Merge pull request #588 from micmac1/18.06AST

[18.06] asterisk-13.x: fix AST-2020-001 and 002

net/asterisk-13.x/Makefile

@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk13
 PKG_VERSION:=13.20.0
-PKG_RELEASE:=1
+PKG_RELEASE:=6
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
@@ -551,8 +551,7 @@ CONFIGURE_ARGS+= \
 	--without-tinfo \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-format-ogg-vorbis),--with-vorbis="$(STAGING_DIR)/usr",--without-vorbis) \
 	--without-vpb \
-	--with-z="$(STAGING_DIR)/usr" \
-	--with-sounds-cache="$(DL_DIR)"
+	--with-z="$(STAGING_DIR)/usr"
 
 ifeq ($(CONFIG_PACKAGE_$(PKG_NAME)-codec-speex)$(CONFIG_PACKAGE_$(PKG_NAME)-func-speex),)
 CONFIGURE_ARGS+= \

net/asterisk-13.x/patches/110-AST-2018-008-13.diff

@@ -0,0 +1,101 @@
+From 4eeb16d1a316aa3d6f5710a2f6beffb0fecb6121 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Mon, 30 Apr 2018 17:38:58 -0500
+Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
+
+When endpoint specific ACL rules block a SIP request they respond with a
+403 forbidden.  However, if an endpoint is not identified then a 401
+unauthorized response is sent.  This vulnerability just discloses which
+requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
+access to the disclosed endpoints.
+
+* Made endpoint specific ACL rules now respond with a 401 unauthorized
+which is the same as if an endpoint were not identified.  The fix is
+accomplished by replacing the found endpoint with the artificial endpoint
+which always fails authentication.
+
+ASTERISK-27818
+
+Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
+---
+
+diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c
+index e056b60..19266df 100644
+--- a/res/res_pjsip/pjsip_distributor.c
++++ b/res/res_pjsip/pjsip_distributor.c
+@@ -666,6 +666,26 @@
+ 	ao2_unlock(unid);
+ }
+ 
++static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
++static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
++
++static void apply_acls(pjsip_rx_data *rdata)
++{
++	struct ast_sip_endpoint *endpoint;
++
++	/* Is the endpoint allowed with the source or contact address? */
++	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
++	if (endpoint != artificial_endpoint
++		&& (apply_endpoint_acl(rdata, endpoint)
++			|| apply_endpoint_contact_acl(rdata, endpoint))) {
++		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
++			ast_sorcery_object_get_id(endpoint));
++
++		/* Replace the rdata endpoint with the artificial endpoint. */
++		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
++	}
++}
++
+ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
+ {
+ 	struct ast_sip_endpoint *endpoint;
+@@ -684,6 +704,7 @@
+ 			ao2_unlink(unidentified_requests, unid);
+ 			ao2_ref(unid, -1);
+ 		}
++		apply_acls(rdata);
+ 		return PJ_FALSE;
+ 	}
+ 
+@@ -743,6 +764,8 @@
+ 			ast_sip_report_invalid_endpoint(name, rdata);
+ 		}
+ 	}
++
++	apply_acls(rdata);
+ 	return PJ_FALSE;
+ }
+ 
+@@ -826,16 +849,11 @@
+ 
+ 	ast_assert(endpoint != NULL);
+ 
+-	if (endpoint!=artificial_endpoint) {
+-		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
+-			if (!is_ack) {
+-				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+-			}
+-			return PJ_TRUE;
+-		}
++	if (is_ack) {
++		return PJ_FALSE;
+ 	}
+ 
+-	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
++	if (ast_sip_requires_authentication(endpoint, rdata)) {
+ 		pjsip_tx_data *tdata;
+ 		struct unidentified_request *unid;
+ 
+@@ -871,6 +889,10 @@
+ 			return PJ_TRUE;
+ 		}
+ 		pjsip_tx_data_dec_ref(tdata);
++	} else if (endpoint == artificial_endpoint) {
++		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
++		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
++		return PJ_TRUE;
+ 	}
+ 
+ 	return PJ_FALSE;
+

net/asterisk-13.x/patches/120-AST-2018-009-13.diff

@@ -0,0 +1,89 @@
+From e6b0c4d27e0392a7b4b4b6717a6d1e0ea049b550 Mon Sep 17 00:00:00 2001
+From: Sean Bright <sean.bright@gmail.com>
+Date: Thu, 16 Aug 2018 11:45:53 -0400
+Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade
+ requests
+
+The HTTP request processing in res_http_websocket allocates additional
+space on the stack for various headers received during an Upgrade request.
+An attacker could send a specially crafted request that causes this code
+to overflow the stack, resulting in a crash.
+
+* No longer allocate memory from the stack in a loop to parse the header
+values.  NOTE: There is a slight API change when using the passed in
+strings as is.  We now require the passed in strings to no longer have
+leading or trailing whitespace.  This isn't a problem as the only callers
+have already done this before passing the strings to the affected
+function.
+
+ASTERISK-28013 #close
+
+Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
+---
+ res/res_http_websocket.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
+index 440bf41..0ff876b 100644
+--- a/res/res_http_websocket.c
++++ b/res/res_http_websocket.c
+@@ -736,7 +736,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
+ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
+ {
+ 	struct ast_variable *v;
+-	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
++	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
++	char *requested_protocols = NULL, *protocol = NULL;
+ 	int version = 0, flags = 1;
+ 	struct ast_websocket_protocol *protocol_handler = NULL;
+ 	struct ast_websocket *session;
+@@ -755,16 +756,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 	/* Get the minimum headers required to satisfy our needs */
+ 	for (v = headers; v; v = v->next) {
+ 		if (!strcasecmp(v->name, "Upgrade")) {
+-			upgrade = ast_strip(ast_strdupa(v->value));
++			upgrade = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
+-			key = ast_strip(ast_strdupa(v->value));
++			key = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
+-			key1 = ast_strip(ast_strdupa(v->value));
++			key1 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
+-			key2 = ast_strip(ast_strdupa(v->value));
++			key2 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
+-			requested_protocols = ast_strip(ast_strdupa(v->value));
+-			protos = ast_strdupa(requested_protocols);
++			protos = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
+ 			if (sscanf(v->value, "%30d", &version) != 1) {
+ 				version = 0;
+@@ -778,7 +778,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 			ast_sockaddr_stringify(&ser->remote_address));
+ 		ast_http_error(ser, 426, "Upgrade Required", NULL);
+ 		return 0;
+-	} else if (ast_strlen_zero(requested_protocols)) {
++	} else if (ast_strlen_zero(protos)) {
+ 		/* If there's only a single protocol registered, and the
+ 		 * client doesn't specify what protocol it's using, go ahead
+ 		 * and accept the connection */
+@@ -799,9 +799,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 		return 0;
+ 	}
+ 
+-	/* Iterate through the requested protocols trying to find one that we have a handler for */
+-	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
+-		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
++	if (!protocol_handler && protos) {
++		requested_protocols = ast_strdupa(protos);
++		/* Iterate through the requested protocols trying to find one that we have a handler for */
++		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
++			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
++		}
+ 	}
+ 
+ 	/* If no protocol handler exists bump this back to the requester */
+-- 
+2.7.4
+

net/asterisk-13.x/patches/130-AST-2019-003-13.diff

@@ -0,0 +1,39 @@
+From 3ab9291a563656dfebcb7de67c86351541f3de1c Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 7c8928d..223ff3c 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10911,7 +10911,13 @@
+ 			    ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ 	}
+ 
+-	if (portno != -1 || vportno != -1 || tportno != -1) {
++	/* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++	 * video is not being transported, thus we continue in this function further up if that is
++	 * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++	 * stream however we need to check again to ensure that there is at least one joint codec
++	 * instead of assuming there is one.
++	 */
++	if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ 		/* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ 		   they are acceptable */
+ 		unsigned int framing;

net/asterisk-13.x/patches/140-AST-2019-006-13.diff

@@ -0,0 +1,73 @@
+From c2279540bade208dad35f7760ebd4a7cc94731fe Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Mon, 21 Oct 2019 14:55:06 -0500
+Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
+
+If the name of a peer is known and a SIP request is sent using that
+peer's name, the address of the peer will change even if the request
+fails the authentication challenge. This means that an endpoint can
+be altered and even rendered unusuable, even if it was in a working
+state previously. This can only occur when the nat option is set to the
+default, or auto_force_rport.
+
+This change checks the result of authentication first to ensure it is
+successful before setting the address and the nat option.
+
+ASTERISK-28589 #close
+
+Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index ea78d23..4a8d344 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -19103,18 +19103,6 @@
+ 		bogus_peer = NULL;
+ 	}
+ 
+-	/*  build_peer, called through sip_find_peer, is not able to check the
+-	 *  sip_pvt->natdetected flag in order to determine if the peer is behind
+-	 *  NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
+-	 *  are set on the peer.  So we check for that here and set the peer's
+-	 *  address accordingly.
+-	 */
+-	set_peer_nat(p, peer);
+-
+-	if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
+-		ast_sockaddr_copy(&peer->addr, &p->recv);
+-	}
+-
+ 	if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
+ 		ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
+ 		sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
+@@ -19183,6 +19171,21 @@
+ 		ast_string_field_set(p, peermd5secret, NULL);
+ 	}
+ 	if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
++
++		/* build_peer, called through sip_find_peer, is not able to check the
++		 * sip_pvt->natdetected flag in order to determine if the peer is behind
++		 * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
++		 * are set on the peer. So we check for that here and set the peer's
++		 * address accordingly. The address should ONLY be set once we are sure
++		 * authentication was a success. If, for example, an INVITE was sent that
++		 * matched the peer name but failed the authentication check, the address
++		 * would be updated, which is bad.
++		 */
++		set_peer_nat(p, peer);
++		if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
++			ast_sockaddr_copy(&peer->addr, &p->recv);
++		}
++
+ 		/* If we have a call limit, set flag */
+ 		if (peer->call_limit)
+ 			ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
+@@ -19282,6 +19285,7 @@
+ 		}
+ 	}
+ 	sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
++
+ 	return res;
+ }
+ 

net/asterisk-13.x/patches/150-AST-2019-007-13.diff

@@ -0,0 +1,46 @@
+From 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Thu, 24 Oct 2019 11:41:23 -0600
+Subject: [PATCH] manager.c:  Prevent the Originate action from running the Originate app
+
+If an AMI user without the "system" authorization calls the
+Originate AMI command with the Originate application,
+the second Originate could run the "System" command.
+
+Action: Originate
+Channel: Local/1111
+Application: Originate
+Data: Local/2222,app,System,touch /tmp/owned
+
+If the "system" authorization isn't set, we now block the
+Originate app as well as the System, Exec, etc. apps.
+
+ASTERISK-28580
+Reported by: Eliel Sardañons
+
+Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
+---
+
+diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
+new file mode 100644
+index 0000000..f2d3133
+--- /dev/null
++++ b/doc/UPGRADE-staging/AMI-Originate.txt
+@@ -0,0 +1,5 @@
++Subject: AMI
++
++The AMI Originate action, which optionally takes a dialplan application as
++an argument, no longer accepts "Originate" as the application due to
++security concerns.
+diff --git a/main/manager.c b/main/manager.c
+index fc602bc..44e25b8 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -5708,6 +5708,7 @@
+ 				                                     EAGI(/bin/rm,-rf /)       */
+ 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+ 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
++				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
+ 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+ 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ 				)) {

net/asterisk-13.x/patches/160-AST-2019-008-13.diff

@@ -0,0 +1,35 @@
+From c257794330db49f4079a7108d51da60696269b36 Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Fri, 08 Nov 2019 13:21:15 -0600
+Subject: [PATCH] res_pjsip_session.c: Check for port of zero on incoming SDP.
+
+If a re-invite comes in initiating T.38, but there is no c line in the
+SDP and the port is also 0, a crash can occur. A check is now done on
+the port to see if the steam is already declined, preventing the crash.
+The logic was moved to res_pjsip_session.c because it is handled in a
+similar manner in later versions of Asterisk.
+
+ASTERISK-28612
+Reported by: Salah Ahmed
+
+Change-Id: Ifc4a0d05b32c7f2156e77fc8435a6ecaa6abada0
+---
+
+diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
+index 81f36a7..12cf41d 100644
+--- a/res/res_pjsip_session.c
++++ b/res/res_pjsip_session.c
+@@ -235,6 +235,13 @@
+ 			continue;
+ 		}
+ 
++		/* If we have a port of 0, ignore this stream */
++		if (!sdp->media[i]->desc.port) {
++			ast_debug(1, "Declining incoming SDP media stream '%s' at position '%d'\n",
++				session_media->stream_type, i);
++			continue;
++		}
++
+ 		if (session_media->handler) {
+ 			handler = session_media->handler;
+ 			ast_debug(1, "Negotiating incoming SDP media stream '%s' using %s SDP handler\n",

