 	info->max_seq = seq;
+	info->received = ast_tvnow();
+ 
+ 	return (info->packets == 0);
+ }
+@@ -2540,7 +2549,6 @@
+ 	rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_LEARN : STRICT_RTP_OPEN);
+ 	if (strictrtp) {
+ 		rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+-		rtp_learning_seq_init(&rtp->alt_source_learn, (uint16_t)rtp->seqno);
+ 	}
+ 
+ 	/* Create a new socket for us to listen on and use */
+@@ -3910,16 +3918,6 @@
+ 
+ 	packetwords = res / 4;
+ 
+-	if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+-		/* Send to whoever sent to us */
+-		if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+-			ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+-			if (rtpdebug)
+-				ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+-					  ast_sockaddr_stringify(&rtp->rtcp->them));
+-		}
+-	}
+-
+ 	ast_debug(1, "Got RTCP report of %d bytes\n", res);
+ 
+ 	while (position < packetwords) {
+@@ -3939,6 +3937,24 @@
+ 			if (rtpdebug)
+ 				ast_debug(1, "RTCP Read too short\n");
+ 			return &ast_null_frame;
+		}
+
+		if ((rtp->strict_rtp_state != STRICT_RTP_OPEN) && (ntohl(rtcpheader[i + 1]) != rtp->themssrc)) {
+			/* Skip over this RTCP record as it does not contain the correct SSRC */
+			position += (length + 1);
+			ast_debug(1, "%p -- Received RTCP report from %s, dropping due to strict RTP protection. Received SSRC '%u' but expected '%u'\n",
+				rtp, ast_sockaddr_stringify(&addr), ntohl(rtcpheader[i + 1]), rtp->themssrc);
+			continue;
+		}
+
+		if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+			/* Send to whoever sent to us */
+			if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+				if (rtpdebug)
+					ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+						ast_sockaddr_stringify(&rtp->rtcp->them));
+			}
+ 		}
+ 
+ 		if (rtcp_debug_test_addr(&addr)) {
+@@ -4330,24 +4346,11 @@
+ 
+ 	/* If strict RTP protection is enabled see if we need to learn the remote address or if we need to drop the packet */
+ 	if (rtp->strict_rtp_state == STRICT_RTP_LEARN) {
+-		ast_debug(1, "%p -- Probation learning mode pass with source address %s\n", rtp, ast_sockaddr_stringify(&addr));
+-		/* For now, we always copy the address. */
+-		ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+-
+-		/* Send the rtp and the seqno from header to rtp_learning_rtp_seq_update to see whether we can exit or not*/
+-		if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+-			ast_debug(1, "%p -- Probation at seq %d with %d to go; discarding frame\n",
+-				rtp, rtp->rtp_source_learn.max_seq, rtp->rtp_source_learn.packets);
+-			return &ast_null_frame;
+-		}
+-
+-		ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+-		rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+-	}
+-	if (rtp->strict_rtp_state == STRICT_RTP_CLOSED) {
+ 		if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+-			/* Always reset the alternate learning source */
+-			rtp_learning_seq_init(&rtp->alt_source_learn, seqno);
+			/* We are learning a new address but have received traffic from the existing address,
+			 * accept it but reset the current learning for the new source so it only takes over
+			 * once sufficient traffic has been received. */
+			rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+ 		} else {
+ 			/* Hmm, not the strict address. Perhaps we're getting audio from the alternate? */
+ 			if (!ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+@@ -4359,15 +4362,21 @@
+ 				 * it, that means we've stopped getting RTP from the original source and we should
+ 				 * switch to it.
+ 				 */
+-				if (rtp_learning_rtp_seq_update(&rtp->alt_source_learn, seqno)) {
+				if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+ 					ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets\n",
+-							rtp, ast_sockaddr_stringify(&addr), rtp->alt_source_learn.packets);
+							rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+ 					return &ast_null_frame;
+ 				}
+-				ast_verb(4, "%p -- Switching RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+ 				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+ 			}
+
+			ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+			rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+ 		}
+	} else if (rtp->strict_rtp_state == STRICT_RTP_CLOSED && ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+		ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection.\n",
+			rtp, ast_sockaddr_stringify(&addr));
+		return &ast_null_frame;
+ 	}
+ 
+ 	/* If symmetric RTP is enabled see if the remote side is not what we expected and change where we are sending audio */
+@@ -4762,7 +4771,11 @@
+ 
+ 	rtp->rxseqno = 0;
+ 
+-	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN) {
+	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN && !ast_sockaddr_isnull(addr) &&
+		ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
+		/* We only need to learn a new strict source address if we've been told the source is
+		 * changing to something different.
+		 */
+ 		rtp->strict_rtp_state = STRICT_RTP_LEARN;
+ 		rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno);
+ 	}
--- a/net/asterisk-11.x/patches/057-AST-2017-006-11.diff
+++ b/net/asterisk-11.x/patches/057-AST-2017-006-11.diff
@ -0,0 +1,397 @@
+From 31676ce058596b57e10fbf83ff1817ca7907c3b1 Mon Sep 17 00:00:00 2001
+From: Corey Farrell <git@cfware.com>
+Date: Sat, 01 Jul 2017 20:24:27 -0400
+Subject: [PATCH] AST-2017-006: Fix app_minivm application MinivmNotify command injection
+
+An admin can configure app_minivm with an externnotify program to be run
+when a voicemail is received.  The app_minivm application MinivmNotify
+uses ast_safe_system() for this purpose which is vulnerable to command
+injection since the Caller-ID name and number values given to externnotify
+can come from an external untrusted source.
+
+* Add ast_safe_execvp() function.  This gives modules the ability to run
+external commands with greater safety compared to ast_safe_system().
+Specifically when some parameters are filled by untrusted sources the new
+function does not allow malicious input to break argument encoding.  This
+may be of particular concern where CALLERID(name) or CALLERID(num) may be
+used as a parameter to a script run by ast_safe_system() which could
+potentially allow arbitrary command execution.
+
+* Changed app_minivm.c:run_externnotify() to use the new ast_safe_execvp()
+instead of ast_safe_system() to avoid command injection.
+
+* Document code injection potential from untrusted data sources for other
+shell commands that are under user control.
+
+ASTERISK-27103
+
+Change-Id: I7552472247a84cde24e1358aaf64af160107aef1
+---
+
+diff --git a/README-SERIOUSLY.bestpractices.txt b/README-SERIOUSLY.bestpractices.txt
+index 281d0d3..d63f1df 100644
+--- a/README-SERIOUSLY.bestpractices.txt
+++ b/README-SERIOUSLY.bestpractices.txt
+@@ -94,6 +94,13 @@
+ ways in which you can mitigate this impact: stricter pattern matching, or using
+ the FILTER() dialplan function.
+ 
+The CALLERID(num) and CALLERID(name) values are other commonly used values that
+are sources of data potentially supplied by outside sources.  If you use these
+values as parameters to the System(), MixMonitor(), or Monitor() applications
+or the SHELL() dialplan function, you can allow injection of arbitrary operating
+system command execution.  The FILTER() dialplan function is available to remove
+dangerous characters from untrusted strings to block the command injection.
+
+ Strict Pattern Matching
+ -----------------------
+ 
+diff --git a/apps/app_minivm.c b/apps/app_minivm.c
+index ecdf9c6..8edc132 100644
+--- a/apps/app_minivm.c
+++ b/apps/app_minivm.c
+@@ -1741,21 +1741,35 @@
+ /*! \brief Run external notification for voicemail message */
+ static void run_externnotify(struct ast_channel *chan, struct minivm_account *vmu)
+ {
+-	char arguments[BUFSIZ];
+	char fquser[AST_MAX_CONTEXT * 2];
+	char *argv[5] = { NULL };
+	struct ast_party_caller *caller;
+	char *cid;
+	int idx;
+ 
+-	if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify))
+	if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify)) {
+ 		return;
+	}
+ 
+-	snprintf(arguments, sizeof(arguments), "%s %s@%s %s %s&", 
+-		ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify, 
+-		vmu->username, vmu->domain,
+-		(ast_channel_caller(chan)->id.name.valid && ast_channel_caller(chan)->id.name.str)
+-			? ast_channel_caller(chan)->id.name.str : "",
+-		(ast_channel_caller(chan)->id.number.valid && ast_channel_caller(chan)->id.number.str)
+-			? ast_channel_caller(chan)->id.number.str : "");
+	snprintf(fquser, sizeof(fquser), "%s@%s", vmu->username, vmu->domain);
+ 
+-	ast_debug(1, "Executing: %s\n", arguments);
+-	ast_safe_system(arguments);
+	caller = ast_channel_caller(chan);
+	idx = 0;
+	argv[idx++] = ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify;
+	argv[idx++] = fquser;
+	cid = S_COR(caller->id.name.valid, caller->id.name.str, NULL);
+	if (cid) {
+		argv[idx++] = cid;
+	}
+	cid = S_COR(caller->id.number.valid, caller->id.number.str, NULL);
+	if (cid) {
+		argv[idx++] = cid;
+	}
+	argv[idx] = NULL;
+
+	ast_debug(1, "Executing: %s %s %s %s\n",
+		argv[0], argv[1], argv[2] ?: "", argv[3] ?: "");
+	ast_safe_execvp(1, argv[0], argv);
+ }
+ 
+ /*!\internal
+diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c
+index 89a1d8c..96adb9a 100644
+--- a/apps/app_mixmonitor.c
+++ b/apps/app_mixmonitor.c
+@@ -127,6 +127,11 @@
+ 				<para>Will be executed when the recording is over.</para>
+ 				<para>Any strings matching <literal>^{X}</literal> will be unescaped to <variable>X</variable>.</para>
+ 				<para>All variables will be evaluated at the time MixMonitor is called.</para>
+				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
+				risk a command injection attack executing arbitrary commands if the untrusted
+				strings aren't filtered to remove dangerous characters.  See function
+				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+@@ -143,6 +148,11 @@
+ 					<para>Will contain the filename used to record.</para>
+ 				</variable>
+ 			</variablelist>
+			<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+			or <variable>CALLERID(name)</variable> as part of ANY of the application's
+			parameters.  You risk a command injection attack executing arbitrary commands
+			if the untrusted strings aren't filtered to remove dangerous characters.  See
+			function <variable>FILTER()</variable>.</para></warning>
+ 		</description>
+ 		<see-also>
+ 			<ref type="application">Monitor</ref>
+diff --git a/apps/app_system.c b/apps/app_system.c
+index 7fe453d..e868a07 100644
+--- a/apps/app_system.c
+++ b/apps/app_system.c
+@@ -48,6 +48,11 @@
+ 		<syntax>
+ 			<parameter name="command" required="true">
+ 				<para>Command to execute</para>
+				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
+				risk a command injection attack executing arbitrary commands if the untrusted
+				strings aren't filtered to remove dangerous characters.  See function
+				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+@@ -73,6 +78,11 @@
+ 		<syntax>
+ 			<parameter name="command" required="true">
+ 				<para>Command to execute</para>
+				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
+				risk a command injection attack executing arbitrary commands if the untrusted
+				strings aren't filtered to remove dangerous characters.  See function
+				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+diff --git a/configs/minivm.conf.sample b/configs/minivm.conf.sample
+index 55a39c8..3dcd59d 100644
+--- a/configs/minivm.conf.sample
+++ b/configs/minivm.conf.sample
+@@ -51,7 +51,7 @@
+ ; If you need to have an external program, i.e. /usr/bin/myapp called when a
+ ; voicemail is received by the server. The arguments are
+ ;
+-; 	<app> <username@domain> <callerid-number> <callerid-name>
+; 	<app> <username@domain> <callerid-name> <callerid-number>
+ ;
+ ;externnotify=/usr/bin/myapp
+ ; The character set for voicemail messages can be specified here
+diff --git a/funcs/func_shell.c b/funcs/func_shell.c
+index e403efc..79b7f99 100644
+--- a/funcs/func_shell.c
+++ b/funcs/func_shell.c
+@@ -84,6 +84,11 @@
+ 		<syntax>
+ 			<parameter name="command" required="true">
+ 				<para>The command that the shell should execute.</para>
+				<warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+				or <variable>CALLERID(name)</variable> as part of the command parameters.  You
+				risk a command injection attack executing arbitrary commands if the untrusted
+				strings aren't filtered to remove dangerous characters.  See function
+				<variable>FILTER()</variable>.</para></warning>
+ 			</parameter>
+ 		</syntax>
+ 		<description>
+diff --git a/include/asterisk/app.h b/include/asterisk/app.h
+index d10a0a6..8cdaea1 100644
+--- a/include/asterisk/app.h
+++ b/include/asterisk/app.h
+@@ -577,9 +577,34 @@
+ int ast_vm_test_create_user(const char *context, const char *mailbox);
+ #endif
+ 
+-/*! \brief Safely spawn an external program while closing file descriptors
+-	\note This replaces the \b system call in all Asterisk modules
+-*/
+/*!
+ * \brief Safely spawn an external program while closing file descriptors
+ *
+ * \note This replaces the \b execvp call in all Asterisk modules
+ *
+ * \param dualfork Non-zero to simulate running the program in the
+ * background by forking twice.  The option provides similar
+ * functionality to the '&' in the OS shell command "cmd &".  The
+ * option allows Asterisk to run a reaper loop to watch the first fork
+ * which immediately exits after spaning the second fork.  The actual
+ * program is run in the second fork.
+ * \param file execvp(file, argv) file parameter
+ * \param argv execvp(file, argv) argv parameter
+ */
+int ast_safe_execvp(int dualfork, const char *file, char *const argv[]);
+
+/*!
+ * \brief Safely spawn an OS shell command while closing file descriptors
+ *
+ * \note This replaces the \b system call in all Asterisk modules
+ *
+ * \param s - OS shell command string to execute.
+ *
+ * \warning Command injection can happen using this call if the passed
+ * in string is created using untrusted data from an external source.
+ * It is best not to use untrusted data.  However, the caller could
+ * filter out dangerous characters to avoid command injection.
+ */
+ int ast_safe_system(const char *s);
+ 
+ /*!
+diff --git a/main/asterisk.c b/main/asterisk.c
+index ce1d153..92256bd 100644
+--- a/main/asterisk.c
+++ b/main/asterisk.c
+@@ -1102,12 +1102,10 @@
+ 	ast_mutex_unlock(&safe_system_lock);
+ }
+ 
+-int ast_safe_system(const char *s)
+/*! \brief fork and perform other preparations for spawning applications */
+static pid_t safe_exec_prep(int dualfork)
+ {
+ 	pid_t pid;
+-	int res;
+-	struct rusage rusage;
+-	int status;
+ 
+ #if defined(HAVE_WORKING_FORK) || defined(HAVE_WORKING_VFORK)
+ 	ast_replace_sigchld();
+@@ -1129,35 +1127,102 @@
+ 		cap_free(cap);
+ #endif
+ #ifdef HAVE_WORKING_FORK
+-		if (ast_opt_high_priority)
+		if (ast_opt_high_priority) {
+ 			ast_set_priority(0);
+		}
+ 		/* Close file descriptors and launch system command */
+ 		ast_close_fds_above_n(STDERR_FILENO);
+ #endif
+-		execl("/bin/sh", "/bin/sh", "-c", s, (char *) NULL);
+-		_exit(1);
+-	} else if (pid > 0) {
+		if (dualfork) {
+#ifdef HAVE_WORKING_FORK
+			pid = fork();
+#else
+			pid = vfork();
+#endif
+			if (pid < 0) {
+				/* Second fork failed. */
+				/* No logger available. */
+				_exit(1);
+			}
+
+			if (pid > 0) {
+				/* This is the first fork, exit so the reaper finishes right away. */
+				_exit(0);
+			}
+
+			/* This is the second fork.  The first fork will exit immediately so
+			 * Asterisk doesn't have to wait for completion.
+			 * ast_safe_system("cmd &") would run in the background, but the '&'
+			 * cannot be added with ast_safe_execvp, so we have to double fork.
+			 */
+		}
+	}
+
+	if (pid < 0) {
+		ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(errno));
+	}
+#else
+	ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(ENOTSUP));
+	pid = -1;
+#endif
+
+	return pid;
+}
+
+/*! \brief wait for spawned application to complete and unreplace sigchld */
+static int safe_exec_wait(pid_t pid)
+{
+	int res = -1;
+
+#if defined(HAVE_WORKING_FORK) || defined(HAVE_WORKING_VFORK)
+	if (pid > 0) {
+ 		for (;;) {
+			struct rusage rusage;
+			int status;
+
+ 			res = wait4(pid, &status, 0, &rusage);
+ 			if (res > -1) {
+ 				res = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
+ 				break;
+-			} else if (errno != EINTR)
+			}
+			if (errno != EINTR) {
+ 				break;
+			}
+ 		}
+-	} else {
+-		ast_log(LOG_WARNING, "Fork failed: %s\n", strerror(errno));
+-		res = -1;
+ 	}
+ 
+ 	ast_unreplace_sigchld();
+-#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */
+-	res = -1;
+ #endif
+ 
+ 	return res;
+ }
+ 
+int ast_safe_execvp(int dualfork, const char *file, char *const argv[])
+{
+	pid_t pid = safe_exec_prep(dualfork);
+
+	if (pid == 0) {
+		execvp(file, argv);
+		_exit(1);
+		/* noreturn from _exit */
+	}
+
+	return safe_exec_wait(pid);
+}
+
+int ast_safe_system(const char *s)
+{
+	pid_t pid = safe_exec_prep(0);
+
+	if (pid == 0) {
+		execl("/bin/sh", "/bin/sh", "-c", s, (char *) NULL);
+		_exit(1);
+		/* noreturn from _exit */
+	}
+
+	return safe_exec_wait(pid);
+}
+
+ /*!
+  * \brief enable or disable a logging level to a specified console
+  */
+diff --git a/res/res_monitor.c b/res/res_monitor.c
+index 76c43e1..12f478a 100644
+--- a/res/res_monitor.c
+++ b/res/res_monitor.c
+@@ -57,17 +57,17 @@
+ 		<syntax>
+ 			<parameter name="file_format" argsep=":">
+ 				<argument name="file_format" required="true">
+-					<para>optional, if not set, defaults to <literal>wav</literal></para>
+					<para>Optional.  If not set, defaults to <literal>wav</literal></para>
+ 				</argument>
+ 				<argument name="urlbase" />
+ 			</parameter>
+ 			<parameter name="fname_base">
+-				<para>if set, changes the filename used to the one specified.</para>
+				<para>If set, changes the filename used to the one specified.</para>
+ 			</parameter>
+ 			<parameter name="options">
+ 				<optionlist>
+ 					<option name="m">
+-						<para>when the recording ends mix the two leg files into one and
+						<para>When the recording ends mix the two leg files into one and
+ 						delete the two leg files. If the variable <variable>MONITOR_EXEC</variable>
+ 						is set, the application referenced in it will be executed instead of
+ 						soxmix/sox and the raw leg files will NOT be deleted automatically.
+@@ -78,6 +78,13 @@
+ 						will be passed on as additional arguments to <variable>MONITOR_EXEC</variable>.
+ 						Both <variable>MONITOR_EXEC</variable> and the Mix flag can be set from the
+ 						administrator interface.</para>
+						<warning><para>Do not use untrusted strings such as
+						<variable>CALLERID(num)</variable> or <variable>CALLERID(name)</variable>
+						as part of <variable>MONITOR_EXEC</variable> or
+						<variable>MONITOR_EXEC_ARGS</variable>.  You risk a command injection
+						attack executing arbitrary commands if the untrusted strings aren't
+						filtered to remove dangerous characters.  See function
+						<variable>FILTER()</variable>.</para></warning>
+ 					</option>
+ 					<option name="b">
+ 						<para>Don't begin recording unless a call is bridged to another channel.</para>
--- a/net/asterisk-11.x/patches/058-AST-2017-008-11.diff
+++ b/net/asterisk-11.x/patches/058-AST-2017-008-11.diff
@ -0,0 +1,778 @@
+From fe2ba2f3ca60d33bc789c6ae8e03ee26dc1b637c Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Wed, 13 Sep 2017 12:07:42 -0500
+Subject: [PATCH] AST-2017-008: Improve RTP and RTCP packet processing.
+
+Validate RTCP packets before processing them.
+
+* Validate that the received packet is of a minimum length and apply the
+RFC3550 RTCP packet validation checks.
+
+* Fixed potentially reading garbage beyond the received RTCP record data.
+
+* Fixed rtp->themssrc only being set once when the remote could change
+the SSRC.  We would effectively stop handling the RTCP statistic records.
+
+* Fixed rtp->themssrc to not treat a zero value as special by adding
+rtp->themssrc_valid to indicate if rtp->themssrc is available.
+
+ASTERISK-27274
+
+Make strict RTP learning more flexible.
+
+Direct media can cause strict RTP to attempt to learn a remote address
+again before it has had a chance to learn the remote address the first
+time.  Because of the rapid relearn requests, strict RTP could latch onto
+the first remote address and fail to latch onto the direct media remote
+address.  As a result, you have one way audio until the call is placed on
+and off hold.
+
+The new algorithm learns remote addresses for a set time (1.5 seconds)
+before locking the remote address.  In addition, we must see a configured
+number of remote packets from the same address in a row before switching.
+
+* Fixed strict RTP learning from always accepting the first new address
+packet as the new stream.
+
+* Fixed strict RTP to initialize the expected sequence number with the
+last received sequence number instead of the last transmitted sequence
+number.
+
+* Fixed the predicted next sequence number calculation in
+rtp_learning_rtp_seq_update() to handle overflow.
+
+ASTERISK-27252
+
+Change-Id: Ia2d3aa6e0f22906c25971e74f10027d96525f31c
+---
+
+diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
+index 4881171..7393d57 100644
+--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
+@@ -115,7 +115,9 @@
+ 	STRICT_RTP_CLOSED,   /*! Drop all RTP packets not coming from source that was learned */
+ };
+ 
+-#define DEFAULT_STRICT_RTP STRICT_RTP_CLOSED
+#define STRICT_RTP_LEARN_TIMEOUT	1500	/*!< milliseconds */
+
+#define DEFAULT_STRICT_RTP -1	/*!< Enabled */
+ #define DEFAULT_ICESUPPORT 1
+ 
+ extern struct ast_srtp_res *res_srtp;
+@@ -199,9 +201,11 @@
+ 
+ /*! \brief RTP learning mode tracking information */
+ struct rtp_learning_info {
+	struct ast_sockaddr proposed_address;	/*!< Proposed remote address for strict RTP */
+	struct timeval start;	/*!< The time learning mode was started */
+	struct timeval received; /*!< The time of the last received packet */
+ 	int max_seq;	/*!< The highest sequence number received */
+ 	int packets;	/*!< The number of remaining packets before the source is accepted */
+-	struct timeval received; /*!< The time of the last received packet */
+ };
+ 
+ #ifdef HAVE_OPENSSL_SRTP
+@@ -223,7 +227,7 @@
+ 	unsigned char rawdata[8192 + AST_FRIENDLY_OFFSET];
+ 	unsigned int ssrc;		/*!< Synchronization source, RFC 3550, page 10. */
+ 	unsigned int themssrc;		/*!< Their SSRC */
+-	unsigned int rxssrc;
+	unsigned int themssrc_valid;	/*!< True if their SSRC is available. */
+ 	unsigned int lastts;
+ 	unsigned int lastrxts;
+ 	unsigned int lastividtimestamp;
+@@ -1655,8 +1659,6 @@
+ #endif
+ };
+ 
+-static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq);
+-
+ #ifdef HAVE_OPENSSL_SRTP
+ static void dtls_perform_handshake(struct ast_rtp_instance *instance, struct dtls_details *dtls, int rtcp)
+ {
+@@ -1685,6 +1687,8 @@
+ #endif
+ 
+ #ifdef USE_PJPROJECT
+static void rtp_learning_start(struct ast_rtp *rtp);
+
+ static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status)
+ {
+ 	struct ast_rtp_instance *instance = ice->user_data;
+@@ -1721,8 +1725,8 @@
+ 		return;
+ 	}
+ 
+-	rtp->strict_rtp_state = STRICT_RTP_LEARN;
+-	rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+	ast_verb(4, "%p -- Strict RTP learning after ICE completion\n", rtp);
+	rtp_learning_start(rtp);
+ }
+ 
+ static void ast_rtp_on_ice_rx_data(pj_ice_sess *ice, unsigned comp_id, unsigned transport_id, void *pkt, pj_size_t size, const pj_sockaddr_t *src_addr, unsigned src_addr_len)
+@@ -2355,7 +2359,7 @@
+  */
+ static void rtp_learning_seq_init(struct rtp_learning_info *info, uint16_t seq)
+ {
+-	info->max_seq = seq - 1;
+	info->max_seq = seq;
+ 	info->packets = learning_min_sequential;
+ 	memset(&info->received, 0, sizeof(info->received));
+ }
+@@ -2372,14 +2376,17 @@
+  */
+ static int rtp_learning_rtp_seq_update(struct rtp_learning_info *info, uint16_t seq)
+ {
+	/*
+	 * During the learning mode the minimum amount of media we'll accept is
+	 * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
+	 */
+ 	if (!ast_tvzero(info->received) && ast_tvdiff_ms(ast_tvnow(), info->received) < 5) {
+-		/* During the probation period the minimum amount of media we'll accept is
+-		 * 10ms so give a reasonable 5ms buffer just in case we get it sporadically.
+		/*
+		 * Reject a flood of packets as acceptable for learning.
+		 * Reset the needed packets.
+ 		 */
+-		return 1;
+-	}
+-
+-	if (seq == info->max_seq + 1) {
+		info->packets = learning_min_sequential - 1;
+	} else if (seq == (uint16_t) (info->max_seq + 1)) {
+ 		/* packet is in sequence */
+ 		info->packets--;
+ 	} else {
+@@ -2389,7 +2396,23 @@
+ 	info->max_seq = seq;
+ 	info->received = ast_tvnow();
+ 
+-	return (info->packets == 0);
+	return info->packets;
+}
+
+/*!
+ * \brief Start the strictrtp learning mode.
+ *
+ * \param rtp RTP session description
+ *
+ * \return Nothing
+ */
+static void rtp_learning_start(struct ast_rtp *rtp)
+{
+	rtp->strict_rtp_state = STRICT_RTP_LEARN;
+	memset(&rtp->rtp_source_learn.proposed_address, 0,
+		sizeof(rtp->rtp_source_learn.proposed_address));
+	rtp->rtp_source_learn.start = ast_tvnow();
+	rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t) rtp->lastrxseqno);
+ }
+ 
+ #ifdef USE_PJPROJECT
+@@ -2546,10 +2569,7 @@
+ 	/* Set default parameters on the newly created RTP structure */
+ 	rtp->ssrc = ast_random();
+ 	rtp->seqno = ast_random() & 0xffff;
+-	rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_LEARN : STRICT_RTP_OPEN);
+-	if (strictrtp) {
+-		rtp_learning_seq_init(&rtp->rtp_source_learn, (uint16_t)rtp->seqno);
+-	}
+	rtp->strict_rtp_state = (strictrtp ? STRICT_RTP_CLOSED : STRICT_RTP_OPEN);
+ 
+ 	/* Create a new socket for us to listen on and use */
+ 	if ((rtp->s =
+@@ -3867,13 +3887,86 @@
+ 	return &rtp->f;
+ }
+ 
+static const char *rtcp_payload_type2str(unsigned int pt)
+{
+	const char *str;
+
+	switch (pt) {
+	case RTCP_PT_SR:
+		str = "Sender Report";
+		break;
+	case RTCP_PT_RR:
+		str = "Receiver Report";
+		break;
+	case RTCP_PT_FUR:
+		/* Full INTRA-frame Request / Fast Update Request */
+		str = "H.261 FUR";
+		break;
+	case RTCP_PT_SDES:
+		str = "Source Description";
+		break;
+	case RTCP_PT_BYE:
+		str = "BYE";
+		break;
+	default:
+		str = "Unknown";
+		break;
+	}
+	return str;
+}
+
+/*
+ * Unshifted RTCP header bit field masks
+ */
+#define RTCP_LENGTH_MASK			0xFFFF
+#define RTCP_PAYLOAD_TYPE_MASK		0xFF
+#define RTCP_REPORT_COUNT_MASK		0x1F
+#define RTCP_PADDING_MASK			0x01
+#define RTCP_VERSION_MASK			0x03
+
+/*
+ * RTCP header bit field shift offsets
+ */
+#define RTCP_LENGTH_SHIFT			0
+#define RTCP_PAYLOAD_TYPE_SHIFT		16
+#define RTCP_REPORT_COUNT_SHIFT		24
+#define RTCP_PADDING_SHIFT			29
+#define RTCP_VERSION_SHIFT			30
+
+#define RTCP_VERSION				2U
+#define RTCP_VERSION_SHIFTED		(RTCP_VERSION << RTCP_VERSION_SHIFT)
+#define RTCP_VERSION_MASK_SHIFTED	(RTCP_VERSION_MASK << RTCP_VERSION_SHIFT)
+
+/*
+ * RTCP first packet record validity header mask and value.
+ *
+ * RFC3550 intentionally defines the encoding of RTCP_PT_SR and RTCP_PT_RR
+ * such that they differ in the least significant bit.  Either of these two
+ * payload types MUST be the first RTCP packet record in a compound packet.
+ *
+ * RFC3550 checks the padding bit in the algorithm they use to check the
+ * RTCP packet for validity.  However, we aren't masking the padding bit
+ * to check since we don't know if it is a compound RTCP packet or not.
+ */
+#define RTCP_VALID_MASK (RTCP_VERSION_MASK_SHIFTED | (((RTCP_PAYLOAD_TYPE_MASK & ~0x1)) << RTCP_PAYLOAD_TYPE_SHIFT))
+#define RTCP_VALID_VALUE (RTCP_VERSION_SHIFTED | (RTCP_PT_SR << RTCP_PAYLOAD_TYPE_SHIFT))
+
+#define RTCP_SR_BLOCK_WORD_LENGTH 5
+#define RTCP_RR_BLOCK_WORD_LENGTH 6
+#define RTCP_HEADER_SSRC_LENGTH   2
+
+ static struct ast_frame *ast_rtcp_read(struct ast_rtp_instance *instance)
+ {
+ 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
+ 	struct ast_sockaddr addr;
+ 	unsigned char rtcpdata[8192 + AST_FRIENDLY_OFFSET];
+ 	unsigned int *rtcpheader = (unsigned int *)(rtcpdata + AST_FRIENDLY_OFFSET);
+-	int res, packetwords, position = 0;
+	int res;
+	unsigned int packetwords;
+	unsigned int position;
+	unsigned int first_word;
+	/*! True if we have seen an acceptable SSRC to learn the remote RTCP address */
+	unsigned int ssrc_seen;
+ 	struct ast_frame *f = &ast_null_frame;
+ 
+ 	/* Read in RTCP data from the socket */
+@@ -3918,56 +4011,170 @@
+ 
+ 	packetwords = res / 4;
+ 
+-	ast_debug(1, "Got RTCP report of %d bytes\n", res);
+	ast_debug(1, "Got RTCP report of %d bytes from %s\n",
+		res, ast_sockaddr_stringify(&addr));
+ 
+	/*
+	 * Validate the RTCP packet according to an adapted and slightly
+	 * modified RFC3550 validation algorithm.
+	 */
+	if (packetwords < RTCP_HEADER_SSRC_LENGTH) {
+		ast_debug(1, "%p -- RTCP from %s: Frame size (%u words) is too short\n",
+			rtp, ast_sockaddr_stringify(&addr), packetwords);
+		return &ast_null_frame;
+	}
+	position = 0;
+	first_word = ntohl(rtcpheader[position]);
+	if ((first_word & RTCP_VALID_MASK) != RTCP_VALID_VALUE) {
+		ast_debug(1, "%p -- RTCP from %s: Failed first packet validity check\n",
+			rtp, ast_sockaddr_stringify(&addr));
+		return &ast_null_frame;
+	}
+	do {
+		position += ((first_word >> RTCP_LENGTH_SHIFT) & RTCP_LENGTH_MASK) + 1;
+		if (packetwords <= position) {
+			break;
+		}
+		first_word = ntohl(rtcpheader[position]);
+	} while ((first_word & RTCP_VERSION_MASK_SHIFTED) == RTCP_VERSION_SHIFTED);
+	if (position != packetwords) {
+		ast_debug(1, "%p -- RTCP from %s: Failed packet version or length check\n",
+			rtp, ast_sockaddr_stringify(&addr));
+		return &ast_null_frame;
+	}
+
+	/*
+	 * Note: RFC3605 points out that true NAT (vs NAPT) can cause RTCP
+	 * to have a different IP address and port than RTP.  Otherwise, when
+	 * strictrtp is enabled we could reject RTCP packets not coming from
+	 * the learned RTP IP address if it is available.
+	 */
+
+	/*
+	 * strictrtp safety needs SSRC to match before we use the
+	 * sender's address for symmetrical RTP to send our RTCP
+	 * reports.
+	 *
+	 * If strictrtp is not enabled then claim to have already seen
+	 * a matching SSRC so we'll accept this packet's address for
+	 * symmetrical RTP.
+	 */
+	ssrc_seen = rtp->strict_rtp_state == STRICT_RTP_OPEN;
+
+	position = 0;
+ 	while (position < packetwords) {
+-		int i, pt, rc;
+-		unsigned int length, dlsr, lsr, msw, lsw, comp;
+		unsigned int i;
+		unsigned int pt;
+		unsigned int rc;
+		unsigned int ssrc;
+		/*! True if the ssrc value we have is valid and not garbage because it doesn't exist. */
+		unsigned int ssrc_valid;
+		unsigned int length;
+		unsigned int min_length;
+		unsigned int dlsr, lsr, msw, lsw, comp;
+ 		struct timeval now;
+ 		double rttsec, reported_jitter, reported_normdev_jitter_current, normdevrtt_current, reported_lost, reported_normdev_lost_current;
+ 		uint64_t rtt = 0;
+ 
+ 		i = position;
+-		length = ntohl(rtcpheader[i]);
+-		pt = (length & 0xff0000) >> 16;
+-		rc = (length & 0x1f000000) >> 24;
+-		length &= 0xffff;
+		first_word = ntohl(rtcpheader[i]);
+		pt = (first_word >> RTCP_PAYLOAD_TYPE_SHIFT) & RTCP_PAYLOAD_TYPE_MASK;
+		rc = (first_word >> RTCP_REPORT_COUNT_SHIFT) & RTCP_REPORT_COUNT_MASK;
+		/* RFC3550 says 'length' is the number of words in the packet - 1 */
+		length = ((first_word >> RTCP_LENGTH_SHIFT) & RTCP_LENGTH_MASK) + 1;
+ 
+-		if ((i + length) > packetwords) {
+-			if (rtpdebug)
+-				ast_debug(1, "RTCP Read too short\n");
+		/* Check expected RTCP packet record length */
+		min_length = RTCP_HEADER_SSRC_LENGTH;
+		switch (pt) {
+		case RTCP_PT_SR:
+			min_length += RTCP_SR_BLOCK_WORD_LENGTH;
+			/* fall through */
+		case RTCP_PT_RR:
+			min_length += (rc * RTCP_RR_BLOCK_WORD_LENGTH);
+			break;
+		case RTCP_PT_FUR:
+			break;
+		case RTCP_PT_SDES:
+		case RTCP_PT_BYE:
+			/*
+			 * There may not be a SSRC/CSRC present.  The packet is
+			 * useless but still valid if it isn't present.
+			 *
+			 * We don't know what min_length should be so disable the check
+			 */
+			min_length = length;
+			break;
+		default:
+			ast_debug(1, "%p -- RTCP from %s: %u(%s) skipping record\n",
+				rtp, ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt));
+			if (rtcp_debug_test_addr(&addr)) {
+				ast_verbose("\n");
+				ast_verbose("RTCP from %s: %u(%s) skipping record\n",
+					ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt));
+			}
+			position += length;
+			continue;
+		}
+		if (length < min_length) {
+			ast_debug(1, "%p -- RTCP from %s: %u(%s) length field less than expected minimum.  Min:%u Got:%u\n",
+				rtp, ast_sockaddr_stringify(&addr), pt, rtcp_payload_type2str(pt),
+				min_length - 1, length - 1);
+ 			return &ast_null_frame;
+ 		}
+ 
+-		if ((rtp->strict_rtp_state != STRICT_RTP_OPEN) && (ntohl(rtcpheader[i + 1]) != rtp->themssrc)) {
+-			/* Skip over this RTCP record as it does not contain the correct SSRC */
+-			position += (length + 1);
+-			ast_debug(1, "%p -- Received RTCP report from %s, dropping due to strict RTP protection. Received SSRC '%u' but expected '%u'\n",
+-				rtp, ast_sockaddr_stringify(&addr), ntohl(rtcpheader[i + 1]), rtp->themssrc);
+-			continue;
+-		}
+-
+-		if (ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+-			/* Send to whoever sent to us */
+-			if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+-				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+-				if (rtpdebug)
+-					ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+-						ast_sockaddr_stringify(&rtp->rtcp->them));
+-			}
+		/* Get the RTCP record SSRC if defined for the record */
+		ssrc_valid = 1;
+		switch (pt) {
+		case RTCP_PT_SR:
+		case RTCP_PT_RR:
+		case RTCP_PT_FUR:
+			ssrc = ntohl(rtcpheader[i + 1]);
+			break;
+		case RTCP_PT_SDES:
+		case RTCP_PT_BYE:
+		default:
+			ssrc = 0;
+			ssrc_valid = 0;
+			break;
+ 		}
+ 
+ 		if (rtcp_debug_test_addr(&addr)) {
+-			ast_verbose("\n\nGot RTCP from %s\n",
+-				    ast_sockaddr_stringify(&addr));
+-			ast_verbose("PT: %d(%s)\n", pt, (pt == 200) ? "Sender Report" : (pt == 201) ? "Receiver Report" : (pt == 192) ? "H.261 FUR" : "Unknown");
+-			ast_verbose("Reception reports: %d\n", rc);