net/asterisk-13.x/patches/170-AST-2020-001-13.diff

@@ -0,0 +1,401 @@
+From b4c49adbb9ed22f3ccc4fc45f98421012d6b62a5 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@digium.com>
+Date: Mon, 19 Oct 2020 17:21:57 -0500
+Subject: [PATCH] AST-2020-001 - res_pjsip: Return dialog locked and referenced
+
+pjproject returns the dialog locked and with a reference. However,
+in Asterisk the method that handles this decrements the reference
+and removes the lock prior to returning. This makes it possible,
+under some circumstances, for another thread to free said dialog
+before the thread that created it attempts to use it again. Of
+course when the thread that created it tries to use a freed dialog
+a crash can occur.
+
+This patch makes it so Asterisk now returns the newly created
+dialog both locked, and with an added reference. This allows the
+caller to de-reference, and unlock the dialog when it is safe to
+do so.
+
+In the case of a new SIP Invite the lock, and reference are now
+held for the entirety of the new invite handling process.
+Otherwise it's possible for the dialog, or its dependent objects,
+like the transaction, to disappear. For example if there is a TCP
+transport error.
+
+Change-Id: I5ef645a47829596f402cf383dc02c629c618969e
+---
+
+--- a/include/asterisk/res_pjsip.h
++++ b/include/asterisk/res_pjsip.h
+@@ -1840,6 +1840,11 @@ pjsip_dialog *ast_sip_create_dialog_uac(
+ /*!
+  * \brief General purpose method for creating a UAS dialog with an endpoint
+  *
++ * \deprecated This function is unsafe (due to the returned object not being locked nor
++ *             having its reference incremented) and should no longer be used. Instead
++ *             use ast_sip_create_dialog_uas_locked so a properly locked and referenced
++ *             object is returned.
++ *
+  * \param endpoint A pointer to the endpoint
+  * \param rdata The request that is starting the dialog
+  * \param[out] status On failure, the reason for failure in creating the dialog
+@@ -1847,6 +1852,44 @@ pjsip_dialog *ast_sip_create_dialog_uac(
+ pjsip_dialog *ast_sip_create_dialog_uas(const struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pj_status_t *status);
+ 
+ /*!
++ * \brief General purpose method for creating a UAS dialog with an endpoint
++ *
++ * This function creates and returns a locked, and referenced counted pjsip
++ * dialog object. The caller is thus responsible for freeing the allocated
++ * memory, decrementing the reference, and releasing the lock when done with
++ * the returned object.
++ *
++ * \note The safest way to unlock the object, and decrement its reference is by
++ *       calling pjsip_dlg_dec_lock. Alternatively, pjsip_dlg_dec_session can be
++ *       used to decrement the reference only.
++ *
++ * The dialog is returned locked and with a reference in order to ensure that the
++ * dialog object, and any of its associated objects (e.g. transaction) are not
++ * untimely destroyed. For instance, that could happen when a transport error
++ * occurs.
++ *
++ * As long as the caller maintains a reference to the dialog there should be no
++ * worry that it might unknowningly be destroyed. However, once the caller unlocks
++ * the dialog there is a danger that some of the dialog's internal objects could
++ * be lost and/or compromised. For example, when the aforementioned transport error
++ * occurs the dialog's associated transaction gets destroyed (see pjsip_dlg_on_tsx_state
++ * in sip_dialog.c, and mod_inv_on_tsx_state in sip_inv.c).
++ *
++ * In this case and before using the dialog again the caller should re-lock the
++ * dialog, check to make sure the dialog is still established, and the transaction
++ * still exists and has not been destroyed.
++ *
++ * \param endpoint A pointer to the endpoint
++ * \param rdata The request that is starting the dialog
++ * \param[out] status On failure, the reason for failure in creating the dialog
++ *
++ * \retval A locked, and reference counted pjsip_dialog object.
++ * \retval NULL on failure
++ */
++pjsip_dialog *ast_sip_create_dialog_uas_locked(const struct ast_sip_endpoint *endpoint,
++	pjsip_rx_data *rdata, pj_status_t *status);
++
++/*!
+  * \brief General purpose method for creating an rdata structure using specific information
+  * \since 13.15.0
+  *
+--- a/res/res_pjsip.c
++++ b/res/res_pjsip.c
+@@ -3293,7 +3293,11 @@ static int uas_use_sips_contact(pjsip_rx
+ 	return 0;
+ }
+ 
+-pjsip_dialog *ast_sip_create_dialog_uas(const struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pj_status_t *status)
++typedef pj_status_t (*create_dlg_uac)(pjsip_user_agent *ua, pjsip_rx_data *rdata,
++	const pj_str_t *contact, pjsip_dialog **p_dlg);
++
++static pjsip_dialog *create_dialog_uas(const struct ast_sip_endpoint *endpoint,
++	pjsip_rx_data *rdata, pj_status_t *status, create_dlg_uac create_fun)
+ {
+ 	pjsip_dialog *dlg;
+ 	pj_str_t contact;
+@@ -3328,11 +3332,7 @@ pjsip_dialog *ast_sip_create_dialog_uas(
+ 			(type != PJSIP_TRANSPORT_UDP && type != PJSIP_TRANSPORT_UDP6) ? ";transport=" : "",
+ 			(type != PJSIP_TRANSPORT_UDP && type != PJSIP_TRANSPORT_UDP6) ? pjsip_transport_get_type_name(type) : "");
+ 
+-#ifdef HAVE_PJSIP_DLG_CREATE_UAS_AND_INC_LOCK
+-	*status = pjsip_dlg_create_uas_and_inc_lock(pjsip_ua_instance(), rdata, &contact, &dlg);
+-#else
+-	*status = pjsip_dlg_create_uas(pjsip_ua_instance(), rdata, &contact, &dlg);
+-#endif
++	*status = create_fun(pjsip_ua_instance(), rdata, &contact, &dlg);
+ 	if (*status != PJ_SUCCESS) {
+ 		char err[PJ_ERR_MSG_SIZE];
+ 
+@@ -3345,11 +3345,46 @@ pjsip_dialog *ast_sip_create_dialog_uas(
+ 	dlg->sess_count++;
+ 	pjsip_dlg_set_transport(dlg, &selector);
+ 	dlg->sess_count--;
++
++	return dlg;
++}
++
++pjsip_dialog *ast_sip_create_dialog_uas(const struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pj_status_t *status)
++{
+ #ifdef HAVE_PJSIP_DLG_CREATE_UAS_AND_INC_LOCK
+-	pjsip_dlg_dec_lock(dlg);
++	pjsip_dialog *dlg;
++
++	dlg = create_dialog_uas(endpoint, rdata, status, pjsip_dlg_create_uas_and_inc_lock);
++	if (dlg) {
++		pjsip_dlg_dec_lock(dlg);
++	}
++
++	return dlg;
++#else
++	return create_dialog_uas(endpoint, rdata, status, pjsip_dlg_create_uas);
+ #endif
++}
++
++pjsip_dialog *ast_sip_create_dialog_uas_locked(const struct ast_sip_endpoint *endpoint,
++	pjsip_rx_data *rdata, pj_status_t *status)
++{
++#ifdef HAVE_PJSIP_DLG_CREATE_UAS_AND_INC_LOCK
++	return create_dialog_uas(endpoint, rdata, status, pjsip_dlg_create_uas_and_inc_lock);
++#else
++	/*
++	 * This is put here in order to be compatible with older versions of pjproject.
++	 * Best we can do in this case is immediately lock after getting the dialog.
++	 * However, that does leave a "gap" between creating and locking.
++	 */
++	pjsip_dialog *dlg;
++
++	dlg = create_dialog_uas(endpoint, rdata, status, pjsip_dlg_create_uas);
++	if (dlg) {
++		pjsip_dlg_inc_lock(dlg);
++	}
+ 
+ 	return dlg;
++#endif
+ }
+ 
+ int ast_sip_create_rdata_with_contact(pjsip_rx_data *rdata, char *packet, const char *src_name, int src_port,
+--- a/res/res_pjsip_pubsub.c
++++ b/res/res_pjsip_pubsub.c
+@@ -1441,7 +1441,7 @@ static struct sip_subscription_tree *cre
+ 	}
+ 	sub_tree->role = AST_SIP_NOTIFIER;
+ 
+-	dlg = ast_sip_create_dialog_uas(endpoint, rdata, dlg_status);
++	dlg = ast_sip_create_dialog_uas_locked(endpoint, rdata, dlg_status);
+ 	if (!dlg) {
+ 		if (*dlg_status != PJ_EEXISTS) {
+ 			ast_log(LOG_WARNING, "Unable to create dialog for SIP subscription\n");
+@@ -1462,8 +1462,16 @@ static struct sip_subscription_tree *cre
+ 	}
+ 
+ 	pjsip_evsub_create_uas(dlg, &pubsub_cb, rdata, 0, &sub_tree->evsub);
++
+ 	subscription_setup_dialog(sub_tree, dlg);
+ 
++	/*
++	 * The evsub and subscription setup both add dialog refs, so the dialog ref that
++	 * was added when the dialog was created (see ast_sip_create_dialog_uas_lock) can
++	 * now be removed. The lock should no longer be needed so can be removed too.
++	 */
++	pjsip_dlg_dec_lock(dlg);
++
+ #ifdef HAVE_PJSIP_EVSUB_GRP_LOCK
+ 	pjsip_evsub_add_ref(sub_tree->evsub);
+ #endif
+--- a/res/res_pjsip_session.c
++++ b/res/res_pjsip_session.c
+@@ -2050,6 +2050,75 @@ static enum sip_get_destination_result g
+ 	return SIP_GET_DEST_EXTEN_NOT_FOUND;
+ }
+ 
++/*
++ * /internal
++ * /brief Process initial answer for an incoming invite
++ *
++ * This function should only be called during the setup, and handling of a
++ * new incoming invite. Most, if not all of the time, this will be called
++ * when an error occurs and we need to respond as such.
++ *
++ * When a SIP session termination code is given for the answer it's assumed
++ * this call then will be the final bit of processing before ending session
++ * setup. As such, we've been holding a lock, and a reference on the invite
++ * session's dialog. So before returning this function removes that reference,
++ * and unlocks the dialog.
++ *
++ * \param inv_session The session on which to answer
++ * \param rdata The original request
++ * \param answer_code The answer's numeric code
++ * \param terminate_code The termination code if the answer fails
++ * \param notify Whether or not to call on_state_changed
++ *
++ * \retval 0 if invite successfully answered, -1 if an error occurred
++ */
++static int new_invite_initial_answer(pjsip_inv_session *inv_session, pjsip_rx_data *rdata,
++	int answer_code, int terminate_code, pj_bool_t notify)
++{
++	pjsip_tx_data *tdata = NULL;
++	int res = 0;
++
++	if (inv_session->state != PJSIP_INV_STATE_DISCONNECTED) {
++		if (pjsip_inv_initial_answer(
++				inv_session, rdata, answer_code, NULL, NULL, &tdata) != PJ_SUCCESS) {
++
++			pjsip_inv_terminate(inv_session, terminate_code ? terminate_code : answer_code, notify);
++			res = -1;
++		} else {
++			pjsip_inv_send_msg(inv_session, tdata);
++		}
++	}
++
++	if (answer_code >= 300) {
++		/*
++		 * A session is ending. The dialog has a reference that needs to be
++		 * removed and holds a lock that needs to be unlocked before returning.
++		 */
++		pjsip_dlg_dec_lock(inv_session->dlg);
++	}
++
++	return res;
++}
++
++/*
++ * /internal
++ * /brief Create and initialize a pjsip invite session
++
++ * pjsip_inv_session adds, and maintains a reference to the dialog upon a successful
++ * invite session creation until the session is destroyed. However, we'll wait to
++ * remove the reference that was added for the dialog when it gets created since we're
++ * not ready to unlock the dialog in this function.
++ *
++ * So, if this function successfully returns that means it returns with its newly
++ * created, and associated dialog locked and with two references (i.e. dialog's
++ * reference count should be 2).
++ *
++ * \param endpoint A pointer to the endpoint
++ * \param rdata The request that is starting the dialog
++ *
++ * \retval A pjsip invite session object
++ * \retval NULL on error
++ */
+ static pjsip_inv_session *pre_session_setup(pjsip_rx_data *rdata, const struct ast_sip_endpoint *endpoint)
+ {
+ 	pjsip_tx_data *tdata;
+@@ -2068,15 +2137,28 @@ static pjsip_inv_session *pre_session_se
+ 		}
+ 		return NULL;
+ 	}
+-	dlg = ast_sip_create_dialog_uas(endpoint, rdata, &dlg_status);
++
++	dlg = ast_sip_create_dialog_uas_locked(endpoint, rdata, &dlg_status);
+ 	if (!dlg) {
+ 		if (dlg_status != PJ_EEXISTS) {
+ 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
+ 		}
+ 		return NULL;
+ 	}
++
++	/*
++	 * The returned dialog holds a lock and has a reference added. Any paths where the
++	 * dialog invite session is not returned must unlock the dialog and remove its reference.
++	 */
++
+ 	if (pjsip_inv_create_uas(dlg, rdata, NULL, options, &inv_session) != PJ_SUCCESS) {
+ 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
++		/*
++		 * The acquired dialog holds a lock, and a reference. Since the dialog is not
++		 * going to be returned here it must first be unlocked and de-referenced. This
++		 * must be done prior to calling dialog termination.
++		 */
++		pjsip_dlg_dec_lock(dlg);
+ 		pjsip_dlg_terminate(dlg);
+ 		return NULL;
+ 	}
+@@ -2085,12 +2167,13 @@ static pjsip_inv_session *pre_session_se
+ 	inv_session->sdp_neg_flags = PJMEDIA_SDP_NEG_ALLOW_MEDIA_CHANGE;
+ #endif
+ 	if (pjsip_dlg_add_usage(dlg, &session_module, NULL) != PJ_SUCCESS) {
+-		if (pjsip_inv_initial_answer(inv_session, rdata, 500, NULL, NULL, &tdata) != PJ_SUCCESS) {
+-			pjsip_inv_terminate(inv_session, 500, PJ_FALSE);
+-		}
+-		pjsip_inv_send_msg(inv_session, tdata);
++		/* Dialog's lock and a reference are removed in new_invite_initial_answer */
++		new_invite_initial_answer(inv_session, rdata, 500, 500, PJ_FALSE);
++		/* Remove 2nd reference added at inv_session creation */
++		pjsip_dlg_dec_session(inv_session->dlg, &session_module);
+ 		return NULL;
+ 	}
++
+ 	return inv_session;
+ }
+ 
+@@ -2220,7 +2303,6 @@ static void handle_new_invite_request(pj
+ {
+ 	RAII_VAR(struct ast_sip_endpoint *, endpoint,
+ 			ast_pjsip_rdata_get_endpoint(rdata), ao2_cleanup);
+-	pjsip_tx_data *tdata = NULL;
+ 	pjsip_inv_session *inv_session = NULL;
+ 	struct ast_sip_session *session;
+ 	struct new_invite invite;
+@@ -2233,27 +2315,48 @@ static void handle_new_invite_request(pj
+ 		return;
+ 	}
+ 
++	/*
++	 * Upon a successful pre_session_setup the associated dialog is returned locked
++	 * and with an added reference. Well actually two references. One added when the
++	 * dialog itself was created, and another added when the pjsip invite session was
++	 * created and the dialog was added to it.
++	 *
++	 * In order to ensure the dialog's, and any of its internal attributes, lifetimes
++	 * we'll hold the lock and maintain the reference throughout the entire new invite
++	 * handling process. See ast_sip_create_dialog_uas_locked for more details but,
++	 * basically we do this to make sure a transport failure does not destroy the dialog
++	 * and/or transaction out from underneath us between pjsip calls. Alternatively, we
++	 * could probably release the lock if we needed to, but then we'd have to re-lock and
++	 * check the dialog and transaction prior to every pjsip call.
++	 *
++	 * That means any off nominal/failure paths in this function must remove the associated
++	 * dialog reference added at dialog creation, and remove the lock. As well the
++	 * referenced pjsip invite session must be "cleaned up", which should also then
++	 * remove its reference to the dialog at that time.
++	 *
++	 * Nominally we'll unlock the dialog, and release the reference when all new invite
++	 * process handling has successfully completed.
++	 */
++
+ #ifdef HAVE_PJSIP_INV_SESSION_REF
+ 	if (pjsip_inv_add_ref(inv_session) != PJ_SUCCESS) {
+ 		ast_log(LOG_ERROR, "Can't increase the session reference counter\n");
+-		if (inv_session->state != PJSIP_INV_STATE_DISCONNECTED) {
+-			if (pjsip_inv_initial_answer(inv_session, rdata, 500, NULL, NULL, &tdata) == PJ_SUCCESS) {
+-				pjsip_inv_terminate(inv_session, 500, PJ_FALSE);
+-			} else {
+-				pjsip_inv_send_msg(inv_session, tdata);
+-			}
++		/* Dialog's lock and a reference are removed in new_invite_initial_answer */
++		if (!new_invite_initial_answer(inv_session, rdata, 500, 500, PJ_FALSE)) {
++			/* Terminate the session if it wasn't done in the answer */
++			pjsip_inv_terminate(inv_session, 500, PJ_FALSE);
+ 		}
+ 		return;
+ 	}
+ #endif
+-
+ 	session = ast_sip_session_alloc(endpoint, NULL, inv_session, rdata);
+ 	if (!session) {
+-		if (pjsip_inv_initial_answer(inv_session, rdata, 500, NULL, NULL, &tdata) == PJ_SUCCESS) {
++		/* Dialog's lock and reference are removed in new_invite_initial_answer */
++		if (!new_invite_initial_answer(inv_session, rdata, 500, 500, PJ_FALSE)) {
++			/* Terminate the session if it wasn't done in the answer */
+ 			pjsip_inv_terminate(inv_session, 500, PJ_FALSE);
+-		} else {
+-			pjsip_inv_send_msg(inv_session, tdata);
+ 		}
++
+ #ifdef HAVE_PJSIP_INV_SESSION_REF
+ 		pjsip_inv_dec_ref(inv_session);
+ #endif
+@@ -2271,6 +2374,17 @@ static void handle_new_invite_request(pj
+ 	invite.rdata = rdata;
+ 	new_invite(&invite);
+ 
++	/*
++	 * The dialog lock and reference added at dialog creation time must be
++	 * maintained throughout the new invite process. Since we're pretty much
++	 * done at this point with things it's safe to go ahead and remove the lock
++	 * and the reference here. See ast_sip_create_dialog_uas_locked for more info.
++	 *
++	 * Note, any future functionality added that does work using the dialog must
++	 * be done before this.
++	 */
++	pjsip_dlg_dec_lock(inv_session->dlg);
++
+ 	ao2_ref(session, -1);
+ }
+ 

net/asterisk-13.x/patches/180-AST-2020-002-13.diff

@@ -0,0 +1,107 @@
+From 01b7ac0d590b0ad2e3e856d1a81fc87154ae68a0 Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Mon, 02 Nov 2020 10:29:31 -0600
+Subject: [PATCH] AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit.
+
+If Asterisk sends out an INVITE and receives a challenge with a
+different nonce value each time, it will continuously send out INVITEs,
+even if the call is hung up. The endpoint must be configured for
+outbound authentication for this to occur. A limit has been set on
+outbound INVITEs so that, once reached, Asterisk will stop sending
+INVITEs and the transaction will terminate.
+
+ASTERISK-29013
+
+Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7
+---
+
+--- a/include/asterisk/res_pjsip.h
++++ b/include/asterisk/res_pjsip.h
+@@ -64,6 +64,9 @@ struct pjsip_tpselector;
+ /*! \brief Maximum number of ciphers supported for a TLS transport */
+ #define SIP_TLS_MAX_CIPHERS 64
+ 
++/*! Maximum number of challenges before assuming that we are in a loop */
++#define MAX_RX_CHALLENGES	10
++
+ /*!
+  * \brief Structure for SIP transport information
+  */
+--- a/include/asterisk/res_pjsip_session.h
++++ b/include/asterisk/res_pjsip_session.h
+@@ -161,6 +161,8 @@ struct ast_sip_session {
+ 	enum ast_sip_dtmf_mode dtmf;
+ 	/*! Initial incoming INVITE Request-URI.  NULL otherwise. */
+ 	pjsip_uri *request_uri;
++	/*! Number of challenges received during outgoing requests to determine if we are in a loop */
++	unsigned int authentication_challenge_count:4;
+ };
+ 
+ typedef int (*ast_sip_session_request_creation_cb)(struct ast_sip_session *session, pjsip_tx_data *tdata);
+--- a/res/res_pjsip.c
++++ b/res/res_pjsip.c
+@@ -3693,8 +3693,6 @@ static pj_bool_t does_method_match(const
+ 	return pj_stristr(&method, message_method) ? PJ_TRUE : PJ_FALSE;
+ }
+ 
+-/*! Maximum number of challenges before assuming that we are in a loop */
+-#define MAX_RX_CHALLENGES	10
+ #define TIMER_INACTIVE		0
+ #define TIMEOUT_TIMER2		5
+ 
+--- a/res/res_pjsip_session.c
++++ b/res/res_pjsip_session.c
+@@ -1184,7 +1184,6 @@ static pjsip_module session_reinvite_mod
+ 	.on_rx_request = session_reinvite_on_rx_request,
+ };
+ 
+-
+ void ast_sip_session_send_request_with_cb(struct ast_sip_session *session, pjsip_tx_data *tdata,
+ 		ast_sip_session_response_cb on_response)
+ {
+@@ -1470,12 +1469,17 @@ struct ast_sip_session *ast_sip_session_
+ 		ao2_ref(session, -1);
+ 		return NULL;
+ 	}
++
++	/* Track the number of challenges received on outbound requests */
++	session->authentication_challenge_count = 0;
++
+ 	AST_LIST_TRAVERSE(&session->supplements, iter, next) {
+ 		if (iter->session_begin) {
+ 			iter->session_begin(session);
+ 		}
+ 	}
+ 
++
+ 	/* Avoid unnecessary ref manipulation to return a session */
+ 	ret_session = session;
+ 	session = NULL;
+@@ -1642,6 +1646,11 @@ static pj_bool_t outbound_invite_auth(pj
+ 
+ 	session = inv->mod_data[session_module.id];
+ 
++	if (++session->authentication_challenge_count > MAX_RX_CHALLENGES) {
++		ast_debug(3, "Initial INVITE reached maximum number of auth attempts.\n");
++		return PJ_FALSE;
++	}
++
+ 	if (ast_sip_create_request_with_auth(&session->endpoint->outbound_auths, rdata, tsx,
+ 		&tdata)) {
+ 		return PJ_FALSE;
+@@ -2888,6 +2897,7 @@ static void session_inv_on_tsx_state_cha
+ 						ast_debug(1, "reINVITE received final response code %d\n",
+ 							tsx->status_code);
+ 						if ((tsx->status_code == 401 || tsx->status_code == 407)
++							&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
+ 							&& !ast_sip_create_request_with_auth(
+ 								&session->endpoint->outbound_auths,
+ 								e->body.tsx_state.src.rdata, tsx, &tdata)) {
+@@ -2962,6 +2972,7 @@ static void session_inv_on_tsx_state_cha
+ 						(int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),
+ 						tsx->status_code);
+ 					if ((tsx->status_code == 401 || tsx->status_code == 407)
++						&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
+ 						&& !ast_sip_create_request_with_auth(
+ 							&session->endpoint->outbound_auths,
+ 							e->body.tsx_state.src.rdata, tsx, &tdata)) {

net/asterisk-15.x/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk15
 PKG_VERSION:=15.3.0
-PKG_RELEASE:=1
+PKG_RELEASE:=8
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
@@ -557,8 +557,7 @@ CONFIGURE_ARGS+= \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-res-resolver-unbound),--with-unbound="$(STAGING_DIR)/usr",--without-unbound) \
 	$(if $(CONFIG_PACKAGE_$(PKG_NAME)-format-ogg-vorbis),--with-vorbis="$(STAGING_DIR)/usr",--without-vorbis) \
 	--without-vpb \
-	--with-z="$(STAGING_DIR)/usr" \
-	--with-sounds-cache="$(DL_DIR)"
+	--with-z="$(STAGING_DIR)/usr"
 
 ifeq ($(CONFIG_PACKAGE_$(PKG_NAME)-codec-speex)$(CONFIG_PACKAGE_$(PKG_NAME)-format-ogg-speex)$(CONFIG_PACKAGE_$(PKG_NAME)-func-speex),)
 CONFIGURE_ARGS+= \

net/asterisk-15.x/patches/110-AST-2018-007-15.diff

@@ -0,0 +1,49 @@
+From 380b5ae0a1e4a68bfb098319a7ab86d3d34c2fcb Mon Sep 17 00:00:00 2001
+From: Sean Bright <sean.bright@gmail.com>
+Date: Mon, 16 Apr 2018 15:13:58 -0400
+Subject: [PATCH] AST-2018-007: iostreams potential DoS when client connection closed prematurely
+
+Before Asterisk sends an HTTP response (at least in the case of errors),
+it attempts to read & discard the content of the request. If the client
+lies about the Content-Length, or the connection is closed from the
+client side before "Content-Length" bytes are sent, the request handling
+thread will busy loop.
+
+ASTERISK-27807
+
+Change-Id: I945c5fc888ed92be625b8c35039fc6d2aa89c762
+---
+
+diff --git a/main/iostream.c b/main/iostream.c
+index 4cddd43..20188cb 100644
+--- a/main/iostream.c
++++ b/main/iostream.c
+@@ -197,11 +197,18 @@
+ 					}
+ 				}
+ 				break;
++			case SSL_ERROR_SYSCALL:
++				/* Some non-recoverable I/O error occurred. The OpenSSL error queue may
++				 * contain more information on the error. For socket I/O on Unix systems,
++				 * consult errno for details. */
++				ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err),
++					ssl_error_to_string(sslerr, res));
++				return -1;
+ 			default:
+ 				/* Report EOF for an undecoded SSL or transport error. */
+ 				ast_debug(1, "TLS transport or SSL error reading data:  %s, %s\n", ERR_error_string(sslerr, err),
+ 					ssl_error_to_string(sslerr, res));
+-				return 0;
++				return -1;
+ 			}
+ 			if (!ms) {
+ 				/* Report EOF for a timeout */
+@@ -317,7 +324,7 @@
+ 
+ 	while (remaining) {
+ 		ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining);
+-		if (ret < 0) {
++		if (ret <= 0) {
+ 			return ret;
+ 		}
+ 		remaining -= ret;

net/asterisk-15.x/patches/120-AST-2018-008-15.diff

@@ -0,0 +1,98 @@
+From f597032e833a4d3e8e710e5b1416ba780f002b8b Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett@digium.com>
+Date: Mon, 30 Apr 2018 17:38:58 -0500
+Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
+
+When endpoint specific ACL rules block a SIP request they respond with a
+403 forbidden.  However, if an endpoint is not identified then a 401
+unauthorized response is sent.  This vulnerability just discloses which
+requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
+access to the disclosed endpoints.
+
+* Made endpoint specific ACL rules now respond with a 401 unauthorized
+which is the same as if an endpoint were not identified.  The fix is
+accomplished by replacing the found endpoint with the artificial endpoint
+which always fails authentication.
+
+ASTERISK-27818
+
+Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
+---
+
+--- a/res/res_pjsip/pjsip_distributor.c
++++ b/res/res_pjsip/pjsip_distributor.c
+@@ -676,6 +676,26 @@ static void check_endpoint(pjsip_rx_data
+ 	ao2_unlock(unid);
+ }
+ 
++static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
++static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
++
++static void apply_acls(pjsip_rx_data *rdata)
++{
++	struct ast_sip_endpoint *endpoint;
++
++	/* Is the endpoint allowed with the source or contact address? */
++	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
++	if (endpoint != artificial_endpoint
++		&& (apply_endpoint_acl(rdata, endpoint)
++			|| apply_endpoint_contact_acl(rdata, endpoint))) {
++		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
++			ast_sorcery_object_get_id(endpoint));
++
++		/* Replace the rdata endpoint with the artificial endpoint. */
++		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
++	}
++}
++
+ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
+ {
+ 	struct ast_sip_endpoint *endpoint;
+@@ -694,6 +714,7 @@ static pj_bool_t endpoint_lookup(pjsip_r
+ 			ao2_unlink(unidentified_requests, unid);
+ 			ao2_ref(unid, -1);
+ 		}
++		apply_acls(rdata);
+ 		return PJ_FALSE;
+ 	}
+ 
+@@ -753,6 +774,8 @@ static pj_bool_t endpoint_lookup(pjsip_r
+ 			ast_sip_report_invalid_endpoint(name, rdata);
+ 		}
+ 	}
++
++	apply_acls(rdata);
+ 	return PJ_FALSE;
+ }
+ 
+@@ -836,16 +859,11 @@ static pj_bool_t authenticate(pjsip_rx_d
+ 
+ 	ast_assert(endpoint != NULL);
+ 
+-	if (endpoint!=artificial_endpoint) {
+-		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
+-			if (!is_ack) {
+-				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+-			}
+-			return PJ_TRUE;
+-		}
++	if (is_ack) {
++		return PJ_FALSE;
+ 	}
+ 
+-	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
++	if (ast_sip_requires_authentication(endpoint, rdata)) {
+ 		pjsip_tx_data *tdata;
+ 		struct unidentified_request *unid;
+ 
+@@ -881,6 +899,10 @@ static pj_bool_t authenticate(pjsip_rx_d
+ 			return PJ_TRUE;
+ 		}
+ 		pjsip_tx_data_dec_ref(tdata);
++	} else if (endpoint == artificial_endpoint) {
++		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
++		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
++		return PJ_TRUE;
+ 	}
+ 
+ 	return PJ_FALSE;