+-			ast_verbose("SSRC of sender: %u\n", rtcpheader[i + 1]);
+			ast_verbose("\n");
+			ast_verbose("RTCP from %s\n", ast_sockaddr_stringify(&addr));
+			ast_verbose("PT: %u(%s)\n", pt, rtcp_payload_type2str(pt));
+			ast_verbose("Reception reports: %u\n", rc);
+			ast_verbose("SSRC of sender: %u\n", ssrc);
+ 		}
+ 
+-		i += 2; /* Advance past header and ssrc */
+		if (ssrc_valid && rtp->themssrc_valid) {
+			if (ssrc != rtp->themssrc) {
+				/*
+				 * Skip over this RTCP record as it does not contain the
+				 * correct SSRC.  We should not act upon RTCP records
+				 * for a different stream.
+				 */
+				position += length;
+				ast_debug(1, "%p -- RTCP from %s: Skipping record, received SSRC '%u' != expected '%u'\n",
+					rtp, ast_sockaddr_stringify(&addr), ssrc, rtp->themssrc);
+				continue;
+			}
+			ssrc_seen = 1;
+		}
+
+		if (ssrc_seen && ast_rtp_instance_get_prop(instance, AST_RTP_PROPERTY_NAT)) {
+			/* Send to whoever sent to us */
+			if (ast_sockaddr_cmp(&rtp->rtcp->them, &addr)) {
+				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
+				if (rtpdebug) {
+					ast_debug(0, "RTCP NAT: Got RTCP from other end. Now sending to address %s\n",
+						ast_sockaddr_stringify(&addr));
+				}
+			}
+		}
+
+		i += RTCP_HEADER_SSRC_LENGTH; /* Advance past header and ssrc */
+ 		if (rc == 0 && pt == RTCP_PT_RR) {      /* We're receiving a receiver report with no reports, which is ok */
+-			position += (length + 1);
+			position += length;
+ 			continue;
+ 		}
+ 
+@@ -3983,7 +4190,7 @@
+ 				ast_verbose("RTP timestamp: %lu\n", (unsigned long) ntohl(rtcpheader[i + 2]));
+ 				ast_verbose("SPC: %lu\tSOC: %lu\n", (unsigned long) ntohl(rtcpheader[i + 3]), (unsigned long) ntohl(rtcpheader[i + 4]));
+ 			}
+-			i += 5;
+			i += RTCP_SR_BLOCK_WORD_LENGTH;
+ 			if (rc < 1)
+ 				break;
+ 			/* Intentional fall through */
+@@ -4153,21 +4360,18 @@
+ 		case RTCP_PT_SDES:
+ 			if (rtcp_debug_test_addr(&addr))
+ 				ast_verbose("Received an SDES from %s\n",
+-					    ast_sockaddr_stringify(&rtp->rtcp->them));
+					ast_sockaddr_stringify(&addr));
+ 			break;
+ 		case RTCP_PT_BYE:
+ 			if (rtcp_debug_test_addr(&addr))
+ 				ast_verbose("Received a BYE from %s\n",
+-					    ast_sockaddr_stringify(&rtp->rtcp->them));
+					ast_sockaddr_stringify(&addr));
+ 			break;
+ 		default:
+-			ast_debug(1, "Unknown RTCP packet (pt=%d) received from %s\n",
+-				  pt, ast_sockaddr_stringify(&rtp->rtcp->them));
+ 			break;
+ 		}
+-		position += (length + 1);
+		position += length;
+ 	}
+-
+ 	rtp->rtcp->rtcp_info = 1;
+ 
+ 	return f;
+@@ -4344,39 +4548,156 @@
+ 		return &ast_null_frame;
+ 	}
+ 
+	/* If the version is not what we expected by this point then just drop the packet */
+	if (version != 2) {
+		return &ast_null_frame;
+	}
+
+ 	/* If strict RTP protection is enabled see if we need to learn the remote address or if we need to drop the packet */
+-	if (rtp->strict_rtp_state == STRICT_RTP_LEARN) {
+-		if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+-			/* We are learning a new address but have received traffic from the existing address,
+-			 * accept it but reset the current learning for the new source so it only takes over
+-			 * once sufficient traffic has been received. */
+-			rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+	switch (rtp->strict_rtp_state) {
+	case STRICT_RTP_LEARN:
+		/*
+		 * Scenario setup:
+		 * PartyA -- Ast1 -- Ast2 -- PartyB
+		 *
+		 * The learning timeout is necessary for Ast1 to handle the above
+		 * setup where PartyA calls PartyB and Ast2 initiates direct media
+		 * between Ast1 and PartyB.  Ast1 may lock onto the Ast2 stream and
+		 * never learn the PartyB stream when it starts.  The timeout makes
+		 * Ast1 stay in the learning state long enough to see and learn the
+		 * RTP stream from PartyB.
+		 *
+		 * To mitigate against attack, the learning state cannot switch
+		 * streams while there are competing streams.  The competing streams
+		 * interfere with each other's qualification.  Once we accept a
+		 * stream and reach the timeout, an attacker cannot interfere
+		 * anymore.
+		 *
+		 * Here are a few scenarios and each one assumes that the streams
+		 * are continuous:
+		 *
+		 * 1) We already have a known stream source address and the known
+		 * stream wants to change to a new source address.  An attacking
+		 * stream will block learning the new stream source.  After the
+		 * timeout we re-lock onto the original stream source address which
+		 * likely went away.  The result is one way audio.
+		 *
+		 * 2) We already have a known stream source address and the known
+		 * stream doesn't want to change source addresses.  An attacking
+		 * stream will not be able to replace the known stream.  After the
+		 * timeout we re-lock onto the known stream.  The call is not
+		 * affected.
+		 *
+		 * 3) We don't have a known stream source address.  This presumably
+		 * is the start of a call.  Competing streams will result in staying
+		 * in learning mode until a stream becomes the victor and we reach
+		 * the timeout.  We cannot exit learning if we have no known stream
+		 * to lock onto.  The result is one way audio until there is a victor.
+		 *
+		 * If we learn a stream source address before the timeout we will be
+		 * in scenario 1) or 2) when a competing stream starts.
+		 */
+		if (!ast_sockaddr_isnull(&rtp->strict_rtp_address)
+			&& STRICT_RTP_LEARN_TIMEOUT < ast_tvdiff_ms(ast_tvnow(), rtp->rtp_source_learn.start)) {
+			ast_verb(4, "%p -- Strict RTP learning complete - Locking on source address %s\n",
+				rtp, ast_sockaddr_stringify(&rtp->strict_rtp_address));
+			rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+
+			/*
+			 * Clear the alternate remote address after learning.
+			 *
+			 * We should not leave this address laying around.
+			 * It gets set only on a chan_sip reINVITE glare.
+			 * We don't want a stale address interfering with
+			 * the next learning time.
+			 */
+			ast_sockaddr_setnull(&rtp->alt_rtp_address);
+ 		} else {
+-			/* Hmm, not the strict address. Perhaps we're getting audio from the alternate? */
+-			if (!ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+-				/* ooh, we did! You're now the new expected address, son! */
+-				ast_sockaddr_copy(&rtp->strict_rtp_address,
+-						  &addr);
+-			} else {
+-				/* Start trying to learn from the new address. If we pass a probationary period with
+-				 * it, that means we've stopped getting RTP from the original source and we should
+-				 * switch to it.
+			if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+				/*
+				 * We are open to learning a new address but have received
+				 * traffic from the current address, accept it and reset
+				 * the learning counts for a new source.  When no more
+				 * current source packets arrive a new source can take over
+				 * once sufficient traffic is received.
+ 				 */
+-				if (rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+-					ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets\n",
+-							rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+-					return &ast_null_frame;
+-				}
+-				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+				break;
+ 			}
+ 
+-			ast_verb(4, "%p -- Probation passed - setting RTP source address to %s\n", rtp, ast_sockaddr_stringify(&addr));
+-			rtp->strict_rtp_state = STRICT_RTP_CLOSED;
+			/*
+			 * We give preferential treatment to the requested remote address
+			 * (negotiated SDP address) where we are to send our RTP.  However,
+			 * the other end has no obligation to send from that address even
+			 * though it is practically a requirement when NAT is involved.
+			 */
+			if (!ast_sockaddr_cmp(&remote_address, &addr)) {
+				/* Accept the negotiated remote RTP stream as the source */
+				ast_verb(4, "%p -- Strict RTP switching to RTP remote address %s as source\n",
+					rtp, ast_sockaddr_stringify(&addr));
+				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+				break;
+			}
+			/* Treat the alternate remote address as another negotiated SDP address. */
+			if (!ast_sockaddr_isnull(&rtp->alt_rtp_address)
+				&& !ast_sockaddr_cmp(&rtp->alt_rtp_address, &addr)) {
+				/* ooh, we did! You're now the new expected address, son! */
+				ast_verb(4, "%p -- Strict RTP switching to RTP alt remote address %s as source\n",
+					rtp, ast_sockaddr_stringify(&addr));
+				ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+				break;
+			}
+
+			/*
+			 * Trying to learn a new address.  If we pass a probationary period
+			 * with it, that means we've stopped getting RTP from the original
+			 * source and we should switch to it.
+			 */
+			if (!ast_sockaddr_cmp(&rtp->rtp_source_learn.proposed_address, &addr)) {
+				if (!rtp_learning_rtp_seq_update(&rtp->rtp_source_learn, seqno)) {
+					/* Accept the new RTP stream */
+					ast_verb(4, "%p -- Strict RTP switching source address to %s\n",
+						rtp, ast_sockaddr_stringify(&addr));
+					ast_sockaddr_copy(&rtp->strict_rtp_address, &addr);
+					rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+					break;
+				}
+				/* Not ready to accept the RTP stream candidate */
+				ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Will switch to it in %d packets.\n",
+					rtp, ast_sockaddr_stringify(&addr), rtp->rtp_source_learn.packets);
+			} else {
+				/*
+				 * This is either an attacking stream or
+				 * the start of the expected new stream.
+				 */
+				ast_sockaddr_copy(&rtp->rtp_source_learn.proposed_address, &addr);
+				rtp_learning_seq_init(&rtp->rtp_source_learn, seqno);
+				ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection. Qualifying new stream.\n",
+					rtp, ast_sockaddr_stringify(&addr));
+			}
+			return &ast_null_frame;
+ 		}
+-	} else if (rtp->strict_rtp_state == STRICT_RTP_CLOSED && ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+		/* Fall through */
+	case STRICT_RTP_CLOSED:
+		/*
+		 * We should not allow a stream address change if the SSRC matches
+		 * once strictrtp learning is closed.  Any kind of address change
+		 * like this should have happened while we were in the learning
+		 * state.  We do not want to allow the possibility of an attacker
+		 * interfering with the RTP stream after the learning period.
+		 * An attacker could manage to get an RTCP packet redirected to
+		 * them which can contain the SSRC value.
+		 */
+		if (!ast_sockaddr_cmp(&rtp->strict_rtp_address, &addr)) {
+			break;
+		}
+ 		ast_debug(1, "%p -- Received RTP packet from %s, dropping due to strict RTP protection.\n",
+ 			rtp, ast_sockaddr_stringify(&addr));
+ 		return &ast_null_frame;
+	case STRICT_RTP_OPEN:
+		break;
+ 	}
+ 
+ 	/* If symmetric RTP is enabled see if the remote side is not what we expected and change where we are sending audio */
+@@ -4401,11 +4722,6 @@
+ 		return &ast_null_frame;
+ 	}
+ 
+-	/* If the version is not what we expected by this point then just drop the packet */
+-	if (version != 2) {
+-		return &ast_null_frame;
+-	}
+-
+ 	/* Pull out the various other fields we will need */
+ 	payloadtype = (seqno & 0x7f0000) >> 16;
+ 	padding = seqno & (1 << 29);
+@@ -4418,7 +4734,7 @@
+ 
+ 	AST_LIST_HEAD_INIT_NOLOCK(&frames);
+ 	/* Force a marker bit and change SSRC if the SSRC changes */
+-	if (rtp->rxssrc && rtp->rxssrc != ssrc) {
+	if (rtp->themssrc_valid && rtp->themssrc != ssrc) {
+ 		struct ast_frame *f, srcupdate = {
+ 			AST_FRAME_CONTROL,
+ 			.subclass.integer = AST_CONTROL_SRCCHANGE,
+@@ -4445,8 +4761,8 @@
+ 			rtp->rtcp->received_prior = 0;
+ 		}
+ 	}
+-
+-	rtp->rxssrc = ssrc;
+	rtp->themssrc = ssrc; /* Record their SSRC to put in future RR */
+	rtp->themssrc_valid = 1;
+ 
+ 	/* Remove any padding bytes that may be present */
+ 	if (padding) {
+@@ -4498,10 +4814,6 @@
+ 
+ 	prev_seqno = rtp->lastrxseqno;
+ 	rtp->lastrxseqno = seqno;
+-
+-	if (!rtp->themssrc) {
+-		rtp->themssrc = ntohl(rtpheader[2]); /* Record their SSRC to put in future RR */
+-	}
+ 
+ 	if (rtp_debug_test_addr(&addr)) {
+ 		ast_verbose("Got  RTP packet from    %s (type %-2.2d, seq %-6.6u, ts %-6.6u, len %-6.6d)\n",
+@@ -4771,13 +5083,14 @@
+ 
+ 	rtp->rxseqno = 0;
+ 
+-	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN && !ast_sockaddr_isnull(addr) &&
+-		ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
+	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN
+		&& !ast_sockaddr_isnull(addr) && ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
+ 		/* We only need to learn a new strict source address if we've been told the source is
+ 		 * changing to something different.
+ 		 */
+-		rtp->strict_rtp_state = STRICT_RTP_LEARN;
+-		rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno);
+		ast_verb(4, "%p -- Strict RTP learning after remote address set to: %s\n",
+			rtp, ast_sockaddr_stringify(addr));
+		rtp_learning_start(rtp);
+ 	}
+ 
+ 	return;
+@@ -4805,7 +5118,23 @@
+ 	 */
+ 	ast_sockaddr_copy(&rtp->alt_rtp_address, addr);
+ 
+-	return;
+	if (strictrtp && rtp->strict_rtp_state != STRICT_RTP_OPEN
+		&& !ast_sockaddr_isnull(addr) && ast_sockaddr_cmp(addr, &rtp->strict_rtp_address)) {
+		/*
+		 * We only need to learn a new strict source address if we've been told the
+		 * source may be changing to something different.
+		 *
+		 * XXX NOTE: The alternate source address is only set because of a reINVITE
+		 * glare in chan_sip.  A reINVITE glare is supposed to be retried after a
+		 * backoff delay so it shouldn't be needed at all.  However, I found this
+		 * as the best description of why it was added:
+		 * http://lists.digium.com/pipermail/asterisk-dev/2009-May/038348.html
+		 * https://reviewboard.asterisk.org/r/252/
+		 */
+		ast_verb(4, "%p -- Strict RTP learning after alternate remote address set to: %s\n",
+			rtp, ast_sockaddr_stringify(addr));
+		rtp_learning_start(rtp);
+	}
+ }
+ 
+ /*! \brief Write t140 redundacy frame
--- a/net/asterisk-13.x-chan-lantiq/Makefile
+++ b/net/asterisk-13.x-chan-lantiq/Makefile
@ -0,0 +1,77 @@
+#
+# Copyright (C) 2018 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=asterisk13-chan-lantiq
+PKG_VERSION:=20180215
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://github.com/kochstefan/asterisk_channel_lantiq.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=f0d7ca7df8e5df802c5bcb79643e3bdc3956c190
+PKG_MIRROR_HASH:=aaf5ce87a2e23b801318add79eaaa1b7c4a8aa497ca8e2a71ef5d452a7595a73
+PKG_SOURCE_PROTO:=git
+
+PKG_LICENSE:=GPL-2.0
+
+PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
+
+PKG_FLAGS:=nonshared
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/$(PKG_NAME)
+  SUBMENU:=Telephony Lantiq
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Lantiq channel driver
+  URL:=https://github.com/kochstefan/asterisk_channel_lantiq
+  DEPENDS:=+asterisk13 +kmod-ltq-vmmc
+endef
+
+define Package/$(PKG_NAME)/description
+An implementation of a Lantiq TAPI channel driver for Asterisk 13.
+endef
+
+define Package/$(PKG_NAME)/conffiles
+/etc/asterisk/lantiq.conf
+endef
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	$(INSTALL_DATA) ./files/default.exports \
+		$(PKG_BUILD_DIR)/src/channels/chan_lantiq.exports
+endef
+
+define Build/Compile
+	cd $(PKG_BUILD_DIR)/src/channels && \
+	$(TARGET_CC) -o chan_lantiq.o -c chan_lantiq.c -MD -MT chan_lantiq.o \
+		-MF .chan_lantiq.o.d -MP -pthread \
+		$(TARGET_CFLAGS) -DAST_MODULE_SELF_SYM=__internal_chan_lantiq_self \
+		-I$(STAGING_DIR)/usr/include/asterisk-13/include \
+		$(TARGET_CPPFLAGS) \
+		-Wall -Wstrict-prototypes -Wmissing-prototypes \
+		-Wmissing-declarations $(FPIC) -DAST_MODULE=\"chan_lantiq\" && \
+	$(TARGET_CC) -o chan_lantiq.so -pthread $(TARGET_LDFLAGS) -shared \
+		-Wl,--version-script,chan_lantiq.exports,--warn-common \
+		chan_lantiq.o
+endef
+
+define Package/$(PKG_NAME)/install
+	$(INSTALL_DIR) $(1)/etc/asterisk
+	$(INSTALL_CONF) \
+		$(PKG_BUILD_DIR)/src/configs/samples/lantiq.conf.sample \
+		$(1)/etc/asterisk/lantiq.conf
+	$(INSTALL_DIR) $(1)/usr/lib/asterisk/modules
+	$(INSTALL_BIN) \
+		$(PKG_BUILD_DIR)/src/channels/chan_lantiq.so \
+		$(1)/usr/lib/asterisk/modules
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))
--- a/net/asterisk-13.x-chan-lantiq/files/default.exports
+++ b/net/asterisk-13.x-chan-lantiq/files/default.exports
@ -0,0 +1,8 @@
+{
+	global:
+		/* See main/asterisk.exports.in for an explanation why this is
+		 * needed. */
+		_IO_stdin_used;
+	local:
+		*;
+};
--- a/net/asterisk-13.x/Config.in
+++ b/net/asterisk-13.x/Config.in
@ -0,0 +1,11 @@
+menu "Advanced configuration"
+	depends on PACKAGE_asterisk13
+
+config ASTERISK13_LOW_MEMORY
+	bool "Optimize Asterisk 13 for low memory usage"
+	default n
+	help
+	  Warning: this feature is known to cause problems with some modules.
+	  Disable it if you experience problems like segmentation faults.
+
+endmenu
--- a/net/asterisk-13.x/Makefile
+++ b/net/asterisk-13.x/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016 OpenWrt.org
+# Copyright (C) 2016 - 2018 OpenWrt.org
 # Copyright (C) 2016 Cesnet, z.s.p.o.
 #
 # This is free software, licensed under the GNU General Public License v2.
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=asterisk13
-PKG_VERSION:=13.9.1
-PKG_RELEASE:=1
+PKG_VERSION:=13.19.2
+PKG_RELEASE:=5