net/asterisk-15.x/patches/130-AST-2018-009-15.diff

@@ -0,0 +1,89 @@
+From 7d964e4b2e689f0dd7353e96d1782e92f59e9be6 Mon Sep 17 00:00:00 2001
+From: Sean Bright <sean.bright@gmail.com>
+Date: Thu, 16 Aug 2018 11:45:53 -0400
+Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade
+ requests
+
+The HTTP request processing in res_http_websocket allocates additional
+space on the stack for various headers received during an Upgrade request.
+An attacker could send a specially crafted request that causes this code
+to overflow the stack, resulting in a crash.
+
+* No longer allocate memory from the stack in a loop to parse the header
+values.  NOTE: There is a slight API change when using the passed in
+strings as is.  We now require the passed in strings to no longer have
+leading or trailing whitespace.  This isn't a problem as the only callers
+have already done this before passing the strings to the affected
+function.
+
+ASTERISK-28013 #close
+
+Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
+---
+ res/res_http_websocket.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
+index aaaba7d..e7ce830 100644
+--- a/res/res_http_websocket.c
++++ b/res/res_http_websocket.c
+@@ -758,7 +758,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
+ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
+ {
+ 	struct ast_variable *v;
+-	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
++	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
++	char *requested_protocols = NULL, *protocol = NULL;
+ 	int version = 0, flags = 1;
+ 	struct ast_websocket_protocol *protocol_handler = NULL;
+ 	struct ast_websocket *session;
+@@ -777,16 +778,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 	/* Get the minimum headers required to satisfy our needs */
+ 	for (v = headers; v; v = v->next) {
+ 		if (!strcasecmp(v->name, "Upgrade")) {
+-			upgrade = ast_strip(ast_strdupa(v->value));
++			upgrade = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
+-			key = ast_strip(ast_strdupa(v->value));
++			key = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
+-			key1 = ast_strip(ast_strdupa(v->value));
++			key1 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
+-			key2 = ast_strip(ast_strdupa(v->value));
++			key2 = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
+-			requested_protocols = ast_strip(ast_strdupa(v->value));
+-			protos = ast_strdupa(requested_protocols);
++			protos = v->value;
+ 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
+ 			if (sscanf(v->value, "%30d", &version) != 1) {
+ 				version = 0;
+@@ -800,7 +800,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 			ast_sockaddr_stringify(&ser->remote_address));
+ 		ast_http_error(ser, 426, "Upgrade Required", NULL);
+ 		return 0;
+-	} else if (ast_strlen_zero(requested_protocols)) {
++	} else if (ast_strlen_zero(protos)) {
+ 		/* If there's only a single protocol registered, and the
+ 		 * client doesn't specify what protocol it's using, go ahead
+ 		 * and accept the connection */
+@@ -821,9 +821,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
+ 		return 0;
+ 	}
+ 
+-	/* Iterate through the requested protocols trying to find one that we have a handler for */
+-	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
+-		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
++	if (!protocol_handler && protos) {
++		requested_protocols = ast_strdupa(protos);
++		/* Iterate through the requested protocols trying to find one that we have a handler for */
++		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
++			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
++		}
+ 	}
+ 
+ 	/* If no protocol handler exists bump this back to the requester */
+-- 
+2.7.4
+

net/asterisk-15.x/patches/140-AST-2018-010-15.diff

@@ -0,0 +1,98 @@
+From ae857488d97f94535d7c4dbe6049ddcc211bcf32 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Thu, 25 Oct 2018 09:25:58 -0600
+Subject: [PATCH] AST-2018-010: Fix length of buffer needed for SRV and NAPTR results
+
+When dn_expand was being called on SRV and NAPTR results, the
+return value was being used to calculate the size of the buffer
+needed to store the host names.  Since dn_expand returns the
+length of the COMPRESSED name the buffer could be too short
+to hold the EXPANDED name.  The expanded name is NULL terminated
+so using strlen() is the correct way to determine the length
+actually needed for the buffer.
+
+ASTERISK-28127
+Reported by: Jan Hoffmann
+
+patches:
+  patch.diff submitted by janhoffmann (license 6986)
+
+Change-Id: I4d35d6c431c6c6836cb61d37b1378cc47f0b414d
+---
+
+diff --git a/main/dns_naptr.c b/main/dns_naptr.c
+index 5490b55..4d67816 100644
+--- a/main/dns_naptr.c
++++ b/main/dns_naptr.c
+@@ -393,6 +393,7 @@
+ 	int replacement_size;
+ 	const char *end_of_record;
+ 	enum flags_result flags_res;
++	size_t naptr_len;
+ 
+ 	ptr = dns_find_record(data, size, query->result->answer, query->result->answer_size);
+ 	ast_assert(ptr != NULL);
+@@ -435,7 +436,14 @@
+ 		return NULL;
+ 	}
+ 
+-	replacement_size = dn_expand((unsigned char *)query->result->answer, (unsigned char *) end_of_record, (unsigned char *) ptr, replacement, sizeof(replacement) - 1);
++	/*
++	 * The return value from dn_expand represents the size of the replacement
++	 * in the buffer which MAY be compressed.  Since the expanded replacement
++	 * is NULL terminated, you can use strlen() to get the expanded size.
++	 */
++	replacement_size = dn_expand((unsigned char *)query->result->answer,
++		(unsigned char *) end_of_record, (unsigned char *) ptr,
++		replacement, sizeof(replacement) - 1);
+ 	if (replacement_size < 0) {
+ 		ast_log(LOG_ERROR, "Failed to expand domain name: %s\n", strerror(errno));
+ 		return NULL;
+@@ -475,7 +483,9 @@
+ 		return NULL;
+ 	}
+ 
+-	naptr = ast_calloc(1, sizeof(*naptr) + size + flags_size + 1 + services_size + 1 + regexp_size + 1 + replacement_size + 1);
++	naptr_len = sizeof(*naptr) + size + flags_size + 1 + services_size + 1
++		+ regexp_size + 1 + strlen(replacement) + 1;
++	naptr = ast_calloc(1, naptr_len);
+ 	if (!naptr) {
+ 		return NULL;
+ 	}
+diff --git a/main/dns_srv.c b/main/dns_srv.c
+index b562e32..e11c84e 100644
+--- a/main/dns_srv.c
++++ b/main/dns_srv.c
+@@ -73,7 +73,13 @@
+ 		return NULL;
+ 	}
+ 
+-	host_size = dn_expand((unsigned char *)query->result->answer, (unsigned char *) end_of_record, (unsigned char *) ptr, host, sizeof(host) - 1);
++	/*
++	 * The return value from dn_expand represents the size of the replacement
++	 * in the buffer which MAY be compressed.  Since the expanded replacement
++	 * is NULL terminated, you can use strlen() to get the expanded size.
++	 */
++	host_size = dn_expand((unsigned char *)query->result->answer,
++		(unsigned char *) end_of_record, (unsigned char *) ptr, host, sizeof(host) - 1);
+ 	if (host_size < 0) {
+ 		ast_log(LOG_ERROR, "Failed to expand domain name: %s\n", strerror(errno));
+ 		return NULL;
+@@ -83,7 +89,7 @@
+ 		return NULL;
+ 	}
+ 
+-	srv = ast_calloc(1, sizeof(*srv) + size + host_size + 1);
++	srv = ast_calloc(1, sizeof(*srv) + size + strlen(host) + 1);
+ 	if (!srv) {
+ 		return NULL;
+ 	}
+@@ -94,8 +100,6 @@
+ 
+ 	srv->host = srv->data + size;
+ 	strcpy((char *)srv->host, host); /* SAFE */
+-	((char *)srv->host)[host_size] = '\0';
+-
+ 	srv->generic.data_ptr = srv->data;
+ 
+ 	return (struct ast_dns_record *)srv;

net/asterisk-15.x/patches/150-AST-2019-001-15.diff

@@ -0,0 +1,32 @@
+From 476d60f850c75ca9142aaf783992db74efea6a49 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Wed, 30 Jan 2019 12:25:55 -0700
+Subject: [PATCH] res_pjsip_sdp_rtp:  Fix return code from apply_negotiated_sdp_stream
+
+apply_negotiated_sdp_stream was returning a "1" when no joint
+capabilities were found on an outgoing call instead of a "-1".
+This indicated to res_pjsip_session that the handler DID handle
+the sdp when in fact it didn't.  Without the appropriate setup,
+a subsequent media frame coming in would have an invalid stream_num
+and cause a seg fault when the stream was attempted to be retrieved.
+
+apply_negotiated_sdp_stream now returns the correct "-1" and any
+media is now discarded before it reaches the core stream processing.
+
+ASTERISK-28620
+Reported by: Sotiris Ganouris
+
+Change-Id: Ia095cb16b4862f2f6ad6d2d2a77453fa2542371f
+---
+
+--- a/res/res_pjsip_sdp_rtp.c
++++ b/res/res_pjsip_sdp_rtp.c
+@@ -1722,7 +1722,7 @@ static int apply_negotiated_sdp_stream(s
+ 	}
+ 
+ 	if (set_caps(session, session_media, session_media_transport, remote_stream, 0, asterisk_stream)) {
+-		return 1;
++		return -1;
+ 	}
+ 
+ 	/* Set the channel uniqueid on the RTP instance now that it is becoming active */

net/asterisk-15.x/patches/160-AST-2019-003-15.diff

@@ -0,0 +1,37 @@
+From a8cc63a8b2b973d6d34251d74b8d4576d6796dce Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10917,7 +10917,13 @@ static int process_sdp(struct sip_pvt *p
+ 			    ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ 	}
+ 
+-	if (portno != -1 || vportno != -1 || tportno != -1) {
++	/* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++	 * video is not being transported, thus we continue in this function further up if that is
++	 * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++	 * stream however we need to check again to ensure that there is at least one joint codec
++	 * instead of assuming there is one.
++	 */
++	if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ 		/* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ 		   they are acceptable */
+ 		ast_format_cap_remove_by_type(p->jointcaps, AST_MEDIA_TYPE_UNKNOWN);

net/asterisk-15.x/patches/170-AST-2019-004-15.patch

@@ -0,0 +1,169 @@
+From f361e65dc2c90aaee9472f97b54083e0a2d49303 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@digium.com>
+Date: Tue, 20 Aug 2019 15:05:45 -0500
+Subject: [PATCH] AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media
+
+After receiving a 200 OK with a declined stream in response to a T.38
+initiated re-invite Asterisk would crash when attempting to dereference
+a NULL session media object.
+
+This patch checks to make sure the session media object is not NULL before
+attempting to use it.
+
+ASTERISK-28495
+patches:
+  ast-2019-004.patch submitted by Alexei Gradinari (license 5691)
+
+Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572
+---
+
+--- a/res/res_pjsip_t38.c
++++ b/res/res_pjsip_t38.c
+@@ -202,7 +202,6 @@ static int t38_automatic_reject(void *ob
+ {
+ 	RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup);
+ 	RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup);
+-	struct ast_sip_session_media *session_media;
+ 
+ 	if (!datastore) {
+ 		return 0;
+@@ -211,8 +210,7 @@ static int t38_automatic_reject(void *ob
+ 	ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
+ 		session->channel ? ast_channel_name(session->channel) : "<gone>");
+ 
+-	session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-	t38_change_state(session, session_media, datastore->data, T38_REJECTED);
++	t38_change_state(session, NULL, datastore->data, T38_REJECTED);
+ 	ast_sip_session_resume_reinvite(session);
+ 
+ 	return 0;
+@@ -312,28 +310,37 @@ static int t38_reinvite_response_cb(stru
+ 		int index;
+ 
+ 		session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-		t38_change_state(session, session_media, state, T38_ENABLED);
++		if (!session_media) {
++			ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
++					status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
++		} else {
++			t38_change_state(session, session_media, state, T38_ENABLED);
+ 
+-		/* Stop all the streams in the stored away active state, they'll go back to being active once
+-		 * we reinvite back.
+-		 */
+-		for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
+-			struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
++			/* Stop all the streams in the stored away active state, they'll go back to being active once
++			 * we reinvite back.
++			 */
++			for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
++				struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
+ 
+-			if (session_media && session_media->handler && session_media->handler->stream_stop) {
+-				session_media->handler->stream_stop(session_media);
++				if (session_media && session_media->handler && session_media->handler->stream_stop) {
++					session_media->handler->stream_stop(session_media);
++				}
+ 			}
++
++			return 0;
+ 		}
+ 	} else {
+ 		session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-		t38_change_state(session, session_media, state, T38_REJECTED);
+-
+-		/* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
+-		ast_sip_session_media_state_free(state->media_state);
+-		state->media_state = NULL;
+-		ast_sip_session_media_state_reset(session->pending_media_state);
+ 	}
+ 
++	/* If no session_media then response contained a declined stream, so disable */
++	t38_change_state(session, NULL, state, session_media ? T38_REJECTED : T38_DISABLED);
++
++	/* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
++	ast_sip_session_media_state_free(state->media_state);
++	state->media_state = NULL;
++	ast_sip_session_media_state_reset(session->pending_media_state);
++
+ 	return 0;
+ }
+ 
+@@ -416,12 +423,10 @@ static int t38_interpret_parameters(void
+ 		/* Negotiation can not take place without a valid max_ifp value. */
+ 		if (!parameters->max_ifp) {
+ 			if (data->session->t38state == T38_PEER_REINVITE) {
+-				session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-				t38_change_state(data->session, session_media, state, T38_REJECTED);
++				t38_change_state(data->session, NULL, state, T38_REJECTED);
+ 				ast_sip_session_resume_reinvite(data->session);
+ 			} else if (data->session->t38state == T38_ENABLED) {
+-				session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-				t38_change_state(data->session, session_media, state, T38_DISABLED);
++				t38_change_state(data->session, NULL, state, T38_DISABLED);
+ 				ast_sip_session_refresh(data->session, NULL, NULL, NULL,
+ 					AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
+ 				state->media_state = NULL;
+@@ -444,6 +449,11 @@ static int t38_interpret_parameters(void
+ 			state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version);
+ 			state->our_parms.rate_management = state->their_parms.rate_management;
+ 			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++			if (!session_media) {
++				ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n",
++					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++				break;
++			}
+ 			ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
+ 			t38_change_state(data->session, session_media, state, T38_ENABLED);
+ 			ast_sip_session_resume_reinvite(data->session);
+@@ -458,8 +468,13 @@ static int t38_interpret_parameters(void
+ 			}
+ 			state->our_parms = *parameters;
+ 			session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++			if (!session_media) {
++				ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n",
++					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++				break;
++			}
+ 			ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
+-			t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE);
++			t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE);
+ 			ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb,
+ 				AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state);
+ 		}
+@@ -468,12 +483,10 @@ static int t38_interpret_parameters(void
+ 	case AST_T38_REFUSED:
+ 	case AST_T38_REQUEST_TERMINATE:         /* Shutdown T38 */
+ 		if (data->session->t38state == T38_PEER_REINVITE) {
+-			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-			t38_change_state(data->session, session_media, state, T38_REJECTED);
++			t38_change_state(data->session, NULL, state, T38_REJECTED);
+ 			ast_sip_session_resume_reinvite(data->session);
+ 		} else if (data->session->t38state == T38_ENABLED) {
+-			session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+-			t38_change_state(data->session, session_media, state, T38_DISABLED);
++			t38_change_state(data->session, NULL, state, T38_DISABLED);
+ 			ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
+ 			state->media_state = NULL;
+ 		}
+@@ -483,6 +496,11 @@ static int t38_interpret_parameters(void
+ 
+ 		if (data->session->t38state == T38_PEER_REINVITE) {
+ 			session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++			if (!session_media) {
++				ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n",
++					data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++				break;
++			}
+ 			parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl);
+ 			parameters.request_response = AST_T38_REQUEST_NEGOTIATE;
+ 			ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, &parameters, sizeof(parameters));
+@@ -757,7 +775,7 @@ static int negotiate_incoming_sdp_stream
+ 
+ 	if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) {
+ 		ast_debug(3, "Declining; T.38 state is rejected or declined\n");
+-		t38_change_state(session, session_media, state, T38_DISABLED);
++		t38_change_state(session, NULL, state, T38_DISABLED);
+ 		return -1;
+ 	}
+ 

net/asterisk-15.x/patches/180-AST-2019-006-16.diff

@@ -0,0 +1,73 @@
+From 8cdaa93e658a46e7baf6b606468b5e2c88a0133b Mon Sep 17 00:00:00 2001
+From: Ben Ford <bford@digium.com>
+Date: Mon, 21 Oct 2019 14:55:06 -0500
+Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
+
+If the name of a peer is known and a SIP request is sent using that
+peer's name, the address of the peer will change even if the request
+fails the authentication challenge. This means that an endpoint can
+be altered and even rendered unusuable, even if it was in a working
+state previously. This can only occur when the nat option is set to the
+default, or auto_force_rport.
+
+This change checks the result of authentication first to ensure it is
+successful before setting the address and the nat option.
+
+ASTERISK-28589 #close
+
+Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 6ac2e61..4d79a47 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -19245,18 +19245,6 @@
+ 		bogus_peer = NULL;
+ 	}
+ 
+-	/*  build_peer, called through sip_find_peer, is not able to check the
+-	 *  sip_pvt->natdetected flag in order to determine if the peer is behind
+-	 *  NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
+-	 *  are set on the peer.  So we check for that here and set the peer's
+-	 *  address accordingly.
+-	 */
+-	set_peer_nat(p, peer);
+-
+-	if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
+-		ast_sockaddr_copy(&peer->addr, &p->recv);
+-	}
+-
+ 	if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
+ 		ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
+ 		sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
+@@ -19325,6 +19313,21 @@
+ 		ast_string_field_set(p, peermd5secret, NULL);
+ 	}
+ 	if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
++
++		/* build_peer, called through sip_find_peer, is not able to check the
++		 * sip_pvt->natdetected flag in order to determine if the peer is behind
++		 * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
++		 * are set on the peer. So we check for that here and set the peer's
++		 * address accordingly. The address should ONLY be set once we are sure
++		 * authentication was a success. If, for example, an INVITE was sent that
++		 * matched the peer name but failed the authentication check, the address
++		 * would be updated, which is bad.
++		 */
++		set_peer_nat(p, peer);
++		if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
++			ast_sockaddr_copy(&peer->addr, &p->recv);
++		}
++
+ 		/* If we have a call limit, set flag */
+ 		if (peer->call_limit)
+ 			ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
+@@ -19424,6 +19427,7 @@
+ 		}
+ 	}
+ 	sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
++
+ 	return res;
+ }
+ 

net/asterisk-15.x/patches/190-AST-2019-007-16.diff

@@ -0,0 +1,46 @@
+From 7574be5110e049a44b8c8ead52cd1c2a5d442afa Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Thu, 24 Oct 2019 11:41:23 -0600
+Subject: [PATCH] manager.c:  Prevent the Originate action from running the Originate app
+
+If an AMI user without the "system" authorization calls the
+Originate AMI command with the Originate application,
+the second Originate could run the "System" command.
+
+Action: Originate
+Channel: Local/1111
+Application: Originate
+Data: Local/2222,app,System,touch /tmp/owned
+
+If the "system" authorization isn't set, we now block the
+Originate app as well as the System, Exec, etc. apps.
+
+ASTERISK-28580
+Reported by: Eliel Sardañons
+
+Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
+---
+
+diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
+new file mode 100644
+index 0000000..f2d3133
+--- /dev/null
++++ b/doc/UPGRADE-staging/AMI-Originate.txt
+@@ -0,0 +1,5 @@
++Subject: AMI
++
++The AMI Originate action, which optionally takes a dialplan application as
++an argument, no longer accepts "Originate" as the application due to
++security concerns.
+diff --git a/main/manager.c b/main/manager.c
+index f138801..1963151 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -5744,6 +5744,7 @@
+ 				                                     EAGI(/bin/rm,-rf /)       */
+ 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+ 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
++				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
+ 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+ 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ 				)) {

net/freeswitch-stable-mod-bcg729/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=freeswitch-stable-mod-bcg729
 
 PKG_VERSION:=20170629
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net>
 
 PKG_LICENSE:=MPL-1.1

net/freeswitch-stable/Config.in

@@ -45,29 +45,6 @@ config FS_STABLE_WITH_SRTP
 	help
 	  Compile with SRTP support.
 
-config FS_STABLE_WITH_V8
-	bool "Compile with V8 support"
-	depends on arm||i386||mipsel||x86_64
-	default y if x86_64
-	help
-	  The sole purpose of this symbol is to prevent mod_v8 from being built
-	  by the build bots. Currently the only exception is x86_64. The build is
-	  time-consuming and the module is quite large, making it an unlikely
-	  choice for devices with limited resources.
-
-	  If you want mod_v8 to become available, select 'y'.
-
-config FS_STABLE_WITH_V8_SNAPSHOT
-	bool "Include heap snapshot"
-	depends on FS_STABLE_WITH_V8
-	default n
-	help
-	  V8 can be built with a heap snapshot for faster initialization. Default
-	  is 'n' because of seemingly random segmentation faults observed when
-	  generating the snapshot.
-
-	  Only select 'y' if you know what you are doing.
-
 config FS_STABLE_WITH_VPX
 	bool "Compile with VPx support"
 	depends on FS_STABLE_WITH_LIBYUV

net/freeswitch-stable/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2017 - 2018 OpenWrt.org
+# Copyright (C) 2017 Sebastian Kemper <sebastian_ml@gmx.net>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -9,13 +9,15 @@ include $(TOPDIR)/rules.mk
 
 PRG_NAME:=freeswitch
 PKG_NAME:=$(PRG_NAME)-stable
-PKG_VERSION:=1.6.20
-PKG_RELEASE:=7
+PKG_VERSION:=1.8.7
+PKG_RELEASE:=1
 PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net>
 
 PKG_SOURCE:=$(PRG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://files.$(PRG_NAME).org/releases/$(PRG_NAME)
-PKG_HASH:=dbb0f73109171bd381772b247b8ef581f6a176964619082a1fe031b004086f6b
+PKG_HASH:=7d3cee32713db5f65e3d4703c6420038872d8f6efab8be4d58fbf66ffa993008
+
+PKG_CPE_ID:=cpe:/a:freeswitch:freeswitch
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PRG_NAME)-$(PKG_VERSION)
 
@@ -29,7 +31,7 @@ PKG_BUILD_DEPENDS:= \
 PKG_FIXUP:=autoreconf
 
 # With mod_ssml and mod_rayo enabled the parallel compiles always failed
-#PKG_BUILD_PARALLEL:=1
+PKG_BUILD_PARALLEL:=0
 PKG_INSTALL:=1
 
 PKG_LICENSE:= \
@@ -121,6 +123,7 @@ FS_STABLE_MOD_AVAILABLE:= \
 	event_test \
 	event_zmq \
 	expr \
+	fail2ban \
 	fifo \
 	format_cdr \
 	$(FTDM) \
@@ -160,6 +163,7 @@ FS_STABLE_MOD_AVAILABLE:= \
 	python \
 	radius_cdr \
 	random \
+	raven \
 	rayo \
 	redis \
 	rss \
@@ -203,9 +207,9 @@ FS_STABLE_MOD_AVAILABLE:= \
 	translate \
 	tts_commandline \
 	unimrcp \
-	v8 \
 	valet_parking \
 	verto \
+	video_filter \
 	vmd \
 	voicemail \
 	voicemail_ivr \
@@ -226,7 +230,6 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_FS_STABLE_WITH_PGSQL \
 	CONFIG_FS_STABLE_WITH_PNG \
 	CONFIG_FS_STABLE_WITH_SRTP \
-	CONFIG_FS_STABLE_WITH_V8_SNAPSHOT \
 	CONFIG_FS_STABLE_WITH_VPX \
 	CONFIG_FS_STABLE_WITH_ZRTP \
 	CONFIG_LIBC \
@@ -239,11 +242,26 @@ PKG_CONFIG_DEPENDS:= \
 
 include $(INCLUDE_DIR)/uclibc++.mk
 include $(INCLUDE_DIR)/package.mk
+# iconv support
+include $(INCLUDE_DIR)/nls.mk
+#######################################################
+# mod_gsmopen can't detect if iconv's inbuf is const. #
+#                                                     #
+#                  musl    uclibc                     #
+# libiconv-stub    -       -                          #
+# libiconv-full    -       const                      #
+#                                                     #
+#######################################################
+ifeq ($(ICONV_FULL)$(CONFIG_USE_UCLIBC),1y)
+TARGET_CFLAGS+=-DFS_STABLE_ICONV_INBUF_CONST
+endif
 
 FS_STABLE_PERL_FEED:=$(TOPDIR)/feeds/packages/lang/perl
 
 include $(TOPDIR)/feeds/packages/lang/python/python-host.mk
-include $(FS_STABLE_PERL_FEED)/perlmod.mk
+include $(FS_STABLE_PERL_FEED)/perlver.mk
+
+PERL_SITELIB:=/usr/lib/perl$(PERL_MAJOR)/$(PERL_VERSION2)
 
 FS_STABLE_PERL_LIBS:=$(shell grep "^libs=" \
 	$(FS_STABLE_PERL_FEED)/files/base.config | \
@@ -251,14 +269,6 @@ FS_STABLE_PERL_LIBS:=$(shell grep "^libs=" \
 
 FS_STABLE_PYTHON_SITE_DIR:=$(FS_STABLE_LIB_DIR)/python$(PYTHON_VERSION)/site-packages
 
-# musl and glibc include their own iconv, but uclibc does not
-ifneq ($(CONFIG_USE_UCLIBC),)
-TARGET_CPPFLAGS+= \
-	-I$(STAGING_DIR)/usr/lib/libiconv-full/include
-TARGET_LDFLAGS += \
-	-L$(STAGING_DIR)/usr/lib/libiconv-full/lib
-endif
-
 define Download/files
 define Download/$(1)
   FILE:=$(2)
@@ -361,11 +371,11 @@ $(call Package/$(PKG_NAME)/Default)
   USERID:=$(PRG_NAME)=372:$(PRG_NAME)=372
   DEPENDS:= \
 	  $(CXX_DEPENDS) \
+	  $(ICONV_DEPENDS) \
 	  +FS_STABLE_WITH_FREETYPE:libfreetype \
 	  +FS_STABLE_WITH_ODBC:unixodbc \
 	  +FS_STABLE_WITH_PGSQL:libpq \
 	  +FS_STABLE_WITH_PNG:libpng \
-	  +USE_UCLIBC:libiconv-full \
 	  +libcurl \
 	  +libedit \
 	  +libopenssl \
@@ -388,7 +398,7 @@ endef
 
 define Package/$(PKG_NAME)/conffiles
 $(FS_STABLE_SYSCONF_DIR)/$(PRG_NAME)
-$(FS_STABLE_SYSCONF_DIR)/default/$(PRG_NAME)
+$(FS_STABLE_SYSCONF_DIR)/config/$(PRG_NAME)
 $(FS_STABLE_SYSCONF_DIR)/init.d/$(PRG_NAME)
 endef
 
@@ -401,61 +411,42 @@ $(call Package/$(PKG_NAME)/install/lib,$(1),lib$(PRG_NAME))
 	$(INSTALL_DIR) $(1)$(FS_STABLE_IMAGES_DIR)
 	$(INSTALL_DIR) $(1)$(FS_STABLE_SCRIPTS_DIR)
 	$(INSTALL_DIR) $(1)$(FS_STABLE_SOUNDS_DIR)
-	$(INSTALL_DIR) $(1)$(FS_STABLE_SYSCONF_DIR)/default
+	$(INSTALL_DIR) $(1)$(FS_STABLE_SYSCONF_DIR)/config
+	$(INSTALL_DIR) $(1)$(FS_STABLE_SYSCONF_DIR)/hotplug.d/iface
 	$(INSTALL_DIR) $(1)$(FS_STABLE_SYSCONF_DIR)/init.d
 	$(INSTALL_DIR) $(1)$(FS_STABLE_TLS_DIR)
 	$(INSTALL_BIN) ./files/$(PRG_NAME).init \
 		$(1)$(FS_STABLE_SYSCONF_DIR)/init.d/$(PRG_NAME)
-	$(INSTALL_CONF) ./files/$(PRG_NAME).default \
-		$(1)$(FS_STABLE_SYSCONF_DIR)/default/$(PRG_NAME)
+	$(INSTALL_BIN) ./files/$(PRG_NAME).hotplug \
+		$(1)$(FS_STABLE_SYSCONF_DIR)/hotplug.d/iface/90-$(PRG_NAME)
+	$(INSTALL_CONF) ./files/$(PRG_NAME).config \
+		$(1)$(FS_STABLE_SYSCONF_DIR)/config/$(PRG_NAME)
 endef
 
 define Package/$(PKG_NAME)/postinst
 #!/bin/sh
 if [ -z "$${IPKG_INSTROOT}" ]; then
-  # Prevent $(PRG_NAME) from auto-starting after an upgrade. The modules may
-  # not be upgraded yet and the user configuration may need a revision.
-  sed -i '/^ENABLE_FREESWITCH="yes"/s/^/#/' \
-    $(FS_STABLE_SYSCONF_DIR)/default/$(PRG_NAME)
-
   echo
   echo "o-------------------------------------------------------------------o"
   echo "| FreeSWITCH note                                                   |"
   echo "o-------------------------------------------------------------------o"
-  echo "| Edit /etc/default/freeswitch to change basic init configuration.  |"
+  echo "| Edit /etc/config/freeswitch to change basic init configuration.   |"
+  echo "|                                                                   |"
+  echo "| Also visit the Wiki at:                                           |"
+  echo "| https://openwrt.org/docs/guide-user/services/voip/freeswitch      |"
   echo "o-------------------------------------------------------------=^_^=-o"
   echo
-fi
-exit 0
-endef
-
-define Package/$(PKG_NAME)-misc-hotplug
-$(call Package/$(PKG_NAME)/Default)
-  TITLE:=Hotplug script
-  DEPENDS:=$(PKG_NAME)
-  PKGARCH:=all
-endef
-
-define Package/$(PKG_NAME)-misc-hotplug/description
-This package includes a hotplug script for FreeSWITCH.
-endef
-
-define Package/$(PKG_NAME)-misc-hotplug/install
-	$(INSTALL_DIR) $(1)$(FS_STABLE_SYSCONF_DIR)/hotplug.d/iface
-	$(INSTALL_BIN) ./files/$(PRG_NAME).hotplug \
-		$(1)$(FS_STABLE_SYSCONF_DIR)/hotplug.d/iface/99-$(PRG_NAME)
-endef
-
-define Package/$(PKG_NAME)-misc-hotplug/postinst
-#!/bin/sh
-if [ -z "$${IPKG_INSTROOT}" ]; then
-  echo
+  [ -f /etc/hotplug.d/iface/99-freeswitch ] && {
     echo "o-------------------------------------------------------------------o"
-  echo "| FreeSWITCH hotplug note                                           |"
+    echo "| WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING   |"
     echo "o-------------------------------------------------------------------o"
-  echo "| See /etc/default/freeswitch for hotplug hints.                    |"
+    echo "| Please remove freeswitch-stable-misc-hotplug. The hotplug script  |"
+    echo "| is now part of the main freeswitch-stable package. Please run:    |"
+    echo "|                                                                   |"
+    echo "| opkg remove freeswitch-stable-misc-hotplug                        |"
     echo "o-------------------------------------------------------------=^_^=-o"
     echo
+  }
 fi
 exit 0
 endef
@@ -679,12 +670,6 @@ CONFIGURE_ARGS+= \
 	--with-erlang=no
 endif
 
-ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-v8),)
-CONFIGURE_ARGS+= \
-	--enable-static-v8 \
-	$(if $(CONFIG_FS_STABLE_WITH_V8_SNAPSHOT),,--disable-snapshot-v8)
-endif
-
 # Make mod_spandsp use fixed point math when soft float support is
 # enabled on target devices.
 ifeq ($(CONFIG_SOFT_FLOAT),y)
@@ -739,7 +724,7 @@ endif
 
 ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-misc-perl-esl)$(CONFIG_PACKAGE_$(PKG_NAME)-mod-perl),)
 CONFIGURE_VARS+= \
-	PERL="$(PERL_CMD)" \
+	PERL="$(STAGING_DIR_HOSTPKG)/usr/bin/perl$(PERL_VERSION)" \
 	PERL_CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_REENTRANT -D_GNU_SOURCE -I$(STAGING_DIR)$(PERL_SITELIB)/CORE" \
 	PERL_INC="-I$(STAGING_DIR)$(PERL_SITELIB)/CORE" \
 	PERL_LDFLAGS="-Wl,-rpath,$(PERL_SITELIB)/CORE -L$(STAGING_DIR)$(PERL_SITELIB)/CORE -lperl" \
@@ -766,84 +751,6 @@ endif
 MAKE_VARS+= \
 	ac_cv_dev_urandom=yes
 
-ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-v8),)
-
-# arm
-ifeq ($(CONFIG_arm),y)
-  FS_STABLE_MYARCH:=arm
-  FS_STABLE_MYDEFINES:=v8_target_arch=arm
-  ifeq ($(CONFIG_arm_v6),y)
-    FS_STABLE_MYDEFINES+=arm_version=6
-  else
-    ifeq ($(CONFIG_arm_v7),y)
-      FS_STABLE_MYDEFINES+=arm_version=7
-    else
-      FS_STABLE_MYDEFINES+=arm_version=default
-    endif
-  endif
-  ifeq ($(CONFIG_VFP),y)
-    ifeq ($(CONFIG_VFPv3),y)
-      ifeq ($(CONFIG_NEON),y)
-        FS_STABLE_MYDEFINES+=arm_fpu=neon
-      else
-        FS_STABLE_MYDEFINES+=arm_fpu=vfpv3
-      endif
-    else
-      FS_STABLE_MYDEFINES+=arm_fpu=vfp
-    endif
-  else
-    FS_STABLE_MYDEFINES+=arm_fpu=default
-  endif
-  ifeq ($(CONFIG_SOFT_FLOAT),y)
-    FS_STABLE_MYDEFINES+=arm_float_abi=softfp
-  else
-    FS_STABLE_MYDEFINES+=arm_float_abi=hard
-  endif
-endif
-
-# i386
-ifeq ($(CONFIG_i386),y)
-  FS_STABLE_MYARCH:=ia32
-  FS_STABLE_MYDEFINES:=v8_target_arch=ia32
-endif
-
-# mipsel
-ifeq ($(CONFIG_mipsel),y)
-  FS_STABLE_MYARCH:=mipsel
-  FS_STABLE_MYDEFINES:=v8_target_arch=mipsel
-  ifeq ($(CONFIG_CPU_MIPS32),y)
-    ifeq ($(CONFIG_CPU_MIPS32_R2),y)
-      FS_STABLE_MYDEFINES+=mips_arch_variant=mips32r2
-    else
-      ifeq ($(CONFIG_CPU_MIPS32_R1),y)
-        FS_STABLE_MYDEFINES+=mips_arch_variant=mips32r1
-      endif
-    endif
-  endif
-  ifeq ($(CONFIG_SOFT_FLOAT),y)
-    FS_STABLE_MYDEFINES+=v8_use_mips_abi_hardfloat=false
-  else
-    FS_STABLE_MYDEFINES+=v8_use_mips_abi_hardfloat=true
-  endif
-endif
-
-# x86_64
-ifeq ($(CONFIG_x86_64),y)
-  FS_STABLE_MYARCH:=x64
-  FS_STABLE_MYDEFINES:=v8_target_arch=x64
-endif
-
-MAKE_VARS+= \
-	FS_STABLE_HOSTCC="$(HOSTCC)" \
-	FS_STABLE_HOSTCXX="$(HOSTCXX)" \
-	FS_STABLE_HOST_CFLAGS="$(HOST_CFLAGS)" \
-	FS_STABLE_HOST_LDFLAGS="$(HOST_LDFLAGS)" \
-	FS_STABLE_HOST_PYTHONPATH="$(HOST_PYTHONPATH)" \
-	FS_STABLE_MYARCH="$(FS_STABLE_MYARCH)" \
-	FS_STABLE_MYDEFINES="$(FS_STABLE_MYDEFINES)"
-
-endif
-
 # Make sphinxbase use fixed point math when soft float support is
 # enabled on target devices.
 ifeq ($(CONFIG_SOFT_FLOAT),y)
@@ -871,12 +778,8 @@ FS_STABLE_SPHINXMODEL_FILE:=communicator_semi_6000_20080321.tar.gz
 FS_STABLE_SPHINXMODEL_HASH:=dbb5e9fb85000a7cb97d6958a3ef8d77532dc55fc730ac6979705e8645cb0c18
 
 # mod_radius_cdr
-FS_STABLE_FREERADIUS_CLIENT_FILE:=freeradius-client-1.1.6.tar.gz
-FS_STABLE_FREERADIUS_CLIENT_HASH:=3fc609af328258e00345389d5478b099fe4ea3ad694d0472525ef3adab9cf053
-
-# mod_v8
-FS_STABLE_V8_FILE:=v8-3.24.14.tar.bz2
-FS_STABLE_V8_HASH:=395f4eaf5580b973b1e33fe0aa27f8d013ddf1b163ad76992c50dd91ff182828
+FS_STABLE_FREERADIUS_CLIENT_FILE:=freeradius-client-1.1.7.tar.gz
+FS_STABLE_FREERADIUS_CLIENT_HASH:=eada2861b8f4928e3ac6b5bbfe11e92cd6cdcacfce40cae1085e77c1b6add0e9
 
 ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-event-zmq),)
 $(eval $(call Download/files,zmq,$(FS_STABLE_ZEROMQ_FILE),$(FS_STABLE_ZEROMQ_URL),$(FS_STABLE_ZEROMQ_HASH)))
@@ -892,10 +795,6 @@ ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-radius-cdr),)
 $(eval $(call Download/files,freeradius-client,$(FS_STABLE_FREERADIUS_CLIENT_FILE),$(FS_STABLE_LIBS_URL),$(FS_STABLE_FREERADIUS_CLIENT_HASH)))
 endif
 
-ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-v8),)
-$(eval $(call Download/files,v8,$(FS_STABLE_V8_FILE),$(FS_STABLE_LIBS_URL),$(FS_STABLE_V8_HASH)))
-endif
-
 # Need to update LDFLAGS for libs/unimrcp, otherwise it will try to link to a
 # different apr/apr-util if found.
 # FS_STABLE_ANCHOR: string in build/acmacros/apr.m4 that will be replaced
@@ -905,13 +804,11 @@ FS_STABLE_APR_LIBS:=-L$(PKG_BUILD_DIR)/libs/apr -L$(PKG_BUILD_DIR)/libs/apr-util
 define Build/Prepare
 	$(call Build/Prepare/Default)
 
-	$(RM) -r $(PKG_BUILD_DIR)/libs/tiff-*
-
 	echo '#applications/mod_random' >> $(PKG_BUILD_DIR)/modules.conf
 	echo '#codecs/mod_yuv' >> $(PKG_BUILD_DIR)/modules.conf
 	echo '#event_handlers/mod_event_test' >> $(PKG_BUILD_DIR)/modules.conf
 
-	$(SED) 's|$(FS_STABLE_ANCHOR)|APR_SETVAR(LDFLAGS,$(FS_STABLE_APR_LIBS) $(TARGET_LDFLAGS))|' \
+	$(SED) 's|$(FS_STABLE_ANCHOR)|APR_SETVAR(LDFLAGS,[$(FS_STABLE_APR_LIBS) $(TARGET_LDFLAGS)])|' \
 		$(PKG_BUILD_DIR)/libs/unimrcp/build/acmacros/apr.m4
 endef
 
@@ -961,10 +858,6 @@ ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-radius-cdr),)
 	$(CP) $(DL_DIR)/$(FS_STABLE_FREERADIUS_CLIENT_FILE) $(PKG_BUILD_DIR)/libs
 endif
 
-ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-v8),)
-	$(CP) $(DL_DIR)/$(FS_STABLE_V8_FILE) $(PKG_BUILD_DIR)/libs
-endif
-
 # Compile FreeTDM first
 ifneq ($(CONFIG_PACKAGE_$(PKG_LIBFTDM)),)
 	$(call Build/Compile/Default,-C $(PKG_BUILD_DIR)/libs/$(FTDM))
@@ -1025,7 +918,6 @@ endef
 