 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://downloads.asterisk.org/pub/telephony/asterisk/releases/
-PKG_MD5SUM:=76c42992a79f41ec467ed20500e8b249
+PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases/
+PKG_HASH:=aab4bf95eea21a3864015d2a49a02e13e9f191f6a68acb0f7b1619da86ce3fb2

 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
@ -46,8 +46,12 @@ define Package/asterisk13/install/sbin
 endef

 define Package/asterisk13/install/sounds
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib/asterisk/sounds/en/$(2) $(1)/usr/lib/asterisk/sounds/
+	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/asterisk/sounds/en/$(2) $(1)/usr/share/asterisk/sounds/
+endef
+
+define Package/$(PKG_NAME)/config
+	source "$(SOURCE)/Config.in"
 endef

 define BuildAsterisk13Module
@ -58,7 +62,7 @@ define BuildAsterisk13Module
  endef

  define Package/asterisk13-$(1)/conffiles
-$(foreach c,$(5),/etc/asterisk/$(c))
+$(subst $(space),$(newline),$(foreach c,$(5),/etc/asterisk/$(c)))
  endef

  define Package/asterisk13-$(1)/description
@ -105,7 +109,11 @@ define Package/asterisk13/conffiles
 /etc/asterisk/acl.conf
 /etc/asterisk/cel.conf
 /etc/asterisk/ccss.conf
-/etc/asterisk/modules.conf
+/etc/asterisk/cli.conf
+/etc/asterisk/cli_permissions.conf
+/etc/asterisk/codecs.conf
+/etc/asterisk/dnsmgr.conf
+/etc/asterisk/dsp.conf
 /etc/asterisk/extconfig.conf
 /etc/asterisk/extensions.conf
 /etc/asterisk/features.conf
@ -115,7 +123,7 @@ define Package/asterisk13/conffiles
 /etc/asterisk/manager.conf
 /etc/asterisk/modules.conf
 /etc/asterisk/res_config_sqlite3.conf
-/etc/asterisk/rtp.conf
+/etc/asterisk/stasis.conf
 /etc/asterisk/udptl.conf
 /etc/asterisk/users.conf
 /etc/default/asterisk
@ -123,9 +131,10 @@ define Package/asterisk13/conffiles
 endef

 AST_CFG_FILES:= \
-	asterisk.conf acl.conf cel.conf ccss.conf extconfig.conf \
+	asterisk.conf acl.conf cel.conf ccss.conf cli.conf \
+	cli_permissions.conf codecs.conf dnsmgr.conf dsp.conf extconfig.conf \
 	extensions.conf features.conf http.conf indications.conf \
-	logger.conf manager.conf modules.conf udptl.conf \
+	logger.conf manager.conf modules.conf stasis.conf udptl.conf \
 	users.conf res_config_sqlite3.conf

 AST_EMB_MODULES:=\
@ -140,7 +149,7 @@ $(call Package/asterisk13/install/sbin,$(1),safe_asterisk)
 $(call Package/asterisk13/install/sbin,$(1),astgenkey)
 $(foreach m,$(AST_CFG_FILES),$(call Package/asterisk13/install/conffile,$(1),$(m));)
 $(foreach m,$(AST_EMB_MODULES),$(call Package/asterisk13/install/module,$(1),$(m));)
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
+	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
 	$(INSTALL_DIR) $(1)/etc/default
 	$(INSTALL_DATA) ./files/asterisk.default $(1)/etc/default/asterisk
 	$(INSTALL_DIR) $(1)/etc/init.d
@ -158,12 +167,12 @@ This package provides the sound-files for Asterisk-13.
 endef

 define Package/asterisk13-sounds/install
-	$(INSTALL_DIR) $(1)/usr/lib/asterisk/sounds/
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib/asterisk/sounds/en/* $(1)/usr/lib/asterisk/sounds/
-	rm -f $(1)/usr/lib/asterisk/sounds/vm-*
+	$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/asterisk/sounds/en/* $(1)/usr/share/asterisk/sounds/
+	rm -f $(1)/usr/share/asterisk/sounds/vm-*
 endef

-ifneq ($(SDK)$(CONFIG_PACKAGE_asterisk13-chan-dahdi),)
+ifneq ($(CONFIG_PACKAGE_asterisk13-chan-dahdi),)
  CONFIGURE_ARGS+= \
 	--with-dahdi="$(STAGING_DIR)/usr" \
 	--with-pri="$(STAGING_DIR)/usr" \
@ -175,13 +184,13 @@ else
 	--without-tonezone
 endif

-TARGET_LDFLAGS+= \
-	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pbx-lua),-ldl -lcrypt)
-
-EXTRA_CFLAGS+=$(TARGET_CPPFLAGS)
-EXTRA_LDFLAGS+=$(TARGET_LDFLAGS) -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
+# Pass CPPFLAGS in the CFLAGS as otherwise the build system will
+# ignore them.
+TARGET_CFLAGS+=$(TARGET_CPPFLAGS)

 CONFIGURE_ARGS+= \
+	--disable-xmldoc \
+	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-chan-alsa),--with-asound="$(STAGING_DIR)/usr",--without-asound) \
 	--without-execinfo \
 	--without-bluetooth \
 	--without-cap \
@ -203,30 +212,55 @@ CONFIGURE_ARGS+= \
 	--without-osptk \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pbx-lua),--with-lua="$(STAGING_DIR)/usr",--without-lua) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pgsql),--with-postgres="$(STAGING_DIR)/usr",--without-postgres) \
-	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-pjsip),--with-pjproject,--without-pjproject) \
 	--with-popt="$(STAGING_DIR)/usr" \
 	--without-pwlib \
 	--without-radius \
-	--without-spandsp \
+	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-fax-spandsp),--with-spandsp="$(STAGING_DIR)/usr",--without-spandsp) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-xmpp),--with-iksemel="$(STAGING_DIR)/usr",--without-iksemel) \
 	--without-sdl \
 	--without-sqlite \
 	--with-sqlite3="$(STAGING_DIR)/usr" \
-	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-srtp),--with-srtp="$(STAGING_DIR)/usr",--without-srtp) \
 	--without-suppserv \
 	--without-tds \
 	--without-termcap \
 	--without-tinfo \
-	--with-uuid="$(STAGING_DIR)/usr" \
 	--without-vorbis \
 	--without-vpb \
-	--with-z="$(STAGING_DIR)/usr" \
-	--with-sounds-cache="$(DL_DIR)" \
-	--enable-xmldoc
+	--with-z="$(STAGING_DIR)/usr"
+
+ifeq ($(CONFIG_PACKAGE_$(PKG_NAME)-res-pjproject)$(CONFIG_PACKAGE_$(PKG_NAME)-res-srtp),)
+CONFIGURE_ARGS+= \
+	--without-srtp
+else
+CONFIGURE_ARGS+= \
+	--with-srtp="$(STAGING_DIR)/usr"
+endif
+
+ifeq ($(CONFIG_PACKAGE_$(PKG_NAME)-pjsip)$(CONFIG_PACKAGE_$(PKG_NAME)-res-pjproject)$(CONFIG_PACKAGE_$(PKG_NAME)-res-rtp-asterisk),)
+CONFIGURE_ARGS+= \
+	--without-pjproject
+else
+CONFIGURE_ARGS+= \
+	--with-pjproject="$(STAGING_DIR)/usr"
+endif

 CONFIGURE_VARS += \
 	ac_cv_path_ac_pt_CONFIG_LIBXML2=$(STAGING_DIR)/host/bin/xml2-config

+MAKE_FLAGS+= \
+	ASTDATADIR="/usr/share/asterisk" \
+	DESTDIR="$(PKG_INSTALL_DIR)"
+
+# show full gcc arguments instead of [CC] and [LD]
+MAKE_FLAGS+= \
+	NOISY_BUILD="yes"
+
+# don't let asterisk mess with build flags
+MAKE_FLAGS+= \
+	AST_FORTIFY_SOURCE="" \
+	DEBUG="" \
+	OPTIMIZE=""
+
 AST_MENUSELECT_OPTS = \
 	--without-newt \
 	--without-curses \
@ -237,7 +271,7 @@ define Build/Configure
 	(cd $(PKG_BUILD_DIR); \
 		./bootstrap.sh; \
 	);
-	$(call Build/Configure/Default,,$(SITE_VARS))
+	$(call Build/Configure/Default)
 	(cd $(PKG_BUILD_DIR)/menuselect; \
 		./bootstrap.sh; \
 		./configure \
@ -252,22 +286,20 @@ define Build/Compile
 	$(MAKE) -C "$(PKG_BUILD_DIR)/menuselect" \
 		CFLAGS="$(HOST_CFLAGS) -I$(STAGING_DIR)/host/include/libxml2" \
 		LDFLAGS="$(HOST_LDFLAGS) -lxml2"
-	$(MAKE) -C "$(PKG_BUILD_DIR)" \
-		include/asterisk/version.h \
-		include/asterisk/buildopts.h defaults.h \
-		makeopts.embed_rules
-	ASTCFLAGS="$(EXTRA_CFLAGS) -DLOW_MEMORY"
-	ASTLDFLAGS="$(EXTRA_LDFLAGS)"
-	$(MAKE) -C "$(PKG_BUILD_DIR)" \
-		ASTVARLIBDIR="/usr/lib/asterisk" \
-		ASTDATADIR="/usr/lib/asterisk" \
-		ASTKEYDIR="/usr/lib/asterisk" \
-		ASTDBDIR="/usr/lib/asterisk" \
-		NOISY_BUILD="yes" \
-		DEBUG="" \
-		OPTIMIZE="" \
-		DESTDIR="$(PKG_INSTALL_DIR)" \
-		all install samples
+	$(MAKE) -C "$(PKG_BUILD_DIR)" menuselect-tree
+	cd "$(PKG_BUILD_DIR)" && \
+		./menuselect/menuselect \
+			--disable BUILD_NATIVE \
+			$(if $(CONFIG_ASTERISK13_LOW_MEMORY),--enable LOW_MEMORY) \
+			menuselect.makeopts
+	# Hack:
+	# When changing anything in MENUSELECT_CFLAGS the file ".lastclean"
+	# gets deleted. E.g. when compiling on x86 for x86 "--disable
+	# BUILD_NATIVE" changes MENUSELECT_CFLAGS and the file gets removed.
+	# But that will result in a rebuild attempt of menuselect which will
+	# likely fail. Prevent that by recreating ".lastclean".
+	$(CP) "$(PKG_BUILD_DIR)/.cleancount" "$(PKG_BUILD_DIR)/.lastclean"
+	$(call Build/Compile/Default,all install samples)
 endef