 $(eval $(call BuildPackage,$(PKG_LIBFTDM)))
 $(eval $(call BuildPackage,$(PKG_NAME)))
-$(eval $(call BuildPackage,$(PKG_NAME)-misc-hotplug))
 $(eval $(call BuildPackage,$(PKG_NAME)-misc-perl-esl))
 $(eval $(call BuildPackage,$(PKG_NAME)-misc-python-esl))
 $(eval $(call BuildPackage,$(PKG_NAME)-misc-timezones))
@@ -1144,6 +1036,7 @@ $(eval $(call Package/$(PKG_NAME)/Module,event_socket,Event socket,Sends events
 $(eval $(call Package/$(PKG_NAME)/Module,event_test,Event test,Event demo module.,))
 $(eval $(call Package/$(PKG_NAME)/Module,event_zmq,ZMQ event,ZMQ event module.,@!USE_UCLIBCXX))
 $(eval $(call Package/$(PKG_NAME)/Module,expr,Expr,This module adds expr support for expression evaluation.,))
+$(eval $(call Package/$(PKG_NAME)/Module,fail2ban,Fail2ban logging,Provides support for Fail2ban logging.,))
 $(eval $(call Package/$(PKG_NAME)/Module,fifo,FIFO,This module adds a first-in first-out queue system.,))
 $(eval $(call Package/$(PKG_NAME)/Module,format_cdr,Multiformat CDR,A superset of mod_json_cdr and mod_xml_cdr.,))
 $(eval $(call Package/$(PKG_NAME)/Module,$(FTDM),FreeTDM endpoint,This module is the glue between FreeSWITCH and FreeTDM.,+$(PKG_LIBFTDM)))
@@ -1183,6 +1076,7 @@ $(eval $(call Package/$(PKG_NAME)/Module,prefix,Prefix match,This module provide
 $(eval $(call Package/$(PKG_NAME)/Module,python,Python,Python support module.,+python-light))
 $(eval $(call Package/$(PKG_NAME)/Module,radius_cdr,Radius CDR,Radius Call Detail Record handler.,))
 $(eval $(call Package/$(PKG_NAME)/Module,random,Entropy,This module extracts entropy from FreeSWITCH and feeds it into\n/dev/random.,))
+$(eval $(call Package/$(PKG_NAME)/Module,raven,Raven logging,Adds support for logging to Raven instances.,))
 $(eval $(call Package/$(PKG_NAME)/Module,rayo,Rayo,Rayo/XMPP 3PCC server for FreeSWITCH.,+$(PKG_NAME)-mod-ssml))
 $(eval $(call Package/$(PKG_NAME)/Module,redis,Redis limit backend,This module provides a mechanism to use Redis as a limit backend data\nstore.,))
 $(eval $(call Package/$(PKG_NAME)/Module,rss,RSS,Parses and reads XML based RSS feeds and reads the entries aloud via a TTS engine.,))
@@ -1226,9 +1120,9 @@ $(eval $(call Package/$(PKG_NAME)/Module,tone_stream,Tone stream,Tone generation
 $(eval $(call Package/$(PKG_NAME)/Module,translate,Number translation,This module implements number translation.,))
 $(eval $(call Package/$(PKG_NAME)/Module,tts_commandline,TTS command-line,Run a command-line and play the output file.,))
 $(eval $(call Package/$(PKG_NAME)/Module,unimrcp,UniMRCP,Allows communication with Media Resource Control Protocol servers.,))
-$(eval $(call Package/$(PKG_NAME)/Module,v8,V8,This package contains mod_v8 for FreeSWITCH.,@!USE_UCLIBCXX @FS_STABLE_WITH_V8 @arm||i386||mipsel||x86_64))
 $(eval $(call Package/$(PKG_NAME)/Module,valet_parking,Valet parking,This module implements the valet call parking strategy.,))
 $(eval $(call Package/$(PKG_NAME)/Module,verto,Verto,Verto signaling protocol.,))
+$(eval $(call Package/$(PKG_NAME)/Module,video_filter,Video filter chromakey,This module provides a media bug for chromakey functionality.,))
 $(eval $(call Package/$(PKG_NAME)/Module,vmd,Voicemail detection,This module detects voicemail beeps.,))
 $(eval $(call Package/$(PKG_NAME)/Module,voicemail,Voicemail,This module provides a voicemail system.,))
 $(eval $(call Package/$(PKG_NAME)/Module,voicemail_ivr,Voicemail IVR,This module provides an extensible voicemail IVR system.,))

net/freeswitch-stable/files/freeswitch.config

@@ -0,0 +1,23 @@
+
+config freeswitch 'general'
+	option enabled '0'
+	option user 'freeswitch'
+	option group 'freeswitch'
+	option log_stderr '1'
+	option log_stdout '1'
+	option options '-nonat -np'
+
+config freeswitch 'directories'
+	option cache '/tmp/freeswitch/cache'
+	option db '/tmp/freeswitch/db'
+	option log '/tmp/freeswitch/log'
+	option recordings '/tmp/freeswitch/recordings'
+	option storage '/tmp/freeswitch/storage'
+	option temp '/tmp/freeswitch/temp'
+
+config freeswitch 'hotplug'
+	#option interface 'wan'
+	#option mount_point '/mnt/usb'
+	option ntpd '0'
+	option timeout '60'
+

net/freeswitch-stable/files/freeswitch.default

@@ -1,44 +0,0 @@
-### FreeSWITCH configuration ###
-
-# Uncomment once you verified your configuration, otherwise the init script will
-# not start FreeSWITCH.
-#ENABLE_FREESWITCH="yes"
-
-#FS_USER=freeswitch
-#FS_GROUP=freeswitch
-
-#FS_DIR_CACHE="/tmp/freeswitch/cache"
-
-# Don't point FS_DIR_DB toward a flash drive, e.g. the flash drive of your
-# router. FreeSWITCH will be writing constantly to its databases, which would
-# degrade the flash over time. Point it to a tmpfs destination like /dev/shm or
-# /tmp instead in order for the writes to go to RAM.
-#FS_DIR_DB="/tmp/freeswitch/db"
-
-#FS_DIR_LOG="/tmp/freeswitch/log"
-#FS_DIR_RECORDINGS="/tmp/freeswitch/recordings"
-#FS_DIR_STORAGE="/tmp/freeswitch/storage"
-#FS_DIR_TEMP="/tmp/freeswitch/temp"
-
-# The following is added to the command line when starting FreeSWITCH:
-OPTIONS="-nonat -np"
-
-### Hotplug configuration ###
-
-# Only used by the FreeSWITCH hotplug script (available in a seperate package).
-
-# Provide the interface that needs to change its state to "up" (if unset the
-# hotplug script does nothing):
-#FS_HOTPLUG_INTERFACE="wan"
-
-# You can add conditions which need to be met before FreeSWITCH is started.
-
-# Uncomment to check if something is mounted here:
-#FS_HOTPLUG_MOUNTPOINT="/mnt/usb"
-
-# Uncomment to check if ntpd is running and has set the system time:
-#FS_HOTPLUG_NTPD="check"
-
-# Uncomment to change the default timeout of 60 seconds that the hotplug script
-# waits for a condition to turn from false to true:
-#FS_HOTPLUG_TIMEOUT="20"

net/freeswitch-stable/files/freeswitch.hotplug

@@ -1,53 +1,51 @@
 #!/bin/sh
 
-FS=freeswitch
-DEFAULT=/etc/default/$FS
-LOGGER="/usr/bin/logger -t ${FS}-hotplug"
+NAME=freeswitch
+COMMAND=/etc/init.d/$NAME
+
+LOGGER="/usr/bin/logger -t $NAME-hotplug"
 LOG_ERR="$LOGGER -p user.err --"
 LOG_NOTICE="$LOGGER -p user.notice --"
-LOG_WARN="$LOGGER -p user.warn --"
 
 [ "$ACTION" = ifup ] || exit 0
 
-[ -f $DEFAULT ] && . $DEFAULT
+. /lib/functions.sh
+config_load $NAME
 
-[ -n "$FS_HOTPLUG_INTERFACE" ] || exit 0
+config_get interface hotplug interface
 
-[ "$INTERFACE" = "$FS_HOTPLUG_INTERFACE" ] || exit 0
+[ "$INTERFACE" = "$interface" ] || exit 0
 
-pgrep $FS &> /dev/null
+pidof $NAME &> /dev/null
 if [ $? -eq 0 ]; then
-  $LOG_NOTICE Stopping $FS
-  /etc/init.d/$FS stop &> /dev/null
-  pgrep $FS &> /dev/null
-  if [ $? -eq 0 ]; then
-    $LOG_ERR Failed to stop $FS
-    exit 1
-  else
-    $LOG_NOTICE $FS stopped
-  fi
+  $LOG_NOTICE stopping $NAME
+  $COMMAND stop &> /dev/null
 fi
 
-[ "$FS_HOTPLUG_TIMEOUT" -gt 0 ] 2> /dev/null || unset FS_HOTPLUG_TIMEOUT
-TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
+config_get timeout hotplug timeout 60
 
-# Mount condition, idea lifted from OpenWrt wiki
-[ -n "$FS_HOTPLUG_MOUNTPOINT" ] && {
+[ "$timeout" -gt 0 ] 2> /dev/null || unset timeout
+timeout="${timeout:-60}"
 
-  if ! [ -d "$FS_HOTPLUG_MOUNTPOINT" ]; then
-    $LOG_ERR "$FS_HOTPLUG_MOUNTPOINT" not a valid mount point
+config_get mount_point hotplug mount_point
+
+# Mount condition, idea lifted from OpenWrt Wiki
+[ -n "$mount_point" ] && {
+
+  if ! [ -d "$mount_point" ]; then
+    $LOG_ERR "$mount_point" not a valid mount point
     exit 1
   fi
 
-  mnt="$FS_HOTPLUG_MOUNTPOINT"
+  mnt="$mount_point"
   notReady=start
-  timeout=$TIMEOUT
+  tmp_timeout=$timeout
 
-  while [ -n "$notReady" -a $timeout -gt 0 ]; do
+  while [ -n "$notReady" -a $tmp_timeout -gt 0 ]; do
     if [ "$notReady" != start ]; then
-      $LOG_NOTICE "$mnt" not yet mounted, timeout in $timeout s
+      $LOG_NOTICE "$mnt" not yet mounted, timeout in $tmp_timeout s
       sleep 5
-      timeout=$(($timeout-5))
+      tmp_timeout=$(($tmp_timeout-5))
     fi
 
     notReady=
@@ -60,7 +58,7 @@ TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
 
   if [ -n "$notReady" ]; then
     $LOG_ERR "$mnt" still not mounted
-    $LOG_ERR Not starting $FS
+    $LOG_ERR not starting $NAME
     exit 1
   else
     $LOG_NOTICE "$mnt" mounted
@@ -68,8 +66,10 @@ TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
 
 }
 
+config_get_bool ntpd hotplug ntpd 0
+
 # ntpd condition
-[ -n "$FS_HOTPLUG_NTPD" ] && {
+[ $ntpd -eq 1 ] && {
 
   type ntpq &> /dev/null
   [ $? -eq 0 ] || {
@@ -77,24 +77,19 @@ TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
     exit 1
   }
 
-  pgrep ntpd &> /dev/null || {
+  pidof ntpd &> /dev/null || {
     $LOG_ERR ntpd not running
     exit 1
   }
 
   notReady=start
-  timeout=$TIMEOUT
+  tmp_timeout=$timeout
 
-  result=$(uci get 'system.ntp.enabled' 2> /dev/null)
-  [ "$result" -eq 1 ] 2> /dev/null && {
-    $LOG_WARN BusyBox NTP client _and_ ntpd running
-  }
-
-  while [ -n "$notReady" -a $timeout -gt 0 ]; do
+  while [ -n "$notReady" -a $tmp_timeout -gt 0 ]; do
     if [ "$notReady" != start ]; then
-      $LOG_NOTICE System time not in sync yet, timeout in $timeout s
+      $LOG_NOTICE system time not in sync yet, timeout in $tmp_timeout s
       sleep 5
-      timeout=$(($timeout-5))
+      tmp_timeout=$(($tmp_timeout-5))
     fi
 
     notReady=
@@ -102,7 +97,7 @@ TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
     result=$(ntpq -c 'timeout 300' -c 'rv 0 stratum' 2> /dev/null | \
                     awk -F '=' '{print $2}' | grep -o -E '^[0-9]+')
     if [ -z $result ]; then
-      $LOG_WARN Failed to extract stratum from ntpd
+      $LOG_ERR failed to extract stratum from ntpd
       notReady="unable to extract stratum"
     else
       $LOG_NOTICE ntpd stratum $result
@@ -110,7 +105,7 @@ TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
         result=$(ntpq -c 'timeout 300' -c 'rv 0 offset' 2> /dev/null \
                  | awk -F '=' '{print $2}' | grep -o -E '^-?[0-9]+')
         if [ -z $result ]; then
-          $LOG_WARN Failed to extract offset from ntpd
+          $LOG_ERR failed to extract offset from ntpd
           notReady="unable to extract offset"
         else
           # "-0" looks stupid, so remove "-"
@@ -126,22 +121,21 @@ TIMEOUT="${FS_HOTPLUG_TIMEOUT:-60}"
   done
 
   if [ -n "$notReady" ]; then
-    $LOG_ERR System time still not in sync
-    $LOG_ERR Not starting $FS
+    $LOG_ERR system time still not in sync
+    $LOG_ERR not starting $NAME
     exit 1
   else
-    $LOG_NOTICE System time in sync
+    $LOG_NOTICE system time in sync
   fi
 
 }
 
-/etc/init.d/$FS start &> /dev/null
-# Wait a bit in order for pgrep to be able to find the new process
+$COMMAND start &> /dev/null
 sleep 1
-pgrep $FS &>/dev/null
+pidof $NAME &>/dev/null
 if [ $? -eq 0 ]; then
-  $LOG_NOTICE Started $FS due to \"ifup "$INTERFACE"\" event
+  $LOG_NOTICE started $NAME due to \"ifup "$INTERFACE"\" event
 else
-  $LOG_ERR Start of $FS due to \"ifup "$INTERFACE"\" event failed
+  $LOG_ERR start of $NAME due to \"ifup "$INTERFACE"\" event failed
   exit 1
 fi

net/freeswitch-stable/files/freeswitch.init

@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2017 OpenWrt.org
+# Copyright (C) 2017 - 2018 OpenWrt.org
 
 START=90
 
@@ -7,124 +7,123 @@ USE_PROCD=1
 
 #PROCD_DEBUG=1
 
-FS=freeswitch
-DEFAULT=/etc/default/$FS
-LOGGER="/usr/bin/logger -p user.err -s -t $FS"
-OPTIONS=
-PROG=/usr/bin/$FS
-TIMEOUT=30
+NAME=freeswitch
+COMMAND=/usr/bin/$NAME
 
-[ -f $DEFAULT ] && . $DEFAULT
-
-fs_user="${FS_USER:-$FS}"
-fs_group="${FS_GROUP:-$FS}"
-
-fs_dir_etc="/etc/$FS"
-fs_dir_localstate="/var/lib/$FS"
-fs_dir_run="/var/run/$FS"
-
-fs_dir_cache="${FS_DIR_CACHE:-/tmp/$FS/cache}"
-fs_dir_db="${FS_DIR_DB:-/tmp/$FS/db}"
-fs_dir_log="${FS_DIR_LOG:-/tmp/$FS/log}"
-fs_dir_recordings="${FS_DIR_RECORDINGS:-/tmp/$FS/recordings}"
-fs_dir_storage="${FS_DIR_STORAGE:-/tmp/$FS/storage}"
-fs_dir_temp="${FS_DIR_TEMP:-/tmp/$FS/temp}"
+LOGGER="/usr/bin/logger -p user.err -s -t $NAME --"
 
 start_service() {
-  local dir=
+  local dir
+  local enabled
 
-  if [ "$ENABLE_FREESWITCH" != yes ]; then
-    $LOGGER User configuration incomplete - not starting $FS
-    $LOGGER Check ENABLE_FREESWITCH in $DEFAULT
+  local user
+  local group
+
+  local log_stderr
+  local log_stdout
+
+  local dir_cache
+  local dir_db
+  local dir_etc=/etc/$NAME
+  local dir_localstate=/var/lib/$NAME
+  local dir_log
+  local dir_recordings
+  local dir_run=/var/run/$NAME
+  local dir_storage
+  local dir_temp
+
+  local options
+
+  config_load $NAME
+
+  config_get_bool enabled general enabled 0
+  if [ $enabled -eq 0 ]; then
+    $LOGGER service not enabled in /etc/config/$NAME
     exit 1
   fi
 
-  for dir in "$fs_dir_cache" "$fs_dir_db" "$fs_dir_localstate" \
-    "$fs_dir_log" "$fs_dir_recordings" "$fs_dir_run" "$fs_dir_storage" \
-    "$fs_dir_temp"
-  do
-    [ -n "$dir" ] && {
-      mkdir -p "$dir"
-      chown "$fs_user":"$fs_group" "$dir"
-      chmod 750 "$dir"
-    }
-  done
+  config_get user  general user  $NAME
+  config_get group general group $NAME
 
-  #[ -d "$fs_dir_etc" ] && {
-  #  find "$fs_dir_etc" -type f -exec chown root:"$fs_group" {} \;
-  #  find "$fs_dir_etc" -type f -exec chmod 640 {} \;
-  #}
+  config_get_bool log_stderr general log_stderr 1
+  config_get_bool log_stdout general log_stdout 1
+
+  config_get dir_cache      directories cache      /tmp/$NAME/cache
+  config_get dir_db         directories db         /tmp/$NAME/db
+  config_get dir_log        directories log        /tmp/$NAME/log
+  config_get dir_recordings directories recordings /tmp/$NAME/recordings
+  config_get dir_storage    directories storage    /tmp/$NAME/storage
+  config_get dir_temp       directories temp       /tmp/$NAME/temp
+
+  user_exists "$user" || {
+    $LOGGER user \""$user"\" does not exist
+    exit 1
+  }
+
+  group_exists "$group" || {
+    $LOGGER group \""$group"\" does not exist
+    exit 1
+  }
+
+  # do not touch directories that already exist
+  # posix shell does not support arrays, hence using awk
+  awk \
+    -v user="$user" \
+    -v group="$group" \
+    -v a="$dir_cache" \
+    -v b="$dir_db" \
+    -v c="$dir_localstate" \
+    -v d="$dir_log" \
+    -v e="$dir_recordings" \
+    -v f="$dir_run" \
+    -v g="$dir_storage" \
+    -v h="$dir_temp" \
+    '
+      BEGIN {
+        dir[0]=a
+        dir[1]=b
+        dir[2]=c
+        dir[3]=d
+        dir[4]=e
+        dir[5]=f
+        dir[6]=g
+        dir[7]=h
+        for (x in dir) {
+          if (system("test ! -e \"" dir[x] "\"" )) {
+            delete dir[x]
+          }
+        }
+        for (x in dir) {
+          system("mkdir -p \"" dir[x] "\"" )
+          system("chmod 750 \"" dir[x] "\"" )
+          system("chown \"" user "\":\"" group "\" \"" dir[x] "\"" )
+        }
+      }
+    '
+
+  config_get options general options
 
   procd_open_instance
   # starting with full path seems cleaner judging by 'ps' output
-  procd_set_param command $PROG
+  procd_set_param command $COMMAND
   # need to specify all or none of -conf, -log, and -db
   procd_append_param command \
-    -cache "$fs_dir_cache" \
-    -conf "$fs_dir_etc" \
-    -db "$fs_dir_db" \
-    -g "$fs_group" \
-    -log "$fs_dir_log" \
-    -recordings "$fs_dir_recordings" \
-    -run "$fs_dir_run" \
-    -storage "$fs_dir_storage" \
-    -temp "$fs_dir_temp" \
-    -u "$fs_user" \
-    $OPTIONS \
-    -nc \
-    -nf
+    -cache "$dir_cache" \
+    -conf "$dir_etc" \
+    -db "$dir_db" \
+    -g "$group" \
+    -log "$dir_log" \
+    -recordings "$dir_recordings" \
+    -run "$dir_run" \
+    -storage "$dir_storage" \
+    -temp "$dir_temp" \
+    -u "$user" \
+    $options \
+    -c
   # forward stderr to logd
-  procd_set_param stderr 1
+  procd_set_param stderr $log_stderr
+  # same for stdout
+  procd_set_param stdout $log_stdout
   procd_close_instance
 }
 
-stop_service() {
-  local retval=
-  local mypid=
-  local timeout=$TIMEOUT
-
-  pgrep $FS &> /dev/null
-  [ $? -ne 0 ] && exit 0
-
-  [ -f "$fs_dir_run"/${FS}.pid ]
-  retval=$?
-
-  # init script could find itself in a scenario where FS was started
-  # very recently, so make it wait a while for a pid file to appear
-  while [ $retval -ne 0 -a $timeout -gt 0 ]; do
-    sleep 1
-    [ -f "$fs_dir_run"/${FS}.pid ]
-    retval=$?
-    timeout=$(($timeout-1))
-  done
-
-  [ $retval -eq 0 ] || {
-    $LOGGER PID file does not exist
-    exit 1
-  }
-
-  mypid=$(cat "$fs_dir_run"/${FS}.pid)
-
-  [ "$mypid" -gt 1 ] 2> /dev/null || {
-    $LOGGER PID file contains garbage
-    exit 1
-  }
-
-  timeout=$TIMEOUT
-  kill $mypid 2>/dev/null
-  pgrep $FS | grep -w $mypid &>/dev/null
-  retval=$?
-
-  while [ $retval -eq 0 -a $timeout -gt 0 ]; do
-    sleep 10
-    pgrep $FS | grep -w $mypid &>/dev/null
-    retval=$?
-    [ $retval -eq 0 ] && kill $mypid 2>/dev/null
-    timeout=$(($timeout-10))
-  done
-
-  [ $retval -ne 1 ] && {
-    $LOGGER Failed to stop $FS
-    exit 1
-  }
-}

net/freeswitch-stable/patches/020-fix-fs_cli-typo.patch

@@ -0,0 +1,27 @@
+commit f76230b16ed6e28847a00e1fa4edd46d19a52251
+Author: Sebastian Kemper <sebastian_ml@gmx.net>
+Date:   Thu Aug 2 23:38:43 2018 +0200
+
+    FS-11309: [fs_cli] fix typo
+    
+    Commit bc3e1c9e7de1855eec454bba467fd2586e5e251b introduced a typo that
+    results in EL_REFRESH never being used, even if available. This can
+    cause the screen to garble.
+    
+    This fixes the typo.
+    
+    Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
+
+diff --git a/libs/esl/fs_cli.c b/libs/esl/fs_cli.c
+index b4a5838175..d52422dd4c 100644
+--- a/libs/esl/fs_cli.c
++++ b/libs/esl/fs_cli.c
+@@ -674,7 +674,7 @@ static void redisplay(void)
+ 	esl_mutex_lock(MUTEX);
+ 	{
+ #ifdef HAVE_LIBEDIT
+-#ifdef XHAVE_DECL_EL_REFRESH
++#ifdef HAVE_DECL_EL_REFRESH
+ #ifdef HAVE_EL_WSET
+ 		/* Current libedit versions don't implement EL_REFRESH in eln.c so
+ 		 * use the wide version instead. */

net/freeswitch-stable/patches/030-fix-configure-ac.patch

@@ -31,7 +31,7 @@
  else
      CC_FOR_BUILD='$(CC)'
  fi
-@@ -667,7 +643,7 @@ AC_ARG_ENABLE(core-pgsql-pkgconfig,
+@@ -649,7 +625,7 @@ AC_ARG_ENABLE(core-pgsql-pkgconfig,
  	[AS_HELP_STRING([--disable-core-pgsql-pkgconfig], [Use pg_config to get PGQSL build options])],[enable_core_pgsql_pkgconfig="$enableval"],[enable_core_pgsql_pkgconfig="yes"])
  
  if test x"$enable_core_pgsql_support" = x"yes" ; then
@@ -40,7 +40,7 @@
    AC_PATH_PROG([PKG_CONFIG], [pkg-config], [no])
      if test "$PKG_CONFIG" = "no" \
         || test x"$enable_core_pgsql_pkgconfig" = x"no" \
-@@ -1555,13 +1531,7 @@ AC_CHECK_PROG(PERL,perl,[ac_cv_have_perl
+@@ -1614,13 +1590,7 @@ AC_CHECK_PROG(PERL,perl,[ac_cv_have_perl
  # -a "x$ac_cv_have_EXTERN_h" != "xno"
  
  if test "x$ac_cv_have_perl" != "xno"; then
@@ -55,7 +55,7 @@
  
     save_CFLAGS="$CFLAGS"
     CFLAGS="$PERL_CFLAGS"
-@@ -1656,24 +1626,12 @@ then
+@@ -1715,24 +1685,12 @@ then
  		if test "$python_has_distutils" != "no" ; then
  			AC_MSG_CHECKING([location of site-packages])
  

net/freeswitch-stable/patches/040-gentls_cert_update_message_digest.patch

@@ -0,0 +1,51 @@
+commit 70d1cbafe4ab0176cd9fc01f740e34cd1bae326b
+Author: Sebastian Kemper <sebastian_ml@gmx.net>
+Date:   Wed Nov 13 20:29:50 2019 +0100
+
+    [gentls_cert] Update message digest
+    
+    Debian Buster updated /etc/ssl/openssl.cnf to default to
+    
+    MinProtocol = TLSv1.2
+    CipherString = DEFAULT@SECLEVEL=2
+    
+    gentls_cert currently uses SHA1 as message digest. According to OpenSSL
+    documentation this only offers 80 bit of security. 80 bits is enough for
+    security level 1, but not 2.
+    
+    The OpenSSL default MD nowadays is SHA256. This commit updates
+    gentls_cert to use it.
+    
+    Issue was reported on the FS mailing list. The certificates created by
+    gentls_cert caused "md too weak" errors and clients were unable to
+    connect.
+    
+    Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
+
+diff --git a/scripts/gentls_cert.in b/scripts/gentls_cert.in
+index 43aa8ac605..dd56c9f6dc 100644
+--- a/scripts/gentls_cert.in
++++ b/scripts/gentls_cert.in
+@@ -89,7 +89,7 @@ setup_ca() {
+ 
+ 	openssl req -out "${CONFDIR}/CA/cacert.pem" \
+ 		-new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
+-		-config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
++		-config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha256 >/dev/null || exit 1
+ 	cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
+ 	cp $TMPFILE.cfg /tmp/ssl.cfg
+ 	rm "${TMPFILE}.cfg"
+@@ -131,11 +131,11 @@ generate_cert() {
+ 
+ 	openssl req -new -out "${TMPFILE}.req" \
+ 		-newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
+-		-config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
++		-config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
+ 
+ 	openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
+ 		-in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
+-		-extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
++		-extensions "${EXTENSIONS}" -days ${DAYS} -sha256 >/dev/null || exit 1
+ 
+ 	cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
+ 

net/freeswitch-stable/patches/120-fix-copts.diff

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1941,7 +1941,12 @@ AC_SUBST(OUR_DISABLED_INSTALL_MODS)
+@@ -2018,7 +2018,12 @@ AC_SUBST(OUR_DISABLED_INSTALL_MODS)
  AC_SUBST(OUR_DISABLED_UNINSTALL_MODS)
  AC_SUBST(AM_MAKEFLAGS)
  

net/freeswitch-stable/patches/140-libvpx-cross.patch

@@ -1,6 +1,6 @@
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -549,8 +549,13 @@ libs/libedit/src/.libs/libedit.a:
+@@ -577,8 +577,13 @@ libs/libedit/src/.libs/libedit.a:
  libs/libzrtp/libzrtp.a:
  	cd libs/libzrtp && $(MAKE)
  
@@ -8,10 +8,10 @@
 +# - added CROSS and set target to generic-gnu for cross-compile
 +# - added CPPFLAGS to CFLAGS, otherwise they would be ignored
 +# - disabled optimizations that would override OpenWrt's CFLAGS
-+# - added a size limit like Debian does to address CVE-2017-0641
++
  libs/libvpx/Makefile:
--	cd libs/libvpx && CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --extra-cflags="$(VISIBILITY_FLAG)"
-+	cd libs/libvpx && CROSS="$(CROSS)" CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS) $(CPPFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --target=generic-gnu --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --extra-cflags="$(VISIBILITY_FLAG)" --disable-optimizations --size-limit=16384x16384
+-	cd libs/libvpx && CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --size-limit=16384x16384 --extra-cflags="$(VISIBILITY_FLAG)"
++	cd libs/libvpx && CROSS="$(CROSS)" CC="$(CC)" CXX="$(CXX)" CFLAGS="$(CFLAGS) $(CPPFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --target=generic-gnu --enable-pic --disable-docs --disable-examples --disable-install-bins --disable-install-srcs --disable-unit-tests --size-limit=16384x16384 --extra-cflags="$(VISIBILITY_FLAG)" --disable-optimizations
  
  libs/libvpx/libvpx.a: libs/libvpx/Makefile
  	@cd libs/libvpx && $(MAKE)

net/freeswitch-stable/patches/240-mod_v8.patch

@@ -1,87 +0,0 @@
---- a/src/mod/languages/mod_v8/Makefile.am
-+++ b/src/mod/languages/mod_v8/Makefile.am
-@@ -15,12 +15,17 @@ V8_LIBEXT=dylib
- V8_BUILDPARAMS=snapshot=off i18nsupport=off
- V8_SNAPSHOT=nosnapshot
- else
--V8_LIBDIR=$(V8_BUILDDIR)/out/native/lib.target
-+V8_LIBDIR=$(V8_BUILDDIR)/out/$(FS_STABLE_MYARCH).release/lib.target
- V8_LIBEXT=so
- # Some gcc versions report warnings incorrectly
- V8_BUILDPARAMS=strictaliasing=off werror=no i18nsupport=off
-+if DISABLE_SNAPSHOT_V8
-+V8_BUILDPARAMS+=snapshot=off
-+V8_SNAPSHOT=nosnapshot
-+else
- V8_SNAPSHOT=snapshot
- endif
-+endif
- 
- if ENABLE_STATIC_V8
- # Build the static lib version of V8
-@@ -29,8 +34,8 @@ V8_STATIC_DIR=$(V8_BUILDDIR)/out/native
- V8_ICU_STATIC_DIR=$(V8_BUILDDIR)/out/native
- V8_CXXFLAGS =
- else
--V8_STATIC_DIR=$(V8_BUILDDIR)/out/native/obj.target/tools/gyp
--V8_ICU_STATIC_DIR=$(V8_BUILDDIR)/out/native/obj.target/third_party/icu
-+V8_STATIC_DIR=$(V8_BUILDDIR)/out/$(FS_STABLE_MYARCH).release/obj.target/tools/gyp
-+V8_ICU_STATIC_DIR=$(V8_BUILDDIR)/out/$(FS_STABLE_MYARCH).release/obj.target/third_party/icu
- V8_CXXFLAGS = -fPIC
- endif
- V8LIB=$(V8_STATIC_DIR)/libv8_base*.a
-@@ -46,11 +51,6 @@ else
- V8_EXTRA_BUILD_PARAMS=--no-parallel
- endif
- 
--# Try to find the target platform for our configured CXX compiler
--# Parse the result one extra time to handle different i386 platforms (i386, i486 etc)
--CXX_TARGET_PLATFORM := $(shell $(CXX) -v 2>&1 | grep Target | cut '-d:' -f2 | cut '-d-' -f1 | tr -d ' ')
--CXX_TARGET_PLATFORM_I386 := $(shell echo "$(CXX_TARGET_PLATFORM)" | sed 's/^\(.\{1\}\)\(.\{1\}\)/\13/')
--
- MODNAME=mod_v8
- 
- AM_CFLAGS    += -I. -I./include -I$(switch_srcdir)/src/mod/languages/mod_v8/include -I$(V8_DIR)/include
-@@ -121,21 +121,13 @@ $(V8_DIR)/.stamp-patch: $(V8_DIR)
- 
- $(V8LIB): $(V8_DIR) $(V8_DIR)/.stamp-patch
- 	mkdir -p $(V8_BUILDDIR)
--	if test "$(CXX_TARGET_PLATFORM)" = "x86_64"; then \
--	   defines="v8_target_arch=x64 target_arch=x64"; \
--	else \
--	   if test "$(CXX_TARGET_PLATFORM)" = "arm"; then \
--	      defines="v8_target_arch=arm target_arch=arm"; \
--	   else \
--	      if test "$(CXX_TARGET_PLATFORM_I386)" = "i386"; then \
--	         defines="v8_target_arch=ia32 target_arch=ia32"; \
--	      fi; \
--	   fi; \
--	fi; \
--	cd $(V8_BUILDDIR) && CFLAGS="$(V8_CXXFLAGS)" CXXFLAGS="$(V8_CXXFLAGS)" \
--	LINK=@CXX@ CXX=@CXX@ GYPFLAGS="$(V8_EXTRA_BUILD_PARAMS)" GYP_DEFINES="$$defines" \
--	OUTDIR=$(V8_BUILDDIR)/out \
--	PYTHONPATH="$(V8_DIR)/build/gyp/pylib:$(PYTHONPATH)" $(MAKE) -C $(V8_DIR) $(V8_BUILDPARAMS) native
-+	cd $(V8_BUILDDIR) && sed -i "/'want_separate_host_toolset': 0,/s/0/1/" build/standalone.gypi && \
-+	$(DEFAULT_VARS) CFLAGS+="$(V8_CXXFLAGS)" CXXFLAGS+="$(V8_CXXFLAGS)" \
-+	LINK=@CXX@ CXX=@CXX@ GYPFLAGS="$(V8_EXTRA_BUILD_PARAMS)" OUTDIR=./out/ \
-+	PYTHONPATH="$(V8_DIR)/build/gyp/pylib:$(FS_STABLE_HOST_PYTHONPATH)" $(MAKE) -C $(V8_DIR) \
-+	CC.host="$(FS_STABLE_HOSTCC)" CFLAGS.host="$(FS_STABLE_HOST_CFLAGS)" CXX.host="$(FS_STABLE_HOSTCXX)" \
-+	CXXFLAGS.host="$(FS_STABLE_HOST_CFLAGS)" LDFLAGS.host="$(FS_STABLE_HOST_LDFLAGS)" \
-+	$(V8_BUILDPARAMS) $(FS_STABLE_MYDEFINES) $(FS_STABLE_MYARCH).release
- 
- if ENABLE_STATIC_V8
- install-exec-local: $(V8LIB)
---- a/configure.ac
-+++ b/configure.ac
-@@ -1519,6 +1519,11 @@ AC_ARG_ENABLE(parallel-build-v8,
- [AS_HELP_STRING([--disable-parallel-build-v8], [Disable parallel build of V8])], [enable_parallel_build_v8="$enableval"], [enable_parallel_build_v8="yes"])
- AM_CONDITIONAL([ENABLE_PARALLEL_BUILD_V8],[test "x$enable_parallel_build_v8" != "xno"])
- 
-+# Option to force heap snapshot generation of Google's V8 to off
-+AC_ARG_ENABLE(snapshot-v8,
-+[AS_HELP_STRING([--disable-snapshot-v8], [Disable heap snapshot generation of V8])], [enable_snapshot_v8="$enableval"], [enable_snapshot_v8="yes"])
-+AM_CONDITIONAL([DISABLE_SNAPSHOT_V8],[test "x$enable_snapshot_v8" != "xyes"])
-+
- AM_CONDITIONAL([HAVE_ODBC],[test "x$enable_core_odbc_support" != "xno"])
- AM_CONDITIONAL([HAVE_MYSQL],[test "$found_mysql" = "yes"])
- 

net/freeswitch-stable/patches/270-fix-uclibc-iconv-in-gsmopen.patch

@@ -1,62 +1,67 @@
 --- a/src/mod/endpoints/mod_gsmopen/gsmopen_protocol.cpp
 +++ b/src/mod/endpoints/mod_gsmopen/gsmopen_protocol.cpp
-@@ -2521,11 +2521,11 @@ int ucs2_to_utf8(private_t *tech_pvt, ch
+@@ -104,6 +104,12 @@ int gettimeofday(struct timeval *tv, str
+ /***************/
+ #endif /* WIN32 */
+ 
++#if defined(FS_STABLE_ICONV_INBUF_CONST)
++#define ICONV_INBUF_TYPE const char **
++#else
++#define ICONV_INBUF_TYPE char **
++#endif
++
+ int gsmopen_serial_init(private_t *tech_pvt, int controldevice_speed)
+ {
+ 	if (!tech_pvt)
+@@ -2521,11 +2527,7 @@ int ucs2_to_utf8(private_t *tech_pvt, ch
  	DEBUGA_GSMOPEN("1 ciao in=%s, inleft=%d, out=%s, outleft=%d, converted=%s, utf8_out=%s\n",
  				   GSMOPEN_P_LOG, inbuf, (int) inbytesleft, outbuf, (int) outbytesleft, converted, utf8_out);
  
 -#ifdef WIN32
-+#ifdef __UCLIBC__ // libiconv-full needs this conversion
- 	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#else // WIN32
-+#else
- 	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#endif // WIN32
-+#endif
++	iconv_res = iconv(iconv_format, (ICONV_INBUF_TYPE)&inbuf, &inbytesleft, &outbuf, &outbytesleft);
  	if (iconv_res == (size_t) -1) {
  		DEBUGA_GSMOPEN("2 ciao in=%s, inleft=%d, out=%s, outleft=%d, converted=%s, utf8_out=%s\n",
  					   GSMOPEN_P_LOG, inbuf, (int) inbytesleft, outbuf, (int) outbytesleft, converted, utf8_out);
-@@ -2560,11 +2560,11 @@ int utf8_to_iso_8859_1(private_t *tech_p
+@@ -2560,11 +2562,7 @@ int utf8_to_iso_8859_1(private_t *tech_p
  
  	DEBUGA_GSMOPEN("in=%s, inleft=%d, out=%s, outleft=%d, utf8_in=%s, iso_8859_1_out=%s\n",
  				   GSMOPEN_P_LOG, inbuf, (int) inbytesleft, outbuf, (int) outbytesleft, utf8_in, iso_8859_1_out);
 -#ifdef WIN32
-+#ifdef __UCLIBC__
- 	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#else // WIN32
-+#else
- 	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#endif // WIN32
-+#endif
++	iconv_res = iconv(iconv_format, (ICONV_INBUF_TYPE)&inbuf, &inbytesleft, &outbuf, &outbytesleft);
  	if (iconv_res == (size_t) -1) {
  		DEBUGA_GSMOPEN("cannot translate in iso_8859_1 error: %s (errno: %d)\n", GSMOPEN_P_LOG, strerror(errno), errno);
  		return -1;
-@@ -2597,11 +2597,11 @@ int iso_8859_1_to_utf8(private_t *tech_p
+@@ -2597,11 +2595,7 @@ int iso_8859_1_to_utf8(private_t *tech_p
  	}
  
  	inbytesleft = strlen(iso_8859_1_in) * 2;
 -#ifdef WIN32
-+#ifdef __UCLIBC__
- 	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#else // WIN32
-+#else
- 	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#endif // WIN32
-+#endif
++	iconv_res = iconv(iconv_format, (ICONV_INBUF_TYPE)&inbuf, &inbytesleft, &outbuf, &outbytesleft);
  	if (iconv_res == (size_t) -1) {
  		DEBUGA_GSMOPEN("ciao in=%s, inleft=%d, out=%s, outleft=%d, utf8_out=%s\n",
  					   GSMOPEN_P_LOG, inbuf, (int) inbytesleft, outbuf, (int) outbytesleft, utf8_out);
-@@ -2642,11 +2642,11 @@ int utf8_to_ucs2(private_t *tech_pvt, ch
+@@ -2642,11 +2636,7 @@ int utf8_to_ucs2(private_t *tech_pvt, ch
  
  	DEBUGA_GSMOPEN("in=%s, inleft=%d, out=%s, outleft=%d, utf8_in=%s, converted=%s\n",
  				   GSMOPEN_P_LOG, inbuf, (int) inbytesleft, outbuf, (int) outbytesleft, utf8_in, converted);
 -#ifdef WIN32
-+#ifdef __UCLIBC__
- 	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, (const char **) &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#else // WIN32
-+#else
- 	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+-	iconv_res = iconv(iconv_format, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
 -#endif // WIN32
-+#endif
++	iconv_res = iconv(iconv_format, (ICONV_INBUF_TYPE)&inbuf, &inbytesleft, &outbuf, &outbytesleft);
  	if (iconv_res == (size_t) -1) {
  		ERRORA("error: %s %d\n", GSMOPEN_P_LOG, strerror(errno), errno);
  		return -1;

net/freeswitch-stable/patches/300-fix-memory-leak-in-mod_event_multicast.patch

@@ -0,0 +1,37 @@
+From ae56352cfff570f1b7ac0748aa339bd7bf373794 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Sat, 9 Jun 2018 19:02:41 -0300
+Subject: [PATCH] mod_event_multicast.c: fix memory leak
+
+Fixed two memory leaks with openssl 1.1.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+---
+ src/mod/event_handlers/mod_event_multicast/mod_event_multicast.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod/event_handlers/mod_event_multicast/mod_event_multicast.c b/src/mod/event_handlers/mod_event_multicast/mod_event_multicast.c
+index f591855a3e..fb952ce740 100644
+--- a/src/mod/event_handlers/mod_event_multicast/mod_event_multicast.c
++++ b/src/mod/event_handlers/mod_event_multicast/mod_event_multicast.c
+@@ -324,7 +324,7 @@ static void event_handler(switch_event_t *event)
+ 									  &tmplen, (unsigned char *) MAGIC, (int) strlen((char *) MAGIC));
+ 					outlen += tmplen;
+ 					EVP_EncryptFinal(ctx, (unsigned char *) buf + SWITCH_UUID_FORMATTED_LENGTH + outlen, &tmplen);
+-					EVP_CIPHER_CTX_cleanup(ctx);
++					EVP_CIPHER_CTX_free(ctx);
+ #else
+ 					EVP_CIPHER_CTX_init(&ctx);
+ 					EVP_EncryptInit(&ctx, EVP_bf_cbc(), NULL, NULL);
+@@ -570,7 +570,7 @@ SWITCH_MODULE_RUNTIME_FUNCTION(mod_event_multicast_runtime)
+ 			EVP_DecryptInit(ctx, NULL, (unsigned char *) globals.psk, (unsigned char *) uuid_str);
+ 			EVP_DecryptUpdate(ctx, (unsigned char *) tmp, &outl, (unsigned char *) packet, (int) len);
+ 			EVP_DecryptFinal(ctx, (unsigned char *) tmp + outl, &tmplen);
+-			EVP_CIPHER_CTX_cleanup(ctx);
++			EVP_CIPHER_CTX_free(ctx);
+ #else
+ 			EVP_CIPHER_CTX_init(&ctx);
+ 			EVP_DecryptInit(&ctx, EVP_bf_cbc(), NULL, NULL);
+-- 
+2.16.4
+