 define Build/InstallDev
@ -329,7 +361,7 @@ $(eval $(call BuildAsterisk13Module,cdr,Provides CDR,Call Detail Record,,cdr.con
 $(eval $(call BuildAsterisk13Module,cdr-csv,Provides CDR CSV,Call Detail Record with CSV support,,,cdr_csv,,))
 $(eval $(call BuildAsterisk13Module,cdr-sqlite3,Provides CDR SQLITE3,Call Detail Record with SQLITE3 support,libsqlite3,,cdr_sqlite3_custom,,))
 $(eval $(call BuildAsterisk13Module,chan-alsa,ALSA channel,the channel chan_alsa,+alsa-lib,alsa.conf,chan_alsa,,))
-$(eval $(call BuildAsterisk13Module,chan-dahdi,DAHDI channel,DAHDI channel support,+dahdi-tools-libtonezone +kmod-dahdi +libpri,chan_dahdi.conf,chan_dahdi,,))
+$(eval $(call BuildAsterisk13Module,chan-dahdi,DAHDI channel,DAHDI channel support,+dahdi-tools-libtonezone +kmod-dahdi +libpri @!aarch64,chan_dahdi.conf,chan_dahdi,,))
 $(eval $(call BuildAsterisk13Module,chan-iax2,IAX2 channel,IAX support,+asterisk13-res-timing-timerfd,iax.conf iaxprov.conf,chan_iax2,,))
 $(eval $(call BuildAsterisk13Module,chan-oss,OSS channel,the channel chan_oss,,oss.conf,chan_oss,,))
 $(eval $(call BuildAsterisk13Module,chan-sip,SIP channel,the channel chan_sip,+asterisk13-app-confbridge,sip.conf sip_notify.conf,chan_sip,,))
@ -346,7 +378,7 @@ $(eval $(call BuildAsterisk13Module,codec-ilbc,linear to ILBC translation,transl
 $(eval $(call BuildAsterisk13Module,codec-lpc10,Linear to LPC10 translation,translate between signed linear and LPC10,,,codec_lpc10,,))
 $(eval $(call BuildAsterisk13Module,codec-resample,resample sLinear audio,resample sLinear audio,,,codec_resample,,))
 $(eval $(call BuildAsterisk13Module,codec-ulaw,Signed linear to ulaw translation,translation between signed linear and ulaw codecs,,,codec_ulaw,,))
-$(eval $(call BuildAsterisk13Module,curl,CURL,CURL support,+libcurl,,func_curl res_curl,,))
+$(eval $(call BuildAsterisk13Module,curl,CURL,CURL support,+libcurl,,func_curl res_config_curl res_curl,,))
 $(eval $(call BuildAsterisk13Module,format-g726,G.726,support for headerless G.726 16/24/32/40kbps data format,,,format_g726,,))
 $(eval $(call BuildAsterisk13Module,format-g729,G.729,support for raw headerless G729 data,,,format_g729,,))
 $(eval $(call BuildAsterisk13Module,format-gsm,GSM format,support for GSM format,,,format_gsm,,))
@ -372,38 +404,44 @@ $(eval $(call BuildAsterisk13Module,func-groupcount,Group count,for counting num
 $(eval $(call BuildAsterisk13Module,func-math,Math functions,Math functions,,,func_math,))
 $(eval $(call BuildAsterisk13Module,func-module,Simple module check function,Simple module check function,,,func_module,))
 $(eval $(call BuildAsterisk13Module,func-presencestate,Hinted presence state,Gets or sets a presence state in the dialplan,,,func_presencestate,,))
+$(eval $(call BuildAsterisk13Module,func-periodic-hook,Periodic dialplan hooks,Execute a periodic dialplan hook into the audio of a call,+$(PKG_NAME)-app-chanspy +$(PKG_NAME)-func-cut +$(PKG_NAME)-func-groupcount +$(PKG_NAME)-func-uri,,func_periodic_hook,,))
 $(eval $(call BuildAsterisk13Module,func-realtime,realtime,the realtime dialplan function,,,func_realtime,,))
 $(eval $(call BuildAsterisk13Module,func-shell,Shell,support for shell execution,,,func_shell,,))
 $(eval $(call BuildAsterisk13Module,func-uri,URI encoding and decoding,Encodes and decodes URI-safe strings,,,func_uri,,))
 $(eval $(call BuildAsterisk13Module,func-vmcount,vmcount dialplan,a vmcount dialplan function,,,func_vmcount,,))
-$(eval $(call BuildAsterisk13Module,odbc,ODBC,ODBC support,+libpthread +libc +unixodbc,cdr_adaptive_odbc.conf cdr_odbc.conf cel_odbc.conf func_odbc.conf res_odbc.conf,cdr_adaptive_odbc cdr_odbc cel_odbc func_odbc res_config_odbc res_odbc,,))
-$(eval $(call BuildAsterisk13Module,pbx-ael,Asterisk Extension Logic,support for symbolic Asterisk Extension Logic,,extensions.ael,pbx_ael,,))
+$(eval $(call BuildAsterisk13Module,odbc,ODBC,ODBC support,+libpthread +libc +unixodbc,cdr_adaptive_odbc.conf cdr_odbc.conf cel_odbc.conf func_odbc.conf res_odbc.conf,cdr_adaptive_odbc cdr_odbc cel_odbc func_odbc res_config_odbc res_odbc res_odbc_transaction,,))
+$(eval $(call BuildAsterisk13Module,pbx-ael,Asterisk Extension Logic,support for symbolic Asterisk Extension Logic,+$(PKG_NAME)-res-ael-share,extensions.ael,pbx_ael,,))
 $(eval $(call BuildAsterisk13Module,pbx-dundi,Dundi,provides Dundi Lookup service for Asterisk,,dundi.conf,pbx_dundi,,))
 $(eval $(call BuildAsterisk13Module,pbx-realtime,Realtime Switch,realtime switch support,,,pbx_realtime,,))
 $(eval $(call BuildAsterisk13Module,pbx-spool,Call Spool,outgoing call spool support,,,pbx_spool,,))
-$(eval $(call BuildAsterisk13Module,pgsql,PostgreSQL,PostgreSQL support,+libpq,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))
-$(eval $(call BuildAsterisk13Module,pjsip,pjsip channel,the channel pjsip,+asterisk13-res-sorcery +libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,pjsip.conf pjsip_notify.conf,func_pjsip_endpoint chan_pjsip res_pjsip_acl res_pjsip_authenticator_digest res_pjsip_caller_id res_pjsip_dialog_info_body_generator res_pjsip_diversion res_pjsip_dtmf_info res_pjsip_endpoint_identifier_anonymous res_pjsip_endpoint_identifier_ip res_pjsip_endpoint_identifier_user res_pjsip_exten_state res_pjsip_header_funcs res_pjsip_log_forwarder res_pjsip_logger res_pjsip_messaging res_pjsip_multihomed res_pjsip_mwi_body_generator res_pjsip_mwi res_pjsip_nat res_pjsip_notify res_pjsip_one_touch_record_info res_pjsip_outbound_authenticator_digest res_pjsip_outbound_publish res_pjsip_outbound_registration res_pjsip_path res_pjsip_pidf_body_generator res_pjsip_pidf_digium_body_supplement res_pjsip_pidf_eyebeam_body_supplement res_pjsip_publish_asterisk res_pjsip_pubsub res_pjsip_refer res_pjsip_registrar_expire res_pjsip_registrar res_pjsip_rfc3326 res_pjsip_sdp_rtp res_pjsip_send_to_voicemail res_pjsip_session res_pjsip res_pjsip_transport_websocket res_pjsip_t38 res_pjsip_xpidf_body_generator,,))
+$(eval $(call BuildAsterisk13Module,pgsql,PostgreSQL,PostgreSQL support,+libpq @!arc,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))
+$(eval $(call BuildAsterisk13Module,pjsip,pjsip channel,the channel pjsip,+asterisk13-res-sorcery +asterisk13-res-pjproject +libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,pjsip.conf pjsip_notify.conf pjsip_wizard.conf,chan_pjsip func_pjsip_aor func_pjsip_contact func_pjsip_endpoint res_pjsip res_pjsip_acl res_pjsip_authenticator_digest res_pjsip_caller_id res_pjsip_config_wizard res_pjsip_dialog_info_body_generator res_pjsip_diversion res_pjsip_dlg_options res_pjsip_dtmf_info res_pjsip_empty_info res_pjsip_endpoint_identifier_anonymous res_pjsip_endpoint_identifier_ip res_pjsip_endpoint_identifier_user res_pjsip_exten_state res_pjsip_header_funcs res_pjsip_history res_pjsip_logger res_pjsip_messaging res_pjsip_mwi res_pjsip_mwi_body_generator res_pjsip_nat res_pjsip_notify res_pjsip_one_touch_record_info res_pjsip_outbound_authenticator_digest res_pjsip_outbound_publish res_pjsip_outbound_registration res_pjsip_path res_pjsip_pidf_body_generator res_pjsip_pidf_digium_body_supplement res_pjsip_pidf_eyebeam_body_supplement res_pjsip_publish_asterisk res_pjsip_pubsub res_pjsip_refer res_pjsip_registrar res_pjsip_registrar_expire res_pjsip_rfc3326 res_pjsip_sdp_rtp res_pjsip_send_to_voicemail res_pjsip_session res_pjsip_sips_contact res_pjsip_t38 res_pjsip_transport_websocket res_pjsip_xpidf_body_generator,,))
 $(eval $(call BuildAsterisk13Module,res-adsi,Provide ADSI,Analog Display Services Interface capability,,,res_adsi,,))
 $(eval $(call BuildAsterisk13Module,res-ael-share,Shareable AEL code,support for shareable AEL code mainly between internal and external modules,,,res_ael_share,,))
-$(eval $(call BuildAsterisk13Module,res-agi,Asterisk Gateway Interface,Support for the Asterisk Gateway Interface extension,,,res_agi,,))
+$(eval $(call BuildAsterisk13Module,res-agi,Asterisk Gateway Interface,Support for the Asterisk Gateway Interface extension,+asterisk13-res-speech,,res_agi,,))
 $(eval $(call BuildAsterisk13Module,res-calendar,Calendaring API,Calendaring support (ICal and Google Calendar),,calendar.conf,res_calendar,,))
 $(eval $(call BuildAsterisk13Module,res-clioriginate,Calls via CLI,Originate calls via the CLI,,,res_clioriginate,,))
-$(eval $(call BuildAsterisk13Module,res-hep,HEPv3 API,,,,res_hep,,))
-$(eval $(call BuildAsterisk13Module,res-hep-pjsip,PJSIP HEPv3 Logger,,+asterisk13-res-hep +asterisk13-pjsip,,res_hep,,))
-$(eval $(call BuildAsterisk13Module,res-hep-rtcp,RTCP HEPv3 Logger,,+asterisk13-res-hep,,res_hep,,))
-$(eval $(call BuildAsterisk13Module,res-http-websocket,HTTP websocket support,,,,res_http_websocket,,))
-$(eval $(call BuildAsterisk13Module,res-monitor,Provide Monitor,Cryptographic Signature capability,,,res_monitor,,))
+$(eval $(call BuildAsterisk13Module,res-fax,FAX modules,Generic FAX resource for FAX technology resource modules,+asterisk13-res-timing-pthread,res_fax.conf,res_fax,,))
+$(eval $(call BuildAsterisk13Module,res-fax-spandsp,Spandsp T.38 and G.711,Spandsp T.38 and G.711 FAX Resource,+asterisk13-res-fax +libspandsp +libtiff,,res_fax_spandsp,,))
+$(eval $(call BuildAsterisk13Module,res-hep,HEPv3 API,Routines for integration with Homer using HEPv3,,hep.conf,res_hep,,))
+$(eval $(call BuildAsterisk13Module,res-hep-pjsip,PJSIP HEPv3 Logger,PJSIP logging with Homer,+asterisk13-res-hep +asterisk13-pjsip,,res_hep_pjsip,,))
+$(eval $(call BuildAsterisk13Module,res-hep-rtcp,RTCP HEPv3 Logger,RTCP logging with Homer,+asterisk13-res-hep,,res_hep_rtcp,,))
+$(eval $(call BuildAsterisk13Module,res-http-websocket,HTTP websocket support,WebSocket support for the Asterisk internal HTTP server,,,res_http_websocket,,))
+$(eval $(call BuildAsterisk13Module,res-monitor,PBX channel monitoring,call monitoring resource,+$(PKG_NAME)-func-periodic-hook,,res_monitor,,))
 $(eval $(call BuildAsterisk13Module,res-musiconhold,MOH,Music On Hold support,,musiconhold.conf,res_musiconhold,,))
-$(eval $(call BuildAsterisk13Module,res-parking,Phone Parking,Phone Parking application,,res_parking.conf,res_parking,,))
+$(eval $(call BuildAsterisk13Module,res-parking,Phone Parking,Phone Parking application,+$(PKG_NAME)-bridge-holding,res_parking.conf,res_parking,,))
 $(eval $(call BuildAsterisk13Module,res-phoneprov,Phone Provisioning,Phone provisioning application for the asterisk internal http server,,phoneprov.conf,res_phoneprov,,))
+$(eval $(call BuildAsterisk13Module,res-pjproject,Bridge PJPROJECT to Asterisk logging,,+libpj +libpjlib-util +libpjmedia +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsip +libpjsua +libpjsua2 +libsrtp,pjproject.conf,res_pjproject,,))
 $(eval $(call BuildAsterisk13Module,res-realtime,Realtime,Realtime Interface,,,res_realtime,,))
-$(eval $(call BuildAsterisk13Module,res-rtp-asterisk,RTP stack,,+libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,rtp.conf,res_rtp_asterisk,,))
-$(eval $(call BuildAsterisk13Module,res-rtp-multicast,RTP multicast engine,,,,res_rtp_multicast,,))
+$(eval $(call BuildAsterisk13Module,res-rtp-asterisk,RTP stack,Supports RTP and RTCP with Symmetric RTP support for NAT traversal,+libpjsip +libpjmedia +libpjnath +libpjsip-simple +libpjsip-ua +libpjsua +libpjsua2,rtp.conf,res_rtp_asterisk,,))
+$(eval $(call BuildAsterisk13Module,res-rtp-multicast,RTP multicast engine,Multicast RTP Engine,,,res_rtp_multicast,,))
 $(eval $(call BuildAsterisk13Module,res-smdi,Provide SMDI,Simple Message Desk Interface capability,,smdi.conf,res_smdi,,))
-$(eval $(call BuildAsterisk13Module,res-sorcery,Sorcery data layer,,,,res_sorcery_astdb res_sorcery_config res_sorcery_memory res_sorcery_realtime,,))
+$(eval $(call BuildAsterisk13Module,res-sorcery,Sorcery data layer,Sorcery backend modules for data access intended for using realtime as backend,,sorcery.conf,res_sorcery_astdb res_sorcery_config res_sorcery_memory res_sorcery_realtime,,))
+$(eval $(call BuildAsterisk13Module,res-speech,Speech Recognition API,Support for the Asterisk Generic Speech Recognition API,,,res_speech,,))
 $(eval $(call BuildAsterisk13Module,res-srtp,SRTP Support,Secure RTP connection,+libsrtp,,res_srtp,,))
-$(eval $(call BuildAsterisk13Module,res-timing-dahdi,DAHDI Timing Interface,,+asterisk13-chan-dahdi,,res_timing_dahdi,,))
-$(eval $(call BuildAsterisk13Module,res-timing-pthread,pthread Timing Interface,,,,res_timing_pthread,,))
-$(eval $(call BuildAsterisk13Module,res-timing-timerfd,Timerfd Timing Interface,,,,res_timing_timerfd,,))
+$(eval $(call BuildAsterisk13Module,res-timing-dahdi,DAHDI Timing Interface,DAHDI timing interface,+asterisk13-chan-dahdi,,res_timing_dahdi,,))
+$(eval $(call BuildAsterisk13Module,res-timing-pthread,pthread Timing Interface,POSIX pthreads Timing Interface,,,res_timing_pthread,,))
+$(eval $(call BuildAsterisk13Module,res-timing-timerfd,Timerfd Timing Interface,Timing interface provided by Linux kernel,,,res_timing_timerfd,,))
+$(eval $(call BuildAsterisk13Module,res-xmpp,XMPP client and component module,reference module for interfacting Asterisk directly as a client or component with XMPP server,+libiksemel +libopenssl,xmpp.conf,res_xmpp,,))
 $(eval $(call BuildAsterisk13Module,voicemail,Voicemail,voicemail related modules,+asterisk13-res-adsi +asterisk13-res-smdi,voicemail.conf,app_voicemail,vm-*,))

--- a/net/asterisk-13.x/files/asterisk.init
+++ b/net/asterisk-13.x/files/asterisk.init
@ -14,8 +14,7 @@ start() {
       [ -d $DEST/var/run/asterisk ] || mkdir -p $DEST/var/run/asterisk
       [ -d $DEST/var/log/asterisk ] || mkdir -p $DEST/var/log/asterisk
       [ -d $DEST/var/spool/asterisk ] || mkdir -p $DEST/var/spool/asterisk
-       [ -d $DEST/var/lib ] || mkdir -p $DEST/var/lib
-       [ -h $DEST/var/lib/asterisk ] || ln -s /usr/lib/asterisk /var/lib/asterisk
+       [ -d $DEST/var/lib/asterisk ] || mkdir -p $DEST/var/lib/asterisk
       [ -d $DEST/var/lib/asterisk/keys ] || mkdir -p $DEST/var/lib/asterisk/keys
       [ -d $DEST/var/log/asterisk/cdr-csv ] || mkdir -p $DEST/var/log/asterisk/cdr-csv

--- a/net/asterisk-13.x/patches/001-disable-semaphores-check.patch
+++ b/net/asterisk-13.x/patches/001-disable-semaphores-check.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -927,19 +927,6 @@ AC_LINK_IFELSE(
+@@ -965,19 +965,6 @@ AC_LINK_IFELSE(
   ]
 )
 
--- a/net/asterisk-13.x/patches/002-undef-res-ninit.patch
+++ b/net/asterisk-13.x/patches/002-undef-res-ninit.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1261,7 +1261,6 @@ AC_LINK_IFELSE(
+@@ -1299,7 +1299,6 @@ AC_LINK_IFELSE(
 			#include <resolv.h>],
 			[int foo = res_ninit(NULL);])],
 	AC_MSG_RESULT(yes)
--- a/net/asterisk-13.x/patches/003-disable-ast-xml-docs.patch
+++ b/net/asterisk-13.x/patches/003-disable-ast-xml-docs.patch
@ -1,13 +0,0 @@
--- a/include/asterisk/xml.h
-+++ b/include/asterisk/xml.h
-@@ -246,10 +246,5 @@ struct ast_xml_node *ast_xml_xpath_get_f
-  */
- struct ast_xml_xpath_results *ast_xml_query(struct ast_xml_doc *doc, const char *xpath_str);
- 
-/* Features using ast_xml_ */
-#ifdef HAVE_LIBXML2
-#define AST_XML_DOCS
-#endif
-
- #endif /* _ASTERISK_XML_H */
- 
--- a/net/asterisk-13.x/patches/004-ifdef-missing-execinfo.patch
+++ b/net/asterisk-13.x/patches/004-ifdef-missing-execinfo.patch
@ -31,7 +31,7 @@
@@ -114,9 +120,11 @@ struct ast_lock_track {
 	int reentrancy;
 	const char *func[AST_MAX_REENTRANCY];
- 	pthread_t thread[AST_MAX_REENTRANCY];
+ 	pthread_t thread_id[AST_MAX_REENTRANCY];
 +#ifndef __UCLIBC__
 #ifdef HAVE_BKTR
 	struct ast_bt backtrace[AST_MAX_REENTRANCY];
--- a/net/asterisk-13.x/patches/040-fix-config-options.patch
+++ b/net/asterisk-13.x/patches/040-fix-config-options.patch
@ -1,12 +0,0 @@
--- a/main/config_options.c
-+++ b/main/config_options.c
-@@ -198,8 +198,8 @@ static int link_option_to_types(struct a
- #ifdef AST_DEVMODE
- 			opt->doc_unavailable = 1;
- #endif
-#endif
- 		}
-+#endif
- 	}
- 	/* The container(s) should hold the only ref to opt */
- 	ao2_ref(opt, -1);
--- a/net/asterisk-13.x/patches/050-musl-glob-compat.patch
+++ b/net/asterisk-13.x/patches/050-musl-glob-compat.patch
@ -1,6 +1,6 @@
 --- a/res/ael/ael.flex
 +++ b/res/ael/ael.flex
-@@ -79,6 +79,12 @@
+@@ -79,6 +79,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
 #if !defined(GLOB_ABORTED)
 #define GLOB_ABORTED GLOB_ABEND
 #endif
@ -13,10 +13,9 @@
 
 #include "asterisk/logger.h"
 #include "asterisk/utils.h"
-Only in asterisk-11.7.0: res/ael/ael.tab.o
 --- a/res/ael/ael_lex.c
 +++ b/res/ael/ael_lex.c
-@@ -838,6 +838,12 @@
+@@ -838,6 +838,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
 #if !defined(GLOB_ABORTED)
 #define GLOB_ABORTED GLOB_ABEND
 #endif
--- a/net/asterisk-13.x/patches/051-musl-includes.patch
+++ b/net/asterisk-13.x/patches/051-musl-includes.patch
@ -1,42 +0,0 @@
--- a/include/asterisk/compat.h
-+++ b/include/asterisk/compat.h
-@@ -68,7 +68,7 @@
- #endif
- 
- #ifndef AST_POLL_COMPAT
-#include <sys/poll.h>
-+#include <poll.h>
- #else
- #include "asterisk/poll-compat.h"
- #endif
--- a/include/asterisk/poll-compat.h
-+++ b/include/asterisk/poll-compat.h
-@@ -83,7 +83,7 @@
- 
- #ifndef AST_POLL_COMPAT
- 
-#include <sys/poll.h>
-+#include <poll.h>
- 
- #define ast_poll(a, b, c) poll(a, b, c)
- 
--- a/main/ast_expr2.c
-+++ b/main/ast_expr2.c
-@@ -93,6 +93,7 @@
- 
- #include "asterisk.h"
- 
-+#include <sys/cdefs.h>
- #include <sys/types.h>
- #include <stdio.h>
- 
--- a/main/ast_expr2.y
-+++ b/main/ast_expr2.y
-@@ -14,6 +14,7 @@
- 
- #include "asterisk.h"
- 
-+#include <sys/cdefs.h>
- #include <sys/types.h>
- #include <stdio.h>
- 
--- a/net/asterisk-13.x/patches/052-musl-libcap.patch
+++ b/net/asterisk-13.x/patches/052-musl-libcap.patch
@ -1,7 +1,7 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -181,6 +181,9 @@ case "${host_os}" in
-      linux-gnueabi* |  linux-gnuspe)
+@@ -180,6 +180,9 @@ case "${host_os}" in
+      linux-gnu*)
      OSARCH=linux-gnu
      ;;
 +     linux-musl*)
@ -10,7 +10,7 @@
      kfreebsd*-gnu)
      OSARCH=kfreebsd-gnu
      ;;
-@@ -1373,9 +1376,11 @@ if test "${PBX_BFD}" = "0"; then
+@@ -1423,9 +1426,11 @@ if test "${PBX_BFD}" = "0"; then
   AST_EXT_LIB_CHECK([BFD], [bfd], [bfd_check_format], [bfd.h], [-ldl -liberty -lz])
 fi
 
@ -26,12 +26,12 @@
 AST_C_DEFINE_CHECK([DAHDI], [DAHDI_DEFAULT_MTU_MRU], [dahdi/user.h], [220])
 --- a/main/Makefile
 +++ b/main/Makefile
-@@ -45,7 +45,7 @@ AST_LIBS+=$(UUID_LIB)
- AST_LIBS+=$(CRYPT_LIB)
- AST_LIBS+=$(AST_CLANG_BLOCKS_LIBS)
+@@ -47,7 +47,7 @@ AST_LIBS+=$(AST_CLANG_BLOCKS_LIBS)
+ AST_LIBS+=$(RT_LIB)
+ AST_LIBS+=$(SYSTEMD_LIB)
 