net/freeswitch-stable/patches/310-use-system-tiff.patch

@@ -1,87 +0,0 @@
-commit 34c48368dcfef09ba4a694256aa9615d91252461
-Author: Mike Jerris <mike@jerris.com>
-Date:   Tue Mar 14 17:39:05 2017 -0500
-
-    FS-10074: [libtiff] stop using embedded libtiff.  Build now requires system libtiff
-
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -125,7 +125,6 @@ CORE_CFLAGS += -DSWITCH_HAVE_YUV
- endif
- CORE_CFLAGS += -I$(switch_srcdir)/libs/srtp/crypto/include -Ilibs/srtp/crypto/include
- CORE_CFLAGS += -I$(switch_builddir)/libs/spandsp/src -I$(switch_srcdir)/libs/spandsp/src 
--CORE_CFLAGS += -I$(switch_builddir)/libs/tiff-4.0.2/libtiff -I$(switch_srcdir)/libs/tiff-4.0.2/libtiff
- if ENABLE_LIBVPX
- CORE_CFLAGS += -DSWITCH_HAVE_VPX
- endif
-@@ -736,11 +735,6 @@ sndfile-reconf:
- 	cd libs/libsndfile && ./config.status --recheck
- 	cd libs/libsndfile && ./config.status
- 
--tiff-reconf:
--	cd libs/tiff-4.0.2 && autoreconf -fi
--	cd libs/tiff-4.0.2 && sh ./configure.gnu $(MY_DEFAULT_ARGS)
--	cd libs/tiff-4.0.2 && make
--
- python-reconf:
- 	rm -f src/mod/languages/mod_python/Makefile
- 	./config.status
-@@ -762,7 +756,7 @@ iks-reconf:
- 	cd libs/iksemel && sh ./configure.gnu $(MY_DEFAULT_ARGS)
- 	$(MAKE) mod_dingaling-clean
- 
--spandsp-reconf: tiff-reconf
-+spandsp-reconf:
- 	cd libs/spandsp && $(MAKE) clean || echo
- 	cd libs/spandsp && autoreconf -fi
- 	cd libs/spandsp && sh ./configure.gnu $(MY_DEFAULT_ARGS)
---- a/configure.ac
-+++ b/configure.ac
-@@ -1969,7 +1969,6 @@ AC_CONFIG_SUBDIRS([libs/libdingaling])
- AC_CONFIG_SUBDIRS([libs/sofia-sip])
- AC_CONFIG_SUBDIRS([libs/freetdm])
- AC_CONFIG_SUBDIRS([libs/unimrcp])
--AC_CONFIG_SUBDIRS([libs/tiff-4.0.2])
- AC_CONFIG_SUBDIRS([libs/spandsp])
- if test "x${enable_zrtp}" = "xyes"; then
-    AC_CONFIG_SUBDIRS([libs/libzrtp])
---- a/libs/spandsp/configure.gnu
-+++ b/libs/spandsp/configure.gnu
-@@ -1,4 +1,4 @@
- #! /bin/sh
- srcpath=$(dirname $0 2>/dev/null )  || srcpath="." 
--$srcpath/configure "$@" --disable-shared --with-pic --enable-builtin-tiff
-+$srcpath/configure "$@" --disable-shared --with-pic
- 
---- a/src/mod/applications/mod_spandsp/Makefile.am
-+++ b/src/mod/applications/mod_spandsp/Makefile.am
-@@ -1,24 +1,17 @@
- include $(top_srcdir)/build/modmake.rulesam
- MODNAME=mod_spandsp
- 
--TIFF_DIR=$(switch_srcdir)/libs/tiff-4.0.2
--TIFF_BUILDDIR=$(switch_builddir)/libs/tiff-4.0.2
--TIFF_LA=$(TIFF_BUILDDIR)/libtiff/libtiff.la
- SPANDSP_DIR=$(switch_srcdir)/libs/spandsp
- SPANDSP_BUILDDIR=$(switch_builddir)/libs/spandsp
- SPANDSP_LA=$(SPANDSP_BUILDDIR)/src/libspandsp.la
- 
- mod_LTLIBRARIES = mod_spandsp.la
- mod_spandsp_la_SOURCES  = mod_spandsp.c udptl.c mod_spandsp_fax.c mod_spandsp_dsp.c mod_spandsp_codecs.c mod_spandsp_modem.c
--mod_spandsp_la_CFLAGS   = $(AM_CFLAGS)
--mod_spandsp_la_CPPFLAGS = -I$(SPANDSP_DIR)/src -I$(TIFF_DIR)/libtiff -I$(TIFF_BUILDDIR)/libtiff -I$(SPANDSP_BUILDDIR)/src -I$(TIFF_BUILDDIR)/libtiff -I.
--mod_spandsp_la_LIBADD   = $(switch_builddir)/libfreeswitch.la $(SPANDSP_LA) $(TIFF_LA) $(SPANDSP_LA_JBIG) $(SPANDSP_LA_LZMA) -ljpeg -lz
-+mod_spandsp_la_CFLAGS   = $(AM_CFLAGS) 
-+mod_spandsp_la_CPPFLAGS = -I$(SPANDSP_DIR)/src -I$(SPANDSP_BUILDDIR)/src -I.
-+mod_spandsp_la_LIBADD   = $(switch_builddir)/libfreeswitch.la $(SPANDSP_LA) $(SPANDSP_LA_JBIG) $(SPANDSP_LA_LZMA) -ljpeg -lz -ltiff
- mod_spandsp_la_LDFLAGS  = -avoid-version -module -no-undefined -shared
- 
--$(SPANDSP_LA): $(TIFF_LA) $(SPANDSP_DIR) $(SPANDSP_DIR)/.update
--	cd $(SPANDSP_BUILDDIR) && $(MAKE) CPPFLAGS="$(CPPFLAGS) -I$(TIFF_BUILDDIR)/libtiff -I$(TIFF_DIR)/libtiff" CFLAGS="$(CFLAGS)"
--	$(TOUCH_TARGET)
--
--$(TIFF_LA): $(TIFF_DIR) $(TIFF_DIR)/.update
--	cd $(TIFF_BUILDDIR) && $(MAKE)
-+$(SPANDSP_LA): $(SPANDSP_DIR) $(SPANDSP_DIR)/.update
-+	cd $(SPANDSP_BUILDDIR) && $(MAKE) CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)"
- 	$(TOUCH_TARGET)

net/freeswitch-stable/patches/311-use-system-tiff.patch

@@ -1,34 +0,0 @@
-commit f51ab63c2628e3ff21bd8a301dbacbc23766554a
-Author: Mike Jerris <mike@jerris.com>
-Date:   Wed Mar 15 09:57:03 2017 -0500
-
-    FS-10074: [libtiff] stop using embedded libtiff.  Build now requires system libtiff
-
---- a/debian/bootstrap.sh
-+++ b/debian/bootstrap.sh
-@@ -310,6 +310,7 @@ Build-Depends:
-  libpcre3-dev,
-  libedit-dev (>= 2.11),
-  libsqlite3-dev,
-+ libtiff5-dev,
-  wget, pkg-config,
-  yasm,
- # core codecs
---- a/freeswitch.spec
-+++ b/freeswitch.spec
-@@ -150,6 +150,7 @@ BuildRequires: openssl-devel >= 1.0.1e
- BuildRequires: pcre-devel 
- BuildRequires: speex-devel 
- BuildRequires: sqlite-devel
-+BuildRequires: libtiff-devel
- BuildRequires: ldns-devel
- BuildRequires: libedit-devel
- BuildRequires: perl
-@@ -208,6 +209,7 @@ Requires: ncurses
- Requires: pcre
- Requires: speex
- Requires: sqlite
-+Requires: libtiff
- Requires: libedit
- Requires: openssl >= 1.0.1e
- Requires: unixODBC

net/freeswitch-stable/patches/312-use-system-tiff.patch

@@ -1,41 +0,0 @@
-commit 920d10afe725566a33c1c570d99ad2dc99625712
-Author: Mike Jerris <mike@jerris.com>
-Date:   Wed Mar 15 15:00:15 2017 -0500
-
-    FS-10074: [libtiff] stop using embedded libtiff.  Build now requires system libtiff
-
---- a/src/mod/endpoints/mod_skypopen/Makefile.am
-+++ b/src/mod/endpoints/mod_skypopen/Makefile.am
-@@ -1,10 +1,6 @@
- include $(top_srcdir)/build/modmake.rulesam
- MODNAME=mod_skypopen
- 
--TIFF_DIR=$(switch_srcdir)/libs/tiff-4.0.2
--TIFF_BUILDDIR=$(switch_builddir)/libs/tiff-4.0.2
--TIFF_LA=$(TIFF_BUILDDIR)/libtiff/libtiff.la
--
- SPANDSP_DIR=$(switch_srcdir)/libs/spandsp
- SPANDSP_BUILDDIR=$(switch_builddir)/libs/spandsp
- SPANDSP_LA=$(SPANDSP_BUILDDIR)/src/libspandsp.la
-@@ -12,16 +8,12 @@ SPANDSP_LA=$(SPANDSP_BUILDDIR)/src/libsp
- mod_LTLIBRARIES = mod_skypopen.la
- mod_skypopen_la_SOURCES  = mod_skypopen.c skypopen_protocol.c
- mod_skypopen_la_CFLAGS   = $(AM_CFLAGS)
--mod_skypopen_la_CPPFLAGS = -I$(SPANDSP_DIR)/src -I$(TIFF_DIR)/libtiff -I$(SPANDSP_BUILDDIR)/src -I$(TIFF_BUILDDIR)/libtiff -I.
--mod_skypopen_la_LIBADD   = $(switch_builddir)/libfreeswitch.la $(SPANDSP_LA) $(TIFF_LA)
-+mod_skypopen_la_CPPFLAGS = -I$(SPANDSP_DIR)/src -I$(SPANDSP_BUILDDIR)/src -I.
-+mod_skypopen_la_LIBADD   = $(switch_builddir)/libfreeswitch.la $(SPANDSP_LA)
- mod_skypopen_la_LDFLAGS  = -avoid-version -module -no-undefined -shared -lX11
- 
--BUILT_SOURCES = $(TIFF_LA) $(SPANDSP_LA)
--
--$(SPANDSP_LA): $(TIFF_LA) $(SPANDSP_DIR) $(SPANDSP_DIR)/.update
--	cd $(SPANDSP_BUILDDIR) && $(MAKE) CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -I$(TIFF_BUILDDIR)/libtiff -I$(TIFF_DIR)/libtiff"
--	$(TOUCH_TARGET)
-+BUILT_SOURCES = $(SPANDSP_LA)
- 
--$(TIFF_LA): $(TIFF_DIR) $(TIFF_DIR)/.update
--	cd $(TIFF_BUILDDIR) && $(MAKE)
-+$(SPANDSP_LA): $(SPANDSP_DIR) $(SPANDSP_DIR)/.update
-+	cd $(SPANDSP_BUILDDIR) && $(MAKE) CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)"
- 	$(TOUCH_TARGET)

net/freeswitch-stable/patches/313-use-system-tiff.patch

@@ -1,41 +0,0 @@
-commit 4a7c459e37d77b05f258001ccae99935fb660caf
-Author: Mike Jerris <mike@jerris.com>
-Date:   Wed Mar 15 15:02:04 2017 -0500
-
-    FS-10074: [libtiff] stop using embedded libtiff.  Build now requires system libtiff
-
---- a/src/mod/endpoints/mod_gsmopen/Makefile.am
-+++ b/src/mod/endpoints/mod_gsmopen/Makefile.am
-@@ -1,10 +1,6 @@
- include $(top_srcdir)/build/modmake.rulesam
- MODNAME=mod_gsmopen
- 
--TIFF_DIR=$(switch_srcdir)/libs/tiff-4.0.2
--TIFF_BUILDDIR=$(switch_builddir)/libs/tiff-4.0.2
--TIFF_LA=$(TIFF_BUILDDIR)/libtiff/libtiff.la
--
- SPANDSP_DIR=$(switch_srcdir)/libs/spandsp
- SPANDSP_BUILDDIR=$(switch_builddir)/libs/spandsp
- SPANDSP_LA=$(SPANDSP_BUILDDIR)/src/libspandsp.la
-@@ -12,16 +8,12 @@ SPANDSP_LA=$(SPANDSP_BUILDDIR)/src/libsp
- mod_LTLIBRARIES = mod_gsmopen.la
- mod_gsmopen_la_SOURCES  = mod_gsmopen.cpp gsmopen_protocol.cpp 
- mod_gsmopen_la_CXXFLAGS = $(SWITCH_AM_CXXFLAGS)
--mod_gsmopen_la_CPPFLAGS = -I$(SPANDSP_DIR)/src -I$(TIFF_DIR)/libtiff -I$(SPANDSP_BUILDDIR)/src -I$(TIFF_BUILDDIR)/libtiff -I.
--mod_gsmopen_la_LIBADD   = $(switch_builddir)/libfreeswitch.la $(SPANDSP_LA) $(TIFF_LA)
-+mod_gsmopen_la_CPPFLAGS = -I$(SPANDSP_DIR)/src -I$(SPANDSP_BUILDDIR)/src -I.
-+mod_gsmopen_la_LIBADD   = $(switch_builddir)/libfreeswitch.la $(SPANDSP_LA)
- mod_gsmopen_la_LDFLAGS  = -avoid-version -module -no-undefined -lctb-0.16 -lgsmme
- 
--BUILT_SOURCES = $(TIFF_LA) $(SPANDSP_LA)
--
--$(SPANDSP_LA): $(TIFF_LA) $(SPANDSP_DIR) $(SPANDSP_DIR)/.update
--	cd $(SPANDSP_BUILDDIR) && $(MAKE) CPPFLAGS="$(CPPFLAGS) -I$(TIFF_BUILDDIR)/libtiff -I$(TIFF_DIR)/libtiff" CFLAGS="$(CFLAGS)"
--	$(TOUCH_TARGET)
-+BUILT_SOURCES = $(SPANDSP_LA)
- 
--$(TIFF_LA): $(TIFF_DIR) $(TIFF_DIR)/.update
--	cd $(TIFF_BUILDDIR) && $(MAKE)
-+$(SPANDSP_LA): $(SPANDSP_DIR) $(SPANDSP_DIR)/.update
-+	cd $(SPANDSP_BUILDDIR) && $(MAKE) CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)"
- 	$(TOUCH_TARGET)

net/freeswitch-stable/patches/314-use-system-tiff.patch

@@ -1,92 +0,0 @@
-commit 7a4c76119114b82d26dab5d5adfe5a2429e32434
-Author: Mike Jerris <mike@jerris.com>
-Date:   Thu Mar 16 11:29:08 2017 -0500
-
-    FS-10074: [libtiff] remove more libtiff references
-
---- a/debian/copyright
-+++ b/debian/copyright
-@@ -1700,27 +1700,6 @@ Copyright: 2007 <robs@users.sourceforge.
-  2007-2009 Erik de Castro Lopo <erikd@mega-nerd.com>
- License: LGPL-2+
- 
--Files: libs/tiff-4.0.2/*
--Copyright: 1988-1997 Sam Leffler
-- 1991-1997 Silicon Graphics, Inc.
-- 2006-2010 Richard Nolde
-- 1999-2000 Frank Warmerdam
-- 1990 by Digital Equipment Corporation, Maynard, Massachusetts.
-- 1990 by Sun Microsystems, Inc.
-- Joris Van Damme <info@awaresystems.be>
-- AWare Systems <http://www.awaresystems.be/>
--License: MIT/X11 (BSD like)
--
--Files: libs/tiff-4.0.2/port/getopt.c
-- libs/tiff-4.0.2/port/strcasecmp.c
-- libs/tiff-4.0.2/port/lfind.c
--Copyright: 1987, 1993, 1994, The Regents of the University of California.
--License: BSD-3-clause
--
--Files: libs/tiff-4.0.2/port/strtoull.c
--Copyright: 1992, 1993, The Regents of the University of California.
--License: BSD-4-clause
--
- Files: src/switch_dso.c
- Copyright: 2008 Michael Jerris
- License: BSD-like
---- a/debian/license-reconcile.yml
-+++ b/debian/license-reconcile.yml
-@@ -186,21 +186,6 @@ Rules:
-    Copyright: 1999-2009 Erik de Castro Lopo <erikd@mega-nerd.com>
-    Justification: prevent false-psitive copyright detection
-   -
--   Glob: libs/tiff-4.0.2/libtiff/tif_tile.c
--   Matches: Copyright\s(c)\s1991-1997\sSam\sLeffler
--   Matches: copyright\snotices\sand\sthis\spermission\snotice\sappear\sin
--   Copyright: 1991-1997 Sam Leffler
--  -
--   Glob: libs/tiff-4.0.2/*
--   Matches: Additions\s\(c\)\sRichard\sNolde\s2006-2010
--   Matches: copyright\snotices\sand\sthis\spermission\snotice\sappear\sin
--   Copyright: 2006-2010 Richard Nolde
--  -
--   Glob: libs/tiff-4.0.2/libtiff/tiffvers.h
--   Matches: 1988-1996\sSam\sLeffler..Copyright\s\(c\)\s1991-1996\sSilicon\sGraphics,\sInc.
--   Copyright: 1991-1996 Sam Leffler
--   Copyright: 1991-1996 Silicon Graphics, Inc
--  -
-    Glob: src/mod/endpoints/mod_khomp/*
-    Matches: The\scontents\sof\sthis\sfile\sare\ssubject\sto\sthe\sMozilla\sPublic\sLicense\sVersion\s1.1
-    Matches: Alternatively,\sthe\scontents\sof\sthis\sfile\smay\sbe\sused\sunder\sthe\sterms\sof\sthe
---- a/docs/Doxygen.conf
-+++ b/docs/Doxygen.conf
-@@ -1240,15 +1240,9 @@ SEARCH_INCLUDES        = YES
- # contain include files that are not input files but should be processed by
- # the preprocessor.
- 
--INCLUDE_PATH           =../libs/apr ../libs/apr-util \
--			../libs/iksemel ../libs/ilbc ../libs/js \
--			../libs/libg722_1 ../libs/libnatpmp \
--			../libs/libsndfile ../libs/miniupnpc  \
--			../libs/portaudio ../libs/sofia-sip ../libs/spandsp \
--			../libs/srtp \
--			../libs/tiff-4.0.2 ../libs/udns \
--			../libs/unimrcp ../libs/voipcodecs ../libs/win32 \
--			../libs/xmlrpc-c
-+INCLUDE_PATH           =../libs/apr ../libs/apr-util ../libs/iksemel ../libs/libnatpmp \
-+			../libs/miniupnpc ../libs/sofia-sip ../libs/spandsp \
-+			../libs/srtp ../libs/unimrcp ../libs/win32 ../libs/xmlrpc-c
- 
- # You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
- # patterns (like *.h and *.hpp) to filter out the header-files in the
---- a/rebootstrap.sh
-+++ b/rebootstrap.sh
-@@ -8,7 +8,7 @@ BGJOB=false
- VERBOSE=false
- BASEDIR=`pwd`;
- LIBDIR=${BASEDIR}/libs;
--SUBDIRS="apr libzrtp iksemel libdingaling sofia-sip srtp freetdm spandsp unimrcp tiff-4.0.2 fs";
-+SUBDIRS="apr libzrtp iksemel libdingaling sofia-sip srtp freetdm spandsp unimrcp fs";
- 
- while getopts 'jhd:v' o; do 
-   case "$o" in

net/freeswitch-stable/patches/340-libvpx-CVE-2017-13194.patch

@@ -1,45 +0,0 @@
-Subject: Fix OOB caused by odd frame width, CVE-2017-13194
-Origin: https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d
-
-diff --git a/libs/libvpx/libvpx/vpx/src/vpx_image.c b/libs/libvpx/libvpx/vpx/src/vpx_image.c
-index dba439c..af7c529 100644
---- a/libs/libvpx/vpx/src/vpx_image.c
-+++ b/libs/libvpx/vpx/src/vpx_image.c
-@@ -88,11 +88,10 @@
-     default: ycs = 0; break;
-   }
- 
--  /* Calculate storage sizes given the chroma subsampling */
--  align = (1 << xcs) - 1;
--  w = (d_w + align) & ~align;
--  align = (1 << ycs) - 1;
--  h = (d_h + align) & ~align;
-+  /* Calculate storage sizes. If the buffer was allocated externally, the width
-+   * and height shouldn't be adjusted. */
-+  w = d_w;
-+  h = d_h;
-   s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
-   s = (s + stride_align - 1) & ~(stride_align - 1);
-   stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
-@@ -111,9 +110,18 @@
-   img->img_data = img_data;
- 
-   if (!img_data) {
--    const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR)
--                                    ? (uint64_t)h * s * bps / 8
--                                    : (uint64_t)h * s;
-+    uint64_t alloc_size;
-+    /* Calculate storage sizes given the chroma subsampling */
-+    align = (1 << xcs) - 1;
-+    w = (d_w + align) & ~align;
-+    align = (1 << ycs) - 1;
-+    h = (d_h + align) & ~align;
-+
-+    s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
-+    s = (s + stride_align - 1) & ~(stride_align - 1);
-+    stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
-+    alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
-+                                            : (uint64_t)h * s;
- 
-     if (alloc_size != (size_t)alloc_size) goto fail;
- 