 -ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc kfreebsd-gnu),)
 +ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc linux-musl kfreebsd-gnu),)
-   ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
   AST_LIBS+=-ldl
-   endif
+   ifneq (x$(CAP_LIB),x)
+     AST_LIBS+=$(CAP_LIB)
--- a/net/asterisk-13.x/patches/060-AST-2018-008-13.diff
+++ b/net/asterisk-13.x/patches/060-AST-2018-008-13.diff
@ -0,0 +1,101 @@
+From 4eeb16d1a316aa3d6f5710a2f6beffb0fecb6121 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Mon, 30 Apr 2018 17:38:58 -0500
+Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
+
+When endpoint specific ACL rules block a SIP request they respond with a
+403 forbidden.  However, if an endpoint is not identified then a 401
+unauthorized response is sent.  This vulnerability just discloses which
+requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
+access to the disclosed endpoints.
+
+* Made endpoint specific ACL rules now respond with a 401 unauthorized
+which is the same as if an endpoint were not identified.  The fix is
+accomplished by replacing the found endpoint with the artificial endpoint
+which always fails authentication.
+
+ASTERISK-27818
+
+Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
+---
+
+diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
+index e056b60..19266df 100644
+--- a/res/res_pjsip/pjsip_distributor.c
+++ b/res/res_pjsip/pjsip_distributor.c
+@@ -666,6 +666,26 @@
+ 	ao2_unlock(unid);
+ }
+ 
+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+
+static void apply_acls(pjsip_rx_data *rdata)
+{
+	struct ast_sip_endpoint *endpoint;
+
+	/* Is the endpoint allowed with the source or contact address? */
+	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
+	if (endpoint != artificial_endpoint
+		&& (apply_endpoint_acl(rdata, endpoint)
+			|| apply_endpoint_contact_acl(rdata, endpoint))) {
+		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
+			ast_sorcery_object_get_id(endpoint));
+
+		/* Replace the rdata endpoint with the artificial endpoint. */
+		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
+	}
+}
+
+ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
+ {
+ 	struct ast_sip_endpoint *endpoint;
+@@ -684,6 +704,7 @@
+ 			ao2_unlink(unidentified_requests, unid);
+ 			ao2_ref(unid, -1);
+ 		}
+		apply_acls(rdata);
+ 		return PJ_FALSE;
+ 	}
+ 
+@@ -743,6 +764,8 @@
+ 			ast_sip_report_invalid_endpoint(name, rdata);
+ 		}
+ 	}
+
+	apply_acls(rdata);
+ 	return PJ_FALSE;
+ }
+ 
+@@ -826,16 +849,11 @@
+ 
+ 	ast_assert(endpoint != NULL);
+ 
+-	if (endpoint!=artificial_endpoint) {
+-		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
+-			if (!is_ack) {
+-				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+-			}
+-			return PJ_TRUE;
+-		}
+	if (is_ack) {
+		return PJ_FALSE;
+ 	}
+ 
+-	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
+	if (ast_sip_requires_authentication(endpoint, rdata)) {
+ 		pjsip_tx_data *tdata;
+ 		struct unidentified_request *unid;
+ 
+@@ -871,6 +889,10 @@
+ 			return PJ_TRUE;
+ 		}
+ 		pjsip_tx_data_dec_ref(tdata);
+	} else if (endpoint == artificial_endpoint) {
+		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
+		return PJ_TRUE;
+ 	}
+ 
+ 	return PJ_FALSE;
+
--- a/net/asterisk-13.x/patches/070-AST-2018-009-13.diff
+++ b/net/asterisk-13.x/patches/070-AST-2018-009-13.diff
@ -0,0 +1,89 @@
+From e6b0c4d27e0392a7b4b4b6717a6d1e0ea049b550 Mon Sep 17 00:00:00 2001
+From: Sean Bright <sean.bright@gmail.com>
+Date: Thu, 16 Aug 2018 11:45:53 -0400
+Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade
+ requests
+
+The HTTP request processing in res_http_websocket allocates additional
+space on the stack for various headers received during an Upgrade request.
+An attacker could send a specially crafted request that causes this code
+to overflow the stack, resulting in a crash.
+
+* No longer allocate memory from the stack in a loop to parse the header
+values.  NOTE: There is a slight API change when using the passed in
+strings as is.  We now require the passed in strings to no longer have
+leading or trailing whitespace.  This isn't a problem as the only callers
+have already done this before passing the strings to the affected
+function.
+
+ASTERISK-28013 #close
+
+Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
+---
+ res/res_http_websocket.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
+index 440bf41..0ff876b 100644
+--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
+@@ -736,7 +736,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
+ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
+ {
+ 	struct ast_variable *v;
+-	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
+	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
+	char *requested_protocols = NULL, *protocol = NULL;
+ 	int version = 0, flags = 1;
+ 	struct ast_websocket_protocol *protocol_handler = NULL;
+ 	struct ast_websocket *session;
+@@ -755,16 +756,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 	/* Get the minimum headers required to satisfy our needs */
+ 	for (v = headers; v; v = v->next) {
+ 		if (!strcasecmp(v->name, "Upgrade")) {
+-			upgrade = ast_strip(ast_strdupa(v->value));
+			upgrade = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
+-			key = ast_strip(ast_strdupa(v->value));
+			key = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
+-			key1 = ast_strip(ast_strdupa(v->value));
+			key1 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
+-			key2 = ast_strip(ast_strdupa(v->value));
+			key2 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
+-			requested_protocols = ast_strip(ast_strdupa(v->value));
+-			protos = ast_strdupa(requested_protocols);
+			protos = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
+ 			if (sscanf(v->value, "%30d", &version) != 1) {
+ 				version = 0;
+@@ -778,7 +778,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 			ast_sockaddr_stringify(&ser->remote_address));
+ 		ast_http_error(ser, 426, "Upgrade Required", NULL);
+ 		return 0;
+-	} else if (ast_strlen_zero(requested_protocols)) {
+	} else if (ast_strlen_zero(protos)) {
+ 		/* If there's only a single protocol registered, and the
+ 		 * client doesn't specify what protocol it's using, go ahead
+ 		 * and accept the connection */
+@@ -799,9 +799,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 		return 0;
+ 	}
+ 
+-	/* Iterate through the requested protocols trying to find one that we have a handler for */
+-	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
+-		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
+	if (!protocol_handler && protos) {
+		requested_protocols = ast_strdupa(protos);
+		/* Iterate through the requested protocols trying to find one that we have a handler for */
+		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
+			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
+		}
+ 	}
+ 
+ 	/* If no protocol handler exists bump this back to the requester */
+-- 
+2.7.4
+
--- a/net/asterisk-13.x/patches/080-AST-2019-003-13.diff
+++ b/net/asterisk-13.x/patches/080-AST-2019-003-13.diff
@ -0,0 +1,39 @@
+From 3ab9291a563656dfebcb7de67c86351541f3de1c Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 7c8928d..223ff3c 100644
+--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
+@@ -10911,7 +10911,13 @@
+ 			    ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ 	}
+ 
+-	if (portno != -1 || vportno != -1 || tportno != -1) {
+	/* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
+	 * video is not being transported, thus we continue in this function further up if that is
+	 * the case. If we receive an SDP answer containing both a UDPTL stream and another media
+	 * stream however we need to check again to ensure that there is at least one joint codec
+	 * instead of assuming there is one.
+	 */
+	if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ 		/* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ 		   they are acceptable */
+ 		unsigned int framing;
--- a/net/asterisk-13.x/patches/090-AST-2019-006-13.diff
+++ b/net/asterisk-13.x/patches/090-AST-2019-006-13.diff
@ -0,0 +1,73 @@
+From c2279540bade208dad35f7760ebd4a7cc94731fe Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Mon, 21 Oct 2019 14:55:06 -0500
+Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
+
+If the name of a peer is known and a SIP request is sent using that
+peer's name, the address of the peer will change even if the request
+fails the authentication challenge. This means that an endpoint can
+be altered and even rendered unusuable, even if it was in a working
+state previously. This can only occur when the nat option is set to the
+default, or auto_force_rport.
+
+This change checks the result of authentication first to ensure it is
+successful before setting the address and the nat option.
+
+ASTERISK-28589 #close
+
+Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index ea78d23..4a8d344 100644
+--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
+@@ -19103,18 +19103,6 @@
+ 		bogus_peer = NULL;
+ 	}
+ 
+-	/*  build_peer, called through sip_find_peer, is not able to check the
+-	 *  sip_pvt->natdetected flag in order to determine if the peer is behind
+-	 *  NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
+-	 *  are set on the peer.  So we check for that here and set the peer's
+-	 *  address accordingly.
+-	 */
+-	set_peer_nat(p, peer);
+-
+-	if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
+-		ast_sockaddr_copy(&peer->addr, &p->recv);
+-	}
+-
+ 	if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
+ 		ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
+ 		sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
+@@ -19183,6 +19171,21 @@
+ 		ast_string_field_set(p, peermd5secret, NULL);
+ 	}
+ 	if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
+
+		/* build_peer, called through sip_find_peer, is not able to check the
+		 * sip_pvt->natdetected flag in order to determine if the peer is behind
+		 * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
+		 * are set on the peer. So we check for that here and set the peer's
+		 * address accordingly. The address should ONLY be set once we are sure
+		 * authentication was a success. If, for example, an INVITE was sent that
+		 * matched the peer name but failed the authentication check, the address
+		 * would be updated, which is bad.
+		 */
+		set_peer_nat(p, peer);
+		if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
+			ast_sockaddr_copy(&peer->addr, &p->recv);
+		}
+
+ 		/* If we have a call limit, set flag */
+ 		if (peer->call_limit)
+ 			ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
+@@ -19282,6 +19285,7 @@
+ 		}
+ 	}
+ 	sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
+
+ 	return res;
+ }
+ 
--- a/net/asterisk-13.x/patches/100-AST-2019-007-13.diff
+++ b/net/asterisk-13.x/patches/100-AST-2019-007-13.diff
@ -0,0 +1,46 @@
+From 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Thu, 24 Oct 2019 11:41:23 -0600
+Subject: [PATCH] manager.c:  Prevent the Originate action from running the Originate app
+
+If an AMI user without the "system" authorization calls the
+Originate AMI command with the Originate application,
+the second Originate could run the "System" command.
+
+Action: Originate
+Channel: Local/1111
+Application: Originate
+Data: Local/2222,app,System,touch /tmp/owned
+
+If the "system" authorization isn't set, we now block the
+Originate app as well as the System, Exec, etc. apps.
+
+ASTERISK-28580
+Reported by: Eliel Sardañons
+
+Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
+---
+
+diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
+new file mode 100644
+index 0000000..f2d3133
+--- /dev/null
+++ b/doc/UPGRADE-staging/AMI-Originate.txt
+@@ -0,0 +1,5 @@
+Subject: AMI
+
+The AMI Originate action, which optionally takes a dialplan application as
+an argument, no longer accepts "Originate" as the application due to
+security concerns.
+diff --git a/main/manager.c b/main/manager.c
+index fc602bc..44e25b8 100644
+--- a/main/manager.c
+++ b/main/manager.c
+@@ -5708,6 +5708,7 @@
+ 				                                     EAGI(/bin/rm,-rf /)       */
+ 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+ 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
+ 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+ 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ 				)) {
--- a/net/asterisk-13.x/patches/110-AST-2019-008-13.diff
+++ b/net/asterisk-13.x/patches/110-AST-2019-008-13.diff
@ -0,0 +1,35 @@
+From c257794330db49f4079a7108d51da60696269b36 Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Fri, 08 Nov 2019 13:21:15 -0600
+Subject: [PATCH] res_pjsip_session.c: Check for port of zero on incoming SDP.
+
+If a re-invite comes in initiating T.38, but there is no c line in the
+SDP and the port is also 0, a crash can occur. A check is now done on
+the port to see if the steam is already declined, preventing the crash.
+The logic was moved to res_pjsip_session.c because it is handled in a
+similar manner in later versions of Asterisk.
+
+ASTERISK-28612
+Reported by: Salah Ahmed
+
+Change-Id: Ifc4a0d05b32c7f2156e77fc8435a6ecaa6abada0
+---
+
+diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
+index 81f36a7..12cf41d 100644
+--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
+@@ -235,6 +235,13 @@
+ 			continue;
+ 		}
+ 
+		/* If we have a port of 0, ignore this stream */
+		if (!sdp->media[i]->desc.port) {
+			ast_debug(1, "Declining incoming SDP media stream '%s' at position '%d'\n",
+				session_media->stream_type, i);
+			continue;
+		}
+
+ 		if (session_media->handler) {
+ 			handler = session_media->handler;
+ 			ast_debug(1, "Negotiating incoming SDP media stream '%s' using %s SDP handler\n",
--- a/net/asterisk-chan-dongle/Makefile
+++ b/net/asterisk-chan-dongle/Makefile
@ -0,0 +1,124 @@
+#
+# Copyright (C) 2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=asterisk-chan-dongle
+PKG_VERSION:=1.1-20170913
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://github.com/wdoekes/asterisk-chan-dongle.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=4ef5ad7eea7245a031101875be08b924aa1e151b
+PKG_SOURCE_PROTO:=git
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_FIXUP:=autoreconf
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYRIGHT.txt LICENSE.txt
+PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/asterisk-chan-dongle/Default
+  SUBMENU:=Telephony
+  SECTION:=net
+  CATEGORY:=Network
+  URL:=https://github.com/wdoekes/asterisk-chan-dongle
+  DEPENDS:=+USE_UCLIBC:libiconv-full +kmod-usb-acm +kmod-usb-serial +kmod-usb-serial-option +libusb-1.0 +usb-modeswitch
+  TITLE:=Huawei UMTS 3G dongle support
+endef
+
+define Package/asterisk11-chan-dongle
+$(call Package/asterisk-chan-dongle/Default)
+  DEPENDS+=asterisk11
+  VARIANT:=asterisk11
+endef
+
+define Package/asterisk13-chan-dongle
+$(call Package/asterisk-chan-dongle/Default)
+  DEPENDS+=asterisk13
+  VARIANT:=asterisk13
+endef
+
+define Package/description/Default
+ Asterisk channel driver for Huawei UMTS 3G dongle.
+endef
+
+Package/asterisk11-chan-dongle/description = $(Package/description/Default)
+Package/asterisk13-chan-dongle/description = $(Package/description/Default)
+
+ifeq ($(BUILD_VARIANT),asterisk11)
+  CHAN_DONGLE_AST_HEADERS:=$(STAGING_DIR)/usr/include/asterisk-11/include
+  CONFIGURE_ARGS+= \
+	  --with-astversion=11
+endif
+
+ifeq ($(BUILD_VARIANT),asterisk13)
+  CHAN_DONGLE_AST_HEADERS:=$(STAGING_DIR)/usr/include/asterisk-13/include
+  CONFIGURE_ARGS+= \
+	  --with-astversion=13
+endif
+
+CONFIGURE_ARGS+= \
+	--with-asterisk=$(CHAN_DONGLE_AST_HEADERS)
+
+TARGET_CFLAGS+= \
+	-I$(CHAN_DONGLE_AST_HEADERS)
+
+# musl and glibc include their own iconv, but uclibc does not
+ifneq ($(CONFIG_USE_UCLIBC),)
+TARGET_CPPFLAGS+= \
+	-I$(STAGING_DIR)/usr/lib/libiconv-full/include
+endif
+
+CHAN_DONGLE_EXTRA_CFLAGS:= \
+	-Wno-old-style-declaration \
+	-I$(PKG_BUILD_DIR) \
+	$(TARGET_CPPFLAGS) \
+	-D_GNU_SOURCE \
+	-DHAVE_CONFIG_H \
+	$(FPIC)
+
+MAKE_ARGS:= \
+	CC="$(TARGET_CC)" \
+	LD="$(TARGET_CC)" \
+	CFLAGS="$(TARGET_CFLAGS) $(CHAN_DONGLE_EXTRA_CFLAGS)" \
+	LDFLAGS="$(TARGET_LDFLAGS) $(if $(CONFIG_USE_UCLIBC),-L$(STAGING_DIR)/usr/lib/libiconv-full/lib -liconv)"
+
+# $CHAN_DONGLE_ICONV_INC used by 200-fix-iconv-detection.patch
+CONFIGURE_VARS += \
+	CHAN_DONGLE_ICONV_INC="$(TOOLCHAIN_DIR)/include $(STAGING_DIR)/usr/lib/libiconv-full/include" \
+	ac_cv_type_size_t=yes \
+	ac_cv_type_ssize_t=yes
+
+define Build/Compile
+	$(MAKE) $(PKG_JOBS) -C "$(PKG_BUILD_DIR)" $(MAKE_ARGS)
+endef
+
+define Package/conffiles/Default
+/etc/asterisk/dongle.conf
+endef
+
+Package/asterisk11-chan-dongle/conffiles = $(Package/conffiles/Default)
+Package/asterisk13-chan-dongle/conffiles = $(Package/conffiles/Default)
+
+define Package/Install/Default
+	$(INSTALL_DIR) $(1)/etc/asterisk
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/dongle.conf $(1)/etc/asterisk/
+	$(INSTALL_DIR) $(1)/usr/lib/asterisk/modules
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/chan_dongle.so $(1)/usr/lib/asterisk/modules/
+endef
+
+Package/asterisk11-chan-dongle/install = $(Package/Install/Default)
+Package/asterisk13-chan-dongle/install = $(Package/Install/Default)
+
+$(eval $(call BuildPackage,asterisk11-chan-dongle))
+$(eval $(call BuildPackage,asterisk13-chan-dongle))
--- a/net/asterisk-chan-dongle/patches/200-fix-iconv-detection.patch
+++ b/net/asterisk-chan-dongle/patches/200-fix-iconv-detection.patch
@ -0,0 +1,11 @@
+--- a/configure.ac
+++ b/configure.ac
+@@ -102,7 +102,7 @@ AC_DEFUN([AC_HEADER_FIND], [
+ )
+ 
+ AC_HEADER_FIND([asterisk.h], $with_asterisk)
+-AC_HEADER_FIND([iconv.h], /usr/include /usr/local/include /opt/local/include)
+AC_HEADER_FIND([iconv.h], ${CHAN_DONGLE_ICONV_INC})
+ 
+ AC_DEFINE([ICONV_CONST],[], [Define to const if you has iconv() const declaration of input buffer])
+ AC_MSG_CHECKING([for iconv use const inbuf])
--- a/net/asterisk-g72x/Makefile
+++ b/net/asterisk-g72x/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=asterisk-g72x
 PKG_VERSION:=1.3
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_SOURCE:=asterisk-g72x-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://asterisk.hosting.lv/src/
@ -23,6 +23,8 @@ PKG_LICENSE:=GPL-3.0
 PKG_LICENSE_FILES:=README.md
 PKG_MAINTAINER:=Alex Samorukov <samm@os2.kiev.ua>

+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
 include $(INCLUDE_DIR)/package.mk

 define Package/asterisk-g72x/Default
@ -53,36 +55,20 @@ endef
 Package/asterisk11-codec-g729/description = $(Package/description/Default)
 Package/asterisk13-codec-g729/description = $(Package/description/Default)

-ifeq ($(BUILD_VARIANT),asterisk11)
-  MAKE_ARGS:= \
-	CC="$(TARGET_CC)" \
-	LD="$(TARGET_LD)" \
-	CFLAGS="$(TARGET_CFLAGS) -DASTERISK_VERSION_NUM=110000 -DLOW_MEMORY -D_XOPEN_SOURCE=600 $(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/include/asterisk-11/include -DHAVE_CONFIG_H -I. -fPIC" \
-	LDFLAGS="$(TARGET_LDFLAGS)" \
-	DESTDIR="$(PKG_INSTALL_DIR)"
-
-  CONFIGURE_ARGS+=\
-	--with-asterisk-includes=$(STAGING_DIR)/usr/include/asterisk-11/include \
-	--with-asterisk100 \
+CONFIGURE_ARGS += \
 	--with-bcg729 \
-	--enable-shared \
-	$(MAKE_ARGS)
+	--enable-shared
+
+ifeq ($(BUILD_VARIANT),asterisk11)
+CONFIGURE_ARGS += \
+	--with-asterisk-includes=$(STAGING_DIR)/usr/include/asterisk-11/include \
+	--with-asterisk100
 endif

 ifeq ($(BUILD_VARIANT),asterisk13)
-  MAKE_ARGS:= \
-	CC="$(TARGET_CC)" \
-	LD="$(TARGET_LD)" \
-	CFLAGS="$(TARGET_CFLAGS) -DASTERISK_VERSION_NUM=130000 -DLOW_MEMORY -D_XOPEN_SOURCE=600 $(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/include/asterisk-13/include -DHAVE_CONFIG_H -I. -fPIC" \
-	LDFLAGS="$(TARGET_LDFLAGS)" \
-	DESTDIR="$(PKG_INSTALL_DIR)"
-
-  CONFIGURE_ARGS+=\
+CONFIGURE_ARGS += \
 	--with-asterisk-includes=$(STAGING_DIR)/usr/include/asterisk-13/include \
-	--with-asterisk130 \
-	--with-bcg729 \
-	--enable-shared \
-	$(MAKE_ARGS)
+	--with-asterisk130
 endif

 define Package/Install/Default
--- a/net/chan-sccp-b/Makefile
+++ b/net/chan-sccp-b/Makefile
@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=chan-sccp-b
 PKG_REV:=6647
 PKG_VERSION:=v4.2.3-r$(PKG_REV)
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://svn.code.sf.net/p/chan-sccp-b/code/branches/v4.2
@ -19,21 +19,39 @@ PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_VERSION:=$(PKG_REV)
 PKG_SOURCE_PROTO:=svn

-PKG_FIXUP:=autoreconf -fi
+PKG_FIXUP:=autoreconf

 PKG_LICENSE:=GPL-1.0
 PKG_LICENSE_FILES:=COPYING LICENSE
 PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>

+PKG_INSTALL:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_BUILD_DEPENDS:=libiconv
+
 include $(INCLUDE_DIR)/package.mk

+# musl and glibc include their own iconv, but uclibc does not
+ifneq ($(CONFIG_USE_UCLIBC),)
+TARGET_CPPFLAGS+= \
+	-I$(STAGING_DIR)/usr/lib/libiconv-full/include
+TARGET_LDFLAGS+= \
+	-L$(STAGING_DIR)/usr/lib/libiconv-full/lib -liconv
+endif
+
+CONFIGURE_ARGS += \
+	--enable-optimization=no \
+	--enable-debug=no
+
 define Package/chan-sccp-b/Default
  SUBMENU:=Telephony
  SECTION:=net
  CATEGORY:=Network
  TITLE:=SCCP channel provider support
  URL:=http://chan-sccp-b.sourceforge.net/
-  DEPENDS:= +libltdl
+  DEPENDS:=+USE_UCLIBC:libiconv-full +libltdl
 endef

 define Package/asterisk13-chan-sccp-b
@ -82,13 +100,6 @@ endef
 Package/asterisk11-chan-sccp-b/conffiles = $(Package/conffiles/Default)
 Package/asterisk13-chan-sccp-b/conffiles = $(Package/conffiles/Default)

-define Build/Compile
-	$(MAKE) -C "$(PKG_BUILD_DIR)" \
-		CFLAGS="$(CFLAGS) -I$(PKG_BUILD_DIR)/src -DLOW_MEMORY" \
-		DESTDIR="$(PKG_INSTALL_DIR)" \
-		all install
-endef
-
 define Package/Install/Default
 	$(INSTALL_DIR) $(1)/etc/asterisk
 	$(CP) ./files/sccp.conf $(1)/etc/asterisk/sccp.conf
--- a/net/chan-sccp-b/patches/01-prevent-extra-optimization.patch
+++ b/net/chan-sccp-b/patches/01-prevent-extra-optimization.patch
@ -0,0 +1,33 @@
+--- a/autoconf/extra.m4
+++ b/autoconf/extra.m4
+@@ -471,11 +471,6 @@ AC_DEFUN([CS_ENABLE_OPTIMIZATION], [
+ 
+ 	LIBBFD=""
+  	
+-	if test -n "${CPPFLAGS_saved}"; then
+-	 	CPPFLAGS_saved="${CPPFLAGS_saved} -U_FORTIFY_SOURCE"
+- 	else 
+- 		CPPFLAGS_saved="-U_FORTIFY_SOURCE"
+- 	fi
+  	LDFLAGS_saved="${LDFLAGS}"
+  	
+  	strip_binaries="no"
+@@ -486,18 +481,6 @@ AC_DEFUN([CS_ENABLE_OPTIMIZATION], [
+ 		])
+ 	   	CPPFLAGS_saved="${CPPFLAGS_saved} -D_FORTIFY_SOURCE=2"
+ 		GDB_FLAGS=""
+-	], [
+-	 	CFLAGS_saved="`echo ${CFLAGS_saved} |sed -e 's/\-O[0-9]\ \?//g' -e 's/[^|\ ]\-g[$|\ ]//g'`"
+-	 	dnl CFLAGS_saved="`echo ${CFLAGS_saved} |sed -e 's/\-O[0-9]\ \?//g'`"
+-		optimize_flag="-O0"
+-		case "${CC}" in
+-			*gcc*)
+-				AX_CHECK_COMPILE_FLAG(-Og, [
+-					optimize_flag="-Og"
+-				])
+-			;;
+-		esac
+-		CFLAGS_saved="${CFLAGS_saved} ${optimize_flag} "
+ 	])
+ 	
+ 	AS_IF([test "X${enable_debug}" == "Xyes"], [
--- a/net/kamailio-4.x/Makefile
+++ b/net/kamailio-4.x/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016 OpenWrt.org
+# Copyright (C) 2016 - 2018 OpenWrt.org
 # Copyright (C) 2013-2016 CESNET,z.s.p.o.
 #
 # This is free software, licensed under the GNU General Public License v2.
@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=kamailio4
-PKG_VERSION:=4.4.0
-PKG_RELEASE:=1
+PKG_VERSION:=4.4.7
+PKG_RELEASE:=3

-PKG_SOURCE_URL:=http://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/
+PKG_SOURCE_URL:=https://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/
 PKG_SOURCE:=kamailio-$(PKG_VERSION)$(PKG_VARIANT)_src.tar.gz
-PKG_MD5SUM:=e9fa206f67346a6b01c015d76ec2db9d
+PKG_MD5SUM:=76d5ce257da9ee89fd66b697cb674260
 PKG_USE_MIPS16:=0

 PKG_LICENSE:=GPL-2.0+
@ -137,7 +137,6 @@ $(eval $(call BuildKamailio4Module,db_text,Text database-backend,,,dbtext/kamail
 $(eval $(call BuildKamailio4Module,db_unixodbc,UnixODBC Database-backend,,+unixodbc))
 $(eval $(call BuildKamailio4Module,debugger,Interactive config file debugger,,))
 $(eval $(call BuildKamailio4Module,dialog,Dialog support,,+kamailio4-mod-rr +kamailio4-mod-tm))
-$(eval $(call BuildKamailio4Module,dialog_ng,Dialog support,,+kamailio4-mod-rr +kamailio4-mod-tm))
 $(eval $(call BuildKamailio4Module,dialplan,Dialplan management,,))
 $(eval $(call BuildKamailio4Module,dispatcher,Dispatcher,,))
 $(eval $(call BuildKamailio4Module,diversion,Diversion header insertion,,))
--- a/net/kamailio-4.x/patches/050-fix-kamailio-utils.patch
+++ b/net/kamailio-4.x/patches/050-fix-kamailio-utils.patch
@ -8,7 +8,7 @@
 #
 --- a/utils/kamctl/kamctlrc
 +++ b/utils/kamctl/kamctlrc
-@@ -147,3 +147,6 @@
+@@ -148,3 +148,6 @@
 ## Extra start options - default is: not set
 # example: start Kamailio with 64MB share memory: STARTOPTIONS="-m 64"
 # STARTOPTIONS=
@ -25,7 +25,7 @@
 #
 --- a/utils/kamctl/kamdbctl.base
 +++ b/utils/kamctl/kamdbctl.base
-@@ -33,18 +33,18 @@ INSTALL_DBUID_TABLES=${INSTALL_DBUID_TAB
+@@ -33,19 +33,19 @@ INSTALL_DBUID_TABLES=${INSTALL_DBUID_TAB
 
 # Used by dbtext and db_berkeley to define tables to be created, used by
 # postgres to do the grants
@ -41,10 +41,12 @@
 -EXTRA_TABLES=${EXTRA_TABLES:-imc_members imc_rooms cpl sip_trace domainpolicy
 -		carrierroute carrier_name domain_name carrierfailureroute userblacklist
 -		globalblacklist htable purplemap uacreg pl_pipes mtree mtrees
+-		sca_subscriptions mohqcalls mohqueues rtpproxy dr_gateways dr_rules
 +EXTRA_TABLES=${EXTRA_TABLES:-imc_members imc_rooms cpl sip_trace domainpolicy \
 +		carrierroute carrier_name domain_name carrierfailureroute userblacklist \
 +		globalblacklist htable purplemap uacreg pl_pipes mtree mtrees \
- 		sca_subscriptions mohqcalls mohqueues rtpproxy}
+		sca_subscriptions mohqcalls mohqueues rtpproxy dr_gateways dr_rules \
+ 		dr_gw_lists}
 -PRESENCE_TABLES=${PRESENCE_TABLES:-presentity active_watchers watchers xcap
 +PRESENCE_TABLES=${PRESENCE_TABLES:-presentity active_watchers watchers xcap \
 		pua rls_presentity rls_watchers}
@ -53,7 +55,7 @@
 		uid_global_attrs uid_uri uid_uri_attrs uid_user_attrs}
 
 # SQL definitions
-@@ -68,17 +68,17 @@ GREP=${GREP:-grep}
+@@ -69,17 +69,17 @@ GREP=${GREP:-grep}
 SED=${SED:-sed}
 
 # define what modules should be installed
@ -66,9 +68,9 @@
 PRESENCE_MODULES=${PRESENCE_MODULES:-presence rls}
 
 -EXTRA_MODULES=${EXTRA_MODULES:-imc cpl siptrace domainpolicy carrierroute
-		userblacklist htable purple uac pipelimit mtree sca mohqueue
+-		drouting userblacklist htable purple uac pipelimit mtree sca mohqueue
 +EXTRA_MODULES=${EXTRA_MODULES:-imc cpl siptrace domainpolicy carrierroute \
-+		userblacklist htable purple uac pipelimit mtree sca mohqueue \
+		drouting userblacklist htable purple uac pipelimit mtree sca mohqueue \
 		rtpproxy}
 
 -DBUID_MODULES=${UID_MODULES:-uid_auth_db uid_avp_db uid_domain uid_gflags
--- a/net/kamailio-4.x/patches/110-include-sys-time-h-in-ld_session-h.patch
+++ b/net/kamailio-4.x/patches/110-include-sys-time-h-in-ld_session-h.patch
@ -1,10 +0,0 @@
--- a/modules/ldap/ld_session.h
-+++ b/modules/ldap/ld_session.h
-@@ -28,6 +28,7 @@
- #ifndef LD_SESSION_H
- #define LD_SESSION_H
- 
-+#include <sys/time.h>
- #include <ldap.h>
- 
- #include "iniparser.h"
--- a/net/kamailio-4.x/patches/130-CVE-2018-14767.patch
+++ b/net/kamailio-4.x/patches/130-CVE-2018-14767.patch
@ -0,0 +1,28 @@
+commit 281a6c6b6eaaf30058b603325e8ded20b99e1456
+Author: Henning Westerholt <hw@kamailio.org>
+Date:   Mon May 7 09:36:53 2018 +0200
+
+    core: improve to header check guards, str consists of length and pointer
+
+diff --git a/src/core/msg_translator.c b/src/core/msg_translator.c
+index 22122768a..4dd648e87 100644
+--- a/msg_translator.c
+++ b/msg_translator.c
+@@ -2369,7 +2369,7 @@ char * build_res_buf_from_sip_req( unsigned int code, str *text ,str *new_tag,
+ 			case HDR_TO_T:
+ 				if (new_tag && new_tag->len) {
+ 					to_tag=get_to(msg)->tag_value;
+-					if ( to_tag.len || to_tag.s )
+					if ( to_tag.len && to_tag.s )
+ 						len+=new_tag->len-to_tag.len;
+ 					else
+ 						len+=new_tag->len+TOTAG_TOKEN_LEN/*";tag="*/;
+@@ -2497,7 +2497,7 @@ char * build_res_buf_from_sip_req( unsigned int code, str *text ,str *new_tag,
+ 				break;
+ 			case HDR_TO_T:
+ 				if (new_tag && new_tag->len){
+-					if (to_tag.s ) { /* replacement */
+					if (to_tag.len && to_tag.s) { /* replacement */
+ 						/* before to-tag */
+ 						append_str( p, hdr->name.s, to_tag.s-hdr->name.s);
+ 						/* to tag replacement */
--- a/net/kamailio-4.x/patches/131-CVE-2018-16657.patch
+++ b/net/kamailio-4.x/patches/131-CVE-2018-16657.patch
@ -0,0 +1,46 @@
+commit d67b2f9874ca23bd69f18df71b8f53b1b6151f6d
+Author: Henning Westerholt <hw@kamailio.org>
+Date:   Sun Jun 3 20:59:32 2018 +0200
+
+    core: improve header safe guards for Via handling
+    
+    (cherry picked from commit ad68e402ece8089f133c10de6ce319f9e28c0692)
+
+diff --git a/crc.c b/crc.c
+index 462846324..23b2876ec 100644
+--- a/crc.c
+++ b/crc.c
+@@ -231,6 +231,8 @@ void crcitt_string_array( char *dst, str src[], int size )
+ 	ccitt = 0xFFFF;
+ 	str_len=CRC16_LEN;
+ 	for (i=0; i<size; i++ ) {
+		/* invalid str with positive length and null char pointer */
+		if( unlikely(src[i].s==NULL)) break;
+ 		c=src[i].s;
+ 		len=src[i].len;
+ 		while(len) {
+diff --git a/msg_translator.c b/msg_translator.c
+index 201e3a5e1..58978f958 100644
+--- a/msg_translator.c
+++ b/msg_translator.c
+@@ -168,12 +168,17 @@ static int check_via_address(struct ip_addr* ip, str *name,
+ 						(name->s[name->len-1]==']')&&
+ 						(strncasecmp(name->s+1, s, len)==0))
+ 				)
+-		   )
+		   ) {
+ 			return 0;
+-		else
+-
+		}
+		else {
+			if (unlikely(name->s==NULL)) {
+				LM_CRIT("invalid Via host name\n");
+				return -1;
+			}
+ 			if (strncmp(name->s, s, name->len)==0)
+ 				return 0;
+		}
+ 	}else{
+ 		LM_CRIT("could not convert ip address\n");
+ 		return -1;
--- a/net/siproxd/Makefile
+++ b/net/siproxd/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-2015 OpenWrt.org
+# Copyright (C) 2014-2018 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=siproxd
-PKG_VERSION:=0.8.1
-PKG_RELEASE:=5
+PKG_VERSION:=0.8.2
+PKG_RELEASE:=3

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/siproxd
-PKG_MD5SUM:=1a6f9d13aeb2d650375c9a346ac6cbaf
+PKG_HASH:=526ce491b0cc189e2766c62432aff3ebb995e551d7261ea32c02a90c7bf7ccd0

 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
@ -48,11 +48,11 @@ endef

 CONFIGURE_ARGS+= \
 	--with-libosip-prefix="$(STAGING_DIR)/usr" \
+	--disable-ltdl-convenience \
 	--disable-doc

 MAKE_FLAGS+= \
-	SUBDIRS="src scripts contrib" \
-	LIBLTDL="$(STAGING_DIR)/usr/lib/libltdl.la" \
+	SUBDIRS="src scripts contrib"

 define Package/siproxd/install
 	$(INSTALL_DIR) $(1)/usr/sbin
@ -72,18 +72,23 @@ define BuildPlugin

  define Package/siproxd-mod-$(1)/install
 	$(INSTALL_DIR) $$(1)/usr/lib/siproxd
-	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/siproxd/plugin_$(1)*.so* $$(1)/usr/lib/siproxd
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/siproxd/plugin_$(1).so $$(1)/usr/lib/siproxd
  endef

  $$(eval $$(call BuildPackage,siproxd-mod-$(1)))
 endef

 $(eval $(call BuildPackage,siproxd))
+$(eval $(call BuildPlugin,codecfilter))
 $(eval $(call BuildPlugin,defaulttarget))
 $(eval $(call BuildPlugin,demo))
 $(eval $(call BuildPlugin,fix_bogus_via))
+$(eval $(call BuildPlugin,fix_DTAG))
+$(eval $(call BuildPlugin,fix_fbox_anoncall))
 $(eval $(call BuildPlugin,logcall))
 $(eval $(call BuildPlugin,prefix))
 $(eval $(call BuildPlugin,regex))
 $(eval $(call BuildPlugin,shortdial))
+$(eval $(call BuildPlugin,stripheader))
 $(eval $(call BuildPlugin,stun))
+$(eval $(call BuildPlugin,siptrunk))
--- a/net/siproxd/files/siproxd.config
+++ b/net/siproxd/files/siproxd.config
@ -1,3 +1,25 @@
 config siproxd general
-	option if_inbound	lan
-	option if_outbound	wan
+	# Custom options allow using OpenWRT network names, and defaults should
+	# work out-of-the-box. If your SIP devices do not REGISTER externally,
+	# you may also need to open firewall ports: tcp/udp 5060, udp 7070-7089.
+	option interface_inbound lan
+	option interface_outbound wan
+
+# All other documented siproxd configuration directives are supported. Use
+# a UCI 'option' for single-instance directives, and UCI 'list' entries for
+# directives that allow multiple instances, per the examples below.
+
+	# Define low-level network devices, overriding interface_in/outbound:
+#	option if_inbound eth0
+#	option if_outbound ppp0
+
+	# Enable DEBUG logging for configuration messages:
+#	option debug_level 0x00000100
+#	option silence_log 0
+
+	# Load two plugins: one that logs SIP call details to syslog, and one
+	# that strips out G.729, GSM codecs:
+#	list load_plugin 'plugin_logcall.so'
+#	list load_plugin 'plugin_codecfilter.so'
+#	list plugin_codecfilter_blacklist G729
+#	list plugin_codecfilter_blacklist GSM
--- a/net/siproxd/files/siproxd.init
+++ b/net/siproxd/files/siproxd.init
@ -4,232 +4,167 @@

 START=50

-SERVICE_USE_PID=1
+USE_PROCD=1

-siproxd_bin="/usr/sbin/siproxd"
-siproxd_conf_dir="/var/etc"
-siproxd_conf_prefix="$siproxd_conf_dir/siproxd-"
-siproxd_registration_dir="/var/lib/siproxd"
-siproxd_pid_dir="/var/run/siproxd"
+PROG="/usr/sbin/siproxd"
+CONF_DIR="/var/etc/siproxd"
+REG_DIR="/var/lib/siproxd"
+PID_DIR="/var/run/siproxd"
+PLUGIN_DIR="/usr/lib/siproxd/"
+UID="nobody"
+GID="nogroup"

-deal_with_lists () {
-	echo "$2" = "$1" >> "$siproxd_conf_prefix$cfg"
+# Some options need special handling or conflict with procd/jail setup.
+append CONF_SKIP "interface_inbound interface_outbound chrootjail"
+append CONF_SKIP "daemonize user plugindir registration_file pid_file"
+
+
+# Check if a UCI option is set, or else apply a provided default.
+
+default_conf() {
+	local opt="$1"
+	local default="$2"
+	local val
+
+	config_get "$opt" "$sec" "$opt"
+	eval "val=\"\${$opt}\""
+
+	[ -z "$val" ] || return 0
+	[ -n "$default" ] || return 0
+	config_set "$sec" "$opt" "$default"
+	append_conf "$opt" = "$default"
 }

-start_instance() {
-	local cfg="$1"
-
-	config_get if_inbound "$cfg" if_inbound
-	config_get if_outbound "$cfg" if_outbound
-	config_get host_outbound "$cfg" host_outbound
-	config_get hosts_allow_reg "$cfg" hosts_allow_reg
-	config_get hosts_allow_sip "$cfg" hosts_allow_sip
-	config_get hosts_deny_sip "$cfg" hosts_deny_sip
-	config_get sip_listen_port "$cfg" sip_listen_port 5060
-	config_get_bool daemonize "$cfg" daemonize 1
-	config_get silence_log "$cfg" silence_log 4
-	config_get user "$cfg" user nobody
-	config_get chrootjail "$cfg" chrootjail
-	config_get registration_file "$cfg" registration_file "$siproxd_registration_dir/siproxd_registrations-$cfg"
-	config_get autosave_registrations "$cfg" autosave_registrations 300
-	config_get pid_file "$cfg" pid_file "$siproxd_pid_dir/siproxd-$cfg.pid"
-	config_get_bool rtp_proxy_enable "$cfg" rtp_proxy_enable 1
-	config_get rtp_port_low "$cfg" rtp_port_low 7070
-	config_get rtp_port_high "$cfg" rtp_port_high 7089
-	config_get rtp_timeout "$cfg" rtp_timeout 300
-	config_get rtp_dscp "$cfg" rtp_dscp 46
-	config_get sip_dscp "$cfg" sip_dscp 0
-	config_get rtp_input_dejitter "$cfg" rtp_input_dejitter 0
-	config_get rtp_output_dejitter "$cfg" rtp_output_dejitter 0
-	config_get tcp_timeout "$cfg" tcp_timeout 600
-	config_get tcp_connect_timeout "$cfg" tcp_connect_timeout 500
-	config_get tcp_keepalive "$cfg" tcp_keepalive 20
-	config_get default_expires "$cfg" default_expires 600
-	config_get proxy_auth_realm "$cfg" proxy_auth_realm
-	config_get proxy_auth_passwd "$cfg" proxy_auth_passwd
-	config_get proxy_auth_pwfile "$cfg" proxy_auth_pwfile
-	config_get debug_level "$cfg" debug_level 0x00000000
-	config_get debug_port "$cfg" debug_port 0
-	config_get mask_host "$cfg" mask_host
-	config_get masked_host "$cfg" masked_host
-	config_get ua_string "$cfg" ua_string Siproxd-UA
-	config_get use_rport "$cfg" use_rport 0
-	config_get outbound_proxy_host "$cfg" outbound_proxy_host
-	config_get outbound_proxy_port "$cfg" outbound_proxy_port
-	config_get outbound_domain_name "$cfg" outbound_domain_name
-	config_get outbound_domain_host "$cfg" outbound_domain_host
-	config_get outbound_domain_port "$cfg" outbound_domain_port
-
-	if [ -f "$siproxd_conf_prefix$cfg" ]; then
-		rm "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$if_inbound" ]; then
-		echo if_inbound = "$if_inbound" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$if_outbound" ]; then
-		echo if_outbound = "$if_outbound" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$host_outbound" ]; then
-		echo host_outbound = "$host_outbound" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$hosts_allow_reg" ]; then
-		echo hosts_allow_reg = "$hosts_allow_reg" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$hosts_allow_sip" ]; then
-		echo hosts_allow_sip = "$hosts_allow_sip" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$hosts_deny_sip" ]; then
-		echo hosts_deny_sip = "$hosts_deny_sip" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo sip_listen_port = "$sip_listen_port" >> "$siproxd_conf_prefix$cfg"
-	echo daemonize = "$daemonize" >> "$siproxd_conf_prefix$cfg"
-	echo silence_log = "$silence_log" >> "$siproxd_conf_prefix$cfg"
-	echo user = "$user" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$chrootjail" ]; then
-		if [ ! -d "$chrootjail" ]; then
-			mkdir -p "$chrootjail"
-			chmod 0755 "$chrootjail"
-		fi
-		echo chrootjail = "$chrootjail" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo registration_file = "$registration_file" >> "$siproxd_conf_prefix$cfg"
-	echo autosave_registrations = "$autosave_registrations" >> "$siproxd_conf_prefix$cfg"
-
-	echo pid_file = "$pid_file" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_proxy_enable = "$rtp_proxy_enable" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_port_low = "$rtp_port_low" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_port_high = "$rtp_port_high" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_timeout = "$rtp_timeout" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_dscp = "$rtp_dscp" >> "$siproxd_conf_prefix$cfg"
-	echo sip_dscp = "$sip_dscp" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_input_dejitter = "$rtp_input_dejitter" >> "$siproxd_conf_prefix$cfg"
-	echo rtp_output_dejitter = "$rtp_output_dejitter" >> "$siproxd_conf_prefix$cfg"
-	echo tcp_timeout = "$tcp_timeout" >> "$siproxd_conf_prefix$cfg"
-	echo tcp_connect_timeout = "$tcp_connect_timeout" >> "$siproxd_conf_prefix$cfg"
-	echo tcp_keepalive = "$tcp_keepalive" >> "$siproxd_conf_prefix$cfg"
-	echo default_expires = "$default_expires" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$proxy_auth_realm" ]; then
-		echo proxy_auth_realm = "$proxy_auth_realm" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$proxy_auth_passwd" ]; then
-		echo proxy_auth_passwd = "$proxy_auth_passwd" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$proxy_auth_pwfile" ]; then
-		echo proxy_auth_pwfile = "$proxy_auth_pwfile" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo debug_level = "$debug_level" >> "$siproxd_conf_prefix$cfg"
-	echo debug_port = "$debug_port" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$mask_host" ]; then
-		echo mask_host = "$mask_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$masked_host" ]; then
-		echo masked_host = "$masked_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	echo ua_string = "$ua_string" >> "$siproxd_conf_prefix$cfg"
-	echo use_rport = "$use_rport" >> "$siproxd_conf_prefix$cfg"
-	if [ -n "$outbound_proxy_host" ]; then
-		echo outbound_proxy_host = "$outbound_proxy_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_proxy_port" ]; then
-		echo outbound_proxy_port = "$outbound_proxy_port" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_domain_name" ]; then
-		echo outbound_domain_name = "$outbound_domain_name" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_domain_host" ]; then
-		echo outbound_domain_host = "$outbound_domain_host" >> "$siproxd_conf_prefix$cfg"
-	fi
-	if [ -n "$outbound_domain_port" ]; then
-		echo outbound_domain_port = "$outbound_domain_port" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# handle plugins
-	config_get plugindir "$cfg" plugindir "/usr/lib/siproxd/"
-	echo plugindir = "$plugindir" >> "$siproxd_conf_prefix$cfg"
-
-	config_list_foreach "$cfg" 'load_plugin' deal_with_lists "load_plugin"
-
-	# plugin_demo.so
-	config_get plugin_demo_string "$cfg" plugin_demo_string
-	if [ -n "$plugin_demo_string" ]; then
-		echo plugin_demo_string = "$plugin_demo_string" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_shortdial.so
-	config_get plugin_shortdial_akey "$cfg" plugin_shortdial_akey
-	if [ -n "$plugin_shortdial_akey" ]; then
-		echo plugin_shortdial_akey = "$plugin_shortdial_akey" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_list_foreach "$cfg" 'plugin_shortdial_entry' deal_with_lists "plugin_shortdial_entry"
-
-	# plugin_defaulttarget.so
-	config_get_bool plugin_defaulttarget_log "$cfg" plugin_defaulttarget_log
-	if [ -n "$plugin_defaulttarget_log" ]; then
-		echo plugin_defaulttarget_log = "$plugin_defaulttarget_log" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_get plugin_defaulttarget_target "$cfg" plugin_defaulttarget_target
-	if [ -n "$plugin_defaulttarget_target" ]; then
-		echo plugin_defaulttarget_target = "$plugin_defaulttarget_target" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_fix_bogus_via.so
-	config_get plugin_fix_bogus_via_networks "$cfg" plugin_fix_bogus_via_networks
-	if [ -n "$plugin_fix_bogus_via_networks" ]; then
-		echo plugin_fix_bogus_via_networks = "$plugin_fix_bogus_via_networks" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_stun.so
-	config_get plugin_stun_server "$cfg" plugin_stun_server
-	if [ -n "$plugin_stun_server" ]; then
-		echo plugin_stun_server = "$plugin_stun_server" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_get plugin_stun_port "$cfg" plugin_stun_port
-	if [ -n "$plugin_stun_port" ]; then
-		echo plugin_stun_port = "$plugin_stun_port" >> "$siproxd_conf_prefix$cfg"
-	fi
-	config_get plugin_stun_period "$cfg" plugin_stun_period
-	if [ -n "$plugin_stun_period" ]; then
-		echo plugin_stun_period = "$plugin_stun_period" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_prefix.so
-	config_get plugin_prefix_akey "$cfg" plugin_prefix_akey
-	if [ -n "$plugin_prefix_akey" ]; then
-		echo plugin_prefix_akey = "$plugin_prefix_akey" >> "$siproxd_conf_prefix$cfg"
-	fi
-
-	# plugin_regex.so
-	config_list_foreach "$cfg" 'plugin_regex_desc' deal_with_lists "plugin_regex_desc"
-	config_list_foreach "$cfg" 'plugin_regex_pattern' deal_with_lists "plugin_regex_pattern"
-	config_list_foreach "$cfg" 'plugin_regex_replace' deal_with_lists "plugin_regex_replace"
-
-	SERVICE_PID_FILE="$pid_file" \
-	service_start $siproxd_bin --config "$siproxd_conf_prefix$cfg"
+append_conf() {
+	echo $* >> "$CONF_DIR/siproxd-$sec.conf"
 }

-stop_instance() {
-	local cfg="$1"
+# Use user-friendly network names (e.g. "wan", "lan") from options
+# 'interface_inbound' and 'interface_outbound', but use standard siproxd
+# parameters 'if_inbound' and 'if_outbound' if explicitly set.

-	config_get pid_file "$cfg" pid_file "$siproxd_pid_dir/siproxd-$cfg.pid"
+setup_networks() {
+	local sec="$1"
+	local _int_inbound _int_outbound
+	local _dev_inbound _dev_outbound

-	SERVICE_PID_FILE="$pid_file" \
-	service_stop $siproxd_bin
+	config_get _int_inbound "$sec" interface_inbound
+	config_get _int_outbound "$sec" interface_outbound
+
+	. /lib/functions/network.sh
+	network_get_physdev _dev_inbound $_int_inbound
+	network_get_physdev _dev_outbound $_int_outbound
+
+	default_conf if_inbound $_dev_inbound
+	default_conf if_outbound $_dev_outbound
 }

-start() {
-	mkdir -m 0755 -p "$siproxd_conf_dir"
-	mkdir -m 0755 -p "$siproxd_registration_dir"
-	[ -d "$siproxd_pid_dir" ] || {
-		mkdir -m 0755 -p "$siproxd_pid_dir"
-		chmod 0750 "$siproxd_pid_dir"
-		chown nobody:nogroup "$siproxd_pid_dir"
+# Apply default values to key options if unset in user's UCI config.
+
+apply_defaults() {
+	local sec="$1"
+
+	default_conf sip_listen_port 5060
+	default_conf autosave_registrations 300
+	default_conf rtp_port_low 7070
+	default_conf rtp_port_high 7089
+	default_conf rtp_timeout 300
+	default_conf rtp_dscp 46
+	default_conf tcp_timeout 600
+	default_conf tcp_keepalive 20
+	default_conf default_expires 600
+	default_conf daemonize 0
+	default_conf user "$UID"
+	default_conf registration_file "$REG_DIR/siproxd-$sec.reg"
+	default_conf plugindir "$PLUGIN_DIR"
+}
+
+# Handle activities at start of a new 'siproxd' section.
+# Initialize section processing and save section name.
+
+section_start() {
+	local sec="$1"
+
+	rm -f "$CONF_DIR/siproxd-$sec.conf"
+	append_conf "# config auto-generated from /etc/config/siproxd"
+}
+
+# Handle activities at close of a 'siproxd' section.
+# Parse OpenWRT interface names (e.g. "wan"), apply defaults and
+# set up procd jail.
+
+section_end() {
+	local sec="$1"
+
+	local conf_file="$CONF_DIR/siproxd-$sec.conf"
+	local pid_file="$PID_DIR/siproxd-$sec.pid"
+	local reg_file plugin_dir
+
+	setup_networks "$sec"
+	apply_defaults "$sec"
+
+	config_get plugin_dir "$sec" plugindir
+	config_get reg_file "$sec" registration_file
+
+	procd_open_instance "$sec"
+	procd_set_param command "$PROG" --config "$conf_file"
+	procd_set_param pidfile "$pid_file"
+	procd_set_param respawn
+	procd_add_jail siproxd log
+	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /dev/null
+	procd_add_jail_mount "$conf_file"
+	[ -d "$plugin_dir" ] && procd_add_jail_mount "$plugin_dir"
+	# Ensure registration file exists for jail
+	[ -f "$reg_file" ] || touch "$reg_file"
+	chown "$UID:$GID" "$reg_file"
+	procd_add_jail_mount_rw "$reg_file"
+	procd_close_instance
+}
+
+# Setup callbacks for parsing siproxd sections, options, and lists.
+# This avoids hardcoding all supported siproxd configuration parameters.
+
+siproxd_cb() {
+	config_cb() {
+		# Section change: close any previous section.
+		[ -n "$cur_sec" ] && section_end "$cur_sec"
+
+		case "$1" in
+			# New 'siproxd' section: begin processing.
+			"siproxd")
+				cur_sec="$2"
+				section_start "$cur_sec"
+			;;
+			# Config end or unknown section: ignore.
+			*)
+				cur_sec=""
+			;;
+		esac
 	}

-	config_load 'siproxd'
-	config_foreach start_instance 'siproxd'
+	option_cb() {
+		local sec="$cur_sec"
+
+		[ -z "$sec" ] && return
+		list_contains CONF_SKIP "$1" && return
+		[ -n "$2" ] && append_conf "$1" = "$2"
+	}
+
+	list_cb() {
+		option_cb "$@"
+	}
 }

-stop() {
-	config_load 'siproxd'
-	config_foreach stop_instance 'siproxd'
+service_triggers()
+{
+	procd_add_reload_trigger "siproxd"
+}
+
+start_service() {
+	mkdir -p "$CONF_DIR" "$REG_DIR" "$PID_DIR"
+	chmod 755 "$CONF_DIR" "$REG_DIR" "$PID_DIR"
+	chown "$UID:$GID" "$REG_DIR"
+
+	siproxd_cb
+	config_load 'siproxd'
 }
--- a/net/siproxd/patches/010-fix-bogus-libltdl-dependency.patch
+++ b/net/siproxd/patches/010-fix-bogus-libltdl-dependency.patch
@ -1,26 +0,0 @@
--- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -77,8 +77,8 @@ plugin_regex_la_LDFLAGS = -module -avoid
- #  else Cygwin goes beserk when building...)
- #
- sbin_PROGRAMS = siproxd
-siproxd_LDFLAGS=-export-dynamic
-siproxd_LDADD = $(LIBLTDL) $(DLOPENPLUGINS)
-+siproxd_LDFLAGS=-export-dynamic -lltdl
-+siproxd_LDADD = $(DLOPENPLUGINS)
- siproxd_SOURCES = siproxd.c proxy.c register.c sock.c utils.c \
- 		  sip_utils.c sip_layer.c log.c readconf.c rtpproxy.c \
- 		  rtpproxy_relay.c accessctl.c route_processing.c \
--- a/src/Makefile.in
-+++ b/src/Makefile.in
-@@ -326,8 +326,8 @@ plugin_prefix_la_LDFLAGS = -module -avoi
- #
- plugin_regex_la_SOURCES = plugin_regex.c
- plugin_regex_la_LDFLAGS = -module -avoid-version -shrext '.so'
-siproxd_LDFLAGS = -export-dynamic
-siproxd_LDADD = $(LIBLTDL) $(DLOPENPLUGINS)
-+siproxd_LDFLAGS = -export-dynamic -lltdl
-+siproxd_LDADD = $(DLOPENPLUGINS)
- siproxd_SOURCES = siproxd.c proxy.c register.c sock.c utils.c \
- 		  sip_utils.c sip_layer.c log.c readconf.c rtpproxy.c \
- 		  rtpproxy_relay.c accessctl.c route_processing.c \
--- a/net/siproxd/patches/010-syslog-msg.patch
+++ b/net/siproxd/patches/010-syslog-msg.patch
@ -0,0 +1,20 @@
+--- a/src/log.c
+++ b/src/log.c
+@@ -77,7 +77,7 @@
+ static pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
+ 
+ void log_init(void) {
+-   openlog(NULL,LOG_NDELAY|LOG_PID,LOG_DAEMON);
+   openlog("siproxd",LOG_NDELAY|LOG_PID,LOG_DAEMON);
+ }
+ 
+ void log_end(void) {
+@@ -257,7 +257,7 @@
+    va_copy(ap_copy, ap);
+    vsnprintf(outbuf, sizeof(outbuf), format, ap_copy);
+    va_end(ap_copy);
+-   syslog(LOG_USER|level, "%s:%i %s%s", file, line, label, outbuf);
+   syslog(LOG_DAEMON|level, "%s:%i %s%s", file, line, label, outbuf);
+    return;
+ }
+ 
--- a/net/siproxd/patches/011-include-sys-time.patch
+++ b/net/siproxd/patches/011-include-sys-time.patch
@ -1,10 +0,0 @@
--- siproxd-0.8.1/src/dejitter.c
-+++ siproxd-0.8.1/src/dejitter.c
-@@ -24,6 +24,7 @@
- 
- #include <sys/types.h>
- #include <sys/socket.h>
-+#include <sys/time.h>
- #include <netinet/in.h>
- 
- #include <osipparser2/osip_parser.h>
--- a/net/siproxd/patches/100-musl-compat.patch
+++ b/net/siproxd/patches/100-musl-compat.patch
@ -1,31 +1,13 @@
 --- a/src/resolve.c
 +++ b/src/resolve.c
-@@ -30,6 +30,7 @@
+@@ -28,8 +28,10 @@
+ #include <arpa/nameser_compat.h>
+ #endif
 
+#include <stdio.h>
 #include <resolv.h>
 #include <string.h>
 +#include <sys/types.h>
 
 #include "log.h"
 
--- a/src/dejitter.c
-+++ b/src/dejitter.c
-@@ -21,6 +21,7 @@
- #include "config.h"
- 
- #include <errno.h>
-+#include <string.h>
- 
- #include <sys/types.h>
- #include <sys/socket.h>
--- a/src/plugins.c
-+++ b/src/plugins.c
-@@ -20,6 +20,8 @@
- 
- #include "config.h"
- 
-+#include <string.h>
-+
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>