net/freeswitch-stable/patches/360-fix-APR_TRY_COMPILE_NO_WARNING.patch

@@ -0,0 +1,50 @@
+--- a/libs/apr-util/build/apr_common.m4
++++ b/libs/apr-util/build/apr_common.m4
+@@ -493,13 +493,15 @@ AC_DEFUN([APR_TRY_COMPILE_NO_WARNING],
+  if test "$ac_cv_prog_gcc" = "yes"; then 
+    CFLAGS="$CFLAGS -Werror"
+  fi
+- AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+-  [#include "confdefs.h"
+-  ]
+-  [[$1]]
+-  [int main(int argc, const char *const *argv) {]
+-  [[$2]]
+-  [   return 0; }]])],
++ AC_COMPILE_IFELSE(
++  [AC_LANG_SOURCE(
++   [#include "confdefs.h"
++   ]
++   [[$1]]
++   [int main(int argc, const char *const *argv) {]
++   [[$2]]
++   [   return 0; }]
++  )],
+   [$3], [$4])
+  CFLAGS=$apr_save_CFLAGS
+ ])
+--- a/libs/apr/build/apr_common.m4
++++ b/libs/apr/build/apr_common.m4
+@@ -493,13 +493,15 @@ AC_DEFUN([APR_TRY_COMPILE_NO_WARNING],
+  if test "$ac_cv_prog_gcc" = "yes"; then 
+    CFLAGS="$CFLAGS -Werror"
+  fi
+- AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+-  [#include "confdefs.h"
+-  ]
+-  [[$1]]
+-  [int main(int argc, const char *const *argv) {]
+-  [[$2]]
+-  [   return 0; }]])],
++ AC_COMPILE_IFELSE(
++  [AC_LANG_SOURCE(
++   [#include "confdefs.h"
++   ]
++   [[$1]]
++   [int main(int argc, const char *const *argv) {]
++   [[$2]]
++   [   return 0; }]
++  )],
+   [$3], [$4])
+  CFLAGS=$apr_save_CFLAGS
+ ])

net/freeswitch-stable/patches/370-procd-compat.patch

@@ -0,0 +1,19 @@
+--- a/src/switch_console.c
++++ b/src/switch_console.c
+@@ -1051,10 +1051,12 @@ static void *SWITCH_THREAD_FUNC console_
+ 	while (running) {
+ 		int32_t arg = 0;
+ 
+-		if (getppid() == 1) {
+-			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "We've become an orphan, no more console for us.\n");
+-			break;
+-		}
++		// Parent PID is 1 when started by procd - so FS is not an orphan.
++		// Plus we still want the output.
++		//if (getppid() == 1) {
++		//	switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "We've become an orphan, no more console for us.\n");
++		//	break;
++		//}
+ 
+ 		switch_core_session_ctl(SCSC_CHECK_RUNNING, &arg);
+ 		if (!arg) {

net/freeswitch-stable/patches/380-disable-luajit.patch

@@ -0,0 +1,11 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -571,7 +571,7 @@ AC_SUBST(SYS_XMLRPC_CFLAGS)
+ AC_SUBST(SYS_XMLRPC_LDFLAGS)
+ AM_CONDITIONAL([SYSTEM_XMLRPCC],[test "${enable_xmlrpcc}" = "yes"])
+ 
+-for luaversion in luajit lua5.2 lua-5.2 lua52 lua5.1 lua-5.1 lua; do
++for luaversion in lua5.2 lua-5.2 lua52 lua5.1 lua-5.1 lua; do
+   PKG_CHECK_MODULES([LUA],[${luaversion}],[have_lua=yes],[have_lua=no])
+   if test ${have_lua} = yes; then
+     break

net/freeswitch-stable/patches/390-t38-reinvite-488-fix.patch

@@ -0,0 +1,66 @@
+commit 167294ea2649afd0ffedf4520b0f308979c3ca2a
+Author: Sebastian Kemper <sebastian_ml@gmx.net>
+Date:   Fri Oct 18 18:28:07 2019 +0200
+
+    [mod-sofia] Fix reINVITE after T38 is rejected
+    
+    From FS-11833.
+    
+    After FS sends a reINVITE to T38 which gets rejected by peer it is no
+    longer in a state where it can properly answer a reINVITE which requests
+    a change of the media setup.
+    
+    1. FS sends INVITE (destination is a fax machine)
+    2. Call connects with "8 101"
+    3. FS sends reINVITE to T38
+    4. T38 rejected (488)
+    5. FS receives INVITE to "8"
+    6. FS replies with 200 OK without SDP
+    7. Call fails
+    
+    The bug is related to TFLAG_SDP. This flag is set when a media session
+    is established. And when there's a reINVITE sofia_glue_do_invite() from
+    sofia_glue.c is called and clears the flag again:
+    
+    sofia_clear_flag_locked(tech_pvt, TFLAG_SDP);
+    
+    So when FS sends a reINVITE to T38 the flag gets cleared. But when the
+    reINVITE is rejected with 488 the flag is not set again. It stays
+    cleared. So the call continues with the previously negotiated media, fax
+    passthrough (8 101 in this case), but TFLAG_SDP is not set.
+    
+    So when FS receives a reINVITE at this point it doesn't see the need to
+    renegotiate anything, even though it realizes that 2833 DTMF is now off:
+    
+    2019-04-30 16:42:12.478025 [DEBUG] switch_core_media.c:5478 Audio Codec Compare [PCMA:8:8000:20:64000:1]/[PCMA:8:8000:20:64000:1]
+    2019-04-30 16:42:12.478025 [DEBUG] switch_core_media.c:5533 Audio Codec Compare [PCMA:8:8000:20:64000:1] ++++ is saved as a match
+    2019-04-30 16:42:12.478025 [DEBUG] switch_core_media.c:5802 No 2833 in SDP. Disable 2833 dtmf and switch to INFO
+    
+    When FS doesn't send a reINVITE (fax_enable_t38_request=false) and the
+    reINVITE to "8" is received, TFLAG_SDP is still set and then FS
+    understands that it needs to renegotiate and replies with a 200 OK that
+    includes SDP:
+    
+    2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:5478 Audio Codec Compare [PCMA:8:8000:20:64000:1]/[PCMA:8:8000:20:64000:1]
+    2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:5533 Audio Codec Compare [PCMA:8:8000:20:64000:1] ++++ is saved as a match
+    2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:5802 No 2833 in SDP. Disable 2833 dtmf and switch to INFO
+    2019-04-30 16:41:19.358028 [DEBUG] sofia.c:8237 skemper was here in line 8232
+    2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:8390 skemper was here in line 8390.
+    2019-04-30 16:41:19.358028 [DEBUG] switch_core_media.c:8496 Audio params are unchanged for sofia/external/+called_number.
+    2019-04-30 16:41:19.358028 [DEBUG] sofia.c:8243 Processing updated SDP
+    
+    This fixes the state problem after a rejected T38 reINVITE by setting
+    TFLAG_SDP.
+    
+    Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
+
+--- a/src/mod/endpoints/mod_sofia/sofia.c
++++ b/src/mod/endpoints/mod_sofia/sofia.c
+@@ -6501,6 +6501,7 @@ static void sofia_handle_sip_r_invite(sw
+ 			switch_channel_clear_app_flag_key("T38", tech_pvt->channel, CF_APP_T38_REQ);
+ 			switch_channel_set_app_flag_key("T38", tech_pvt->channel, CF_APP_T38_FAIL);
+ 			switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_DEBUG, "%s T38 invite failed\n", switch_channel_get_name(tech_pvt->channel));
++			sofia_set_flag(tech_pvt, TFLAG_SDP);
+ 		}
+ 
+ 

net/freeswitch-stable/patches/430-CVE-2019-9232_9325_9433.patch

@@ -0,0 +1,156 @@
+
+Backport of
+
+From 46e17f0cb4a80b36755c84b8bf15731d3386c08f Mon Sep 17 00:00:00 2001
+From: kyslov <kyslov@google.com>
+Date: Fri, 4 Jan 2019 17:04:09 -0800
+Subject: [PATCH] Fix OOB memory access on fuzzed data
+
+From 0681cff1ad36b3ef8ec242f59b5a6c4234ccfb88 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Tue, 24 Jul 2018 21:36:50 -0700
+Subject: [PATCH] vp9: fix OOB read in decoder_peek_si_internal
+
+From 52add5896661d186dec284ed646a4b33b607d2c7 Mon Sep 17 00:00:00 2001
+From: Jerome Jiang <jianj@google.com>
+Date: Wed, 23 May 2018 15:43:00 -0700
+Subject: [PATCH] VP8: Fix use-after-free in postproc.
+
+to address CVE-2019-9232 CVE-2019-9325 CVE-2019-9433
+
+--- a/libs/libvpx/test/decode_api_test.cc
++++ b/libs/libvpx/test/decode_api_test.cc
+@@ -138,8 +138,30 @@ TEST(DecodeAPI, Vp9InvalidDecode) {
+   EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
+ }
+ 
+-TEST(DecodeAPI, Vp9PeekSI) {
++void TestPeekInfo(const uint8_t *const data, uint32_t data_sz,
++                  uint32_t peek_size) {
+   const vpx_codec_iface_t *const codec = &vpx_codec_vp9_dx_algo;
++  // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get
++  // to decoder_peek_si_internal on frames of size < 8.
++  if (data_sz >= 8) {
++    vpx_codec_ctx_t dec;
++    EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0));
++    EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM
++                                    : VPX_CODEC_CORRUPT_FRAME,
++              vpx_codec_decode(&dec, data, data_sz, NULL, 0));
++    vpx_codec_iter_t iter = NULL;
++    EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter));
++    EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
++  }
++
++  // Verify behavior of vpx_codec_peek_stream_info.
++  vpx_codec_stream_info_t si;
++  si.sz = sizeof(si);
++  EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK,
++            vpx_codec_peek_stream_info(codec, data, data_sz, &si));
++}
++
++TEST(DecodeAPI, Vp9PeekStreamInfo) {
+   // The first 9 bytes are valid and the rest of the bytes are made up. Until
+   // size 10, this should return VPX_CODEC_UNSUP_BITSTREAM and after that it
+   // should return VPX_CODEC_CORRUPT_FRAME.
+@@ -150,24 +172,18 @@ TEST(DecodeAPI, Vp9PeekSI) {
+   };
+ 
+   for (uint32_t data_sz = 1; data_sz <= 32; ++data_sz) {
+-    // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get
+-    // to decoder_peek_si_internal on frames of size < 8.
+-    if (data_sz >= 8) {
+-      vpx_codec_ctx_t dec;
+-      EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0));
+-      EXPECT_EQ(
+-          (data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_CORRUPT_FRAME,
+-          vpx_codec_decode(&dec, data, data_sz, NULL, 0));
+-      vpx_codec_iter_t iter = NULL;
+-      EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter));
+-      EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
+-    }
+-
+-    // Verify behavior of vpx_codec_peek_stream_info.
+-    vpx_codec_stream_info_t si;
+-    si.sz = sizeof(si);
+-    EXPECT_EQ((data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK,
+-              vpx_codec_peek_stream_info(codec, data, data_sz, &si));
++    TestPeekInfo(data, data_sz, 10);
++  }
++}
++
++TEST(DecodeAPI, Vp9PeekStreamInfoTruncated) {
++  // This profile 1 header requires 10.25 bytes, ensure
++  // vpx_codec_peek_stream_info doesn't over read.
++  const uint8_t profile1_data[10] = { 0xa4, 0xe9, 0x30, 0x68, 0x53,
++                                      0xe9, 0x30, 0x68, 0x53, 0x04 };
++
++  for (uint32_t data_sz = 1; data_sz <= 10; ++data_sz) {
++    TestPeekInfo(profile1_data, data_sz, 11);
+   }
+ }
+ #endif  // CONFIG_VP9_DECODER
+--- a/libs/libvpx/vp8/common/postproc.c
++++ b/libs/libvpx/vp8/common/postproc.c
+@@ -64,7 +64,7 @@ void vp8_deblock(VP8_COMMON *cm, YV12_BU
+   double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
+   int ppl = (int)(level + .5);
+ 
+-  const MODE_INFO *mode_info_context = cm->show_frame_mi;
++  const MODE_INFO *mode_info_context = cm->mi;
+   int mbr, mbc;
+ 
+   /* The pixel thresholds are adjusted according to if or not the macroblock
+--- a/libs/libvpx/vp8/decoder/dboolhuff.h
++++ b/libs/libvpx/vp8/decoder/dboolhuff.h
+@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODE
+   }
+ 
+   {
+-    register int shift = vp8_norm[range];
++    const unsigned char shift = vp8_norm[(unsigned char)range];
+     range <<= shift;
+     value <<= shift;
+     count -= shift;
+--- a/libs/libvpx/vp9/vp9_dx_iface.c
++++ b/libs/libvpx/vp9/vp9_dx_iface.c
+@@ -129,7 +129,7 @@ static vpx_codec_err_t decoder_peek_si_i
+     const uint8_t *data, unsigned int data_sz, vpx_codec_stream_info_t *si,
+     int *is_intra_only, vpx_decrypt_cb decrypt_cb, void *decrypt_state) {
+   int intra_only_flag = 0;
+-  uint8_t clear_buffer[10];
++  uint8_t clear_buffer[11];
+ 
+   if (data + data_sz <= data) return VPX_CODEC_INVALID_PARAM;
+ 
+@@ -190,6 +190,9 @@ static vpx_codec_err_t decoder_peek_si_i
+         if (profile > PROFILE_0) {
+           if (!parse_bitdepth_colorspace_sampling(profile, &rb))
+             return VPX_CODEC_UNSUP_BITSTREAM;
++          // The colorspace info may cause vp9_read_frame_size() to need 11
++          // bytes.
++          if (data_sz < 11) return VPX_CODEC_UNSUP_BITSTREAM;
+         }
+         rb.bit_offset += REF_FRAMES;  // refresh_frame_flags
+         vp9_read_frame_size(&rb, (int *)&si->w, (int *)&si->h);
+--- a/libs/libvpx/vpx_dsp/bitreader.h
++++ b/libs/libvpx/vpx_dsp/bitreader.h
+@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r
+   }
+ 
+   {
+-    register int shift = vpx_norm[range];
++    const unsigned char shift = vpx_norm[(unsigned char)range];
+     range <<= shift;
+     value <<= shift;
+     count -= shift;
+--- a/libs/libvpx/vpx_dsp/bitreader_buffer.c
++++ b/libs/libvpx/vpx_dsp/bitreader_buffer.c
+@@ -23,7 +23,7 @@ int vpx_rb_read_bit(struct vpx_read_bit_
+     rb->bit_offset = off + 1;
+     return bit;
+   } else {
+-    rb->error_handler(rb->error_handler_data);
++    if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data);
+     return 0;
+   }
+ }

net/kamailio-5.x/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=kamailio5
 PKG_VERSION:=5.1.3
-PKG_RELEASE:=1
+PKG_RELEASE:=4
 
 PKG_SOURCE_URL:=https://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src
 PKG_SOURCE:=kamailio-$(PKG_VERSION)$(PKG_VARIANT)_src.tar.gz

net/kamailio-5.x/patches/140-CVE-2018-14767.patch

@@ -0,0 +1,28 @@
+commit 281a6c6b6eaaf30058b603325e8ded20b99e1456
+Author: Henning Westerholt <hw@kamailio.org>
+Date:   Mon May 7 09:36:53 2018 +0200
+
+    core: improve to header check guards, str consists of length and pointer
+
+diff --git a/src/core/msg_translator.c b/src/core/msg_translator.c
+index 22122768a..4dd648e87 100644
+--- a/src/core/msg_translator.c
++++ b/src/core/msg_translator.c
+@@ -2369,7 +2369,7 @@ char * build_res_buf_from_sip_req( unsigned int code, str *text ,str *new_tag,
+ 			case HDR_TO_T:
+ 				if (new_tag && new_tag->len) {
+ 					to_tag=get_to(msg)->tag_value;
+-					if ( to_tag.len || to_tag.s )
++					if ( to_tag.len && to_tag.s )
+ 						len+=new_tag->len-to_tag.len;
+ 					else
+ 						len+=new_tag->len+TOTAG_TOKEN_LEN/*";tag="*/;
+@@ -2497,7 +2497,7 @@ char * build_res_buf_from_sip_req( unsigned int code, str *text ,str *new_tag,
+ 				break;
+ 			case HDR_TO_T:
+ 				if (new_tag && new_tag->len){
+-					if (to_tag.s ) { /* replacement */
++					if (to_tag.len && to_tag.s) { /* replacement */
+ 						/* before to-tag */
+ 						append_str( p, hdr->name.s, to_tag.s-hdr->name.s);
+ 						/* to tag replacement */

net/kamailio-5.x/patches/141-CVE-2018-16657.patch

@@ -0,0 +1,46 @@
+commit d67b2f9874ca23bd69f18df71b8f53b1b6151f6d
+Author: Henning Westerholt <hw@kamailio.org>
+Date:   Sun Jun 3 20:59:32 2018 +0200
+
+    core: improve header safe guards for Via handling
+    
+    (cherry picked from commit ad68e402ece8089f133c10de6ce319f9e28c0692)
+
+diff --git a/src/core/crc.c b/src/core/crc.c
+index 462846324..23b2876ec 100644
+--- a/src/core/crc.c
++++ b/src/core/crc.c
+@@ -231,6 +231,8 @@ void crcitt_string_array( char *dst, str src[], int size )
+ 	ccitt = 0xFFFF;
+ 	str_len=CRC16_LEN;
+ 	for (i=0; i<size; i++ ) {
++		/* invalid str with positive length and null char pointer */
++		if( unlikely(src[i].s==NULL)) break;
+ 		c=src[i].s;
+ 		len=src[i].len;
+ 		while(len) {
+diff --git a/src/core/msg_translator.c b/src/core/msg_translator.c
+index 201e3a5e1..58978f958 100644
+--- a/src/core/msg_translator.c
++++ b/src/core/msg_translator.c
+@@ -168,12 +168,17 @@ static int check_via_address(struct ip_addr* ip, str *name,
+ 						(name->s[name->len-1]==']')&&
+ 						(strncasecmp(name->s+1, s, len)==0))
+ 				)
+-		   )
++		   ) {
+ 			return 0;
+-		else
+-
++		}
++		else {
++			if (unlikely(name->s==NULL)) {
++				LM_CRIT("invalid Via host name\n");
++				return -1;
++			}
+ 			if (strncmp(name->s, s, name->len)==0)
+ 				return 0;
++		}
+ 	}else{
+ 		LM_CRIT("could not convert ip address\n");
+ 		return -1;

net/kamailio-5.x/patches/150-posix-awk-filter.patch

@@ -0,0 +1,32 @@
+commit 59d287586f502a8df71c2e91899fde49594e072e
+Author: Sebastian Kemper <sebastian_ml@gmx.net>
+Date:   Sun Oct 7 18:54:39 2018 +0200
+
+    kamctl: make jsonrpc filter portable
+    
+    The filter has a regex looking for a literal '{' in the beginning of a
+    line. Some awk implementations interpret this as a meta character, so
+    the regex is deemed broken. Example with busybox awk (POSIX):
+    
+    root@hank2:~# kamctl ps
+    awk: bad regex '^{.+"id"[       ]*:[    ]*[0-9]+[       ]*}$': Invalid contents of {}
+    root@hank2:~#
+    
+    To fix this enclose the character in square brackets. This always
+    matches for a literal '{' and is portable.
+    
+    Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
+
+diff --git a/utils/kamctl/kamctl.base b/utils/kamctl/kamctl.base
+index adeceb77f..a776e10d8 100644
+--- a/utils/kamctl/kamctl.base
++++ b/utils/kamctl/kamctl.base
+@@ -715,7 +715,7 @@ filter_json()
+ 	$AWK 'function ltrim(s) { sub(/^[ \t\r\n]+/, "", s); return s }
+ 		BEGIN { line=0; IGNORECASE=1; }
+ 		{ line++; }
+-		NR == 1 && /^{.+"id"[ \t]*:[ \t]*[0-9]+[ \t]*}$/ { print; next; }
++		NR == 1 && /^[{].+"id"[ \t]*:[ \t]*[0-9]+[ \t]*}$/ { print; next; }
+ 		NR == 1 && /^200 OK/ { next; }
+ 		/^[ \t]*"jsonrpc":[ \t]*"2.0"/ { print; next; }
+ 		/^[ \t]*"result":[ \t]*\[.+/ {

net/siproxd/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=siproxd
 PKG_VERSION:=0.8.2
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/siproxd

net/siproxd/files/siproxd.init

@@ -4,14 +4,19 @@
 
 START=50
 
-SERVICE_USE_PID=1
+USE_PROCD=1
 
-siproxd_bin="/usr/sbin/siproxd"
-siproxd_conf_dir="/var/etc/siproxd"
-siproxd_conf_prefix="$siproxd_conf_dir/siproxd-"
-siproxd_registration_dir="/var/lib/siproxd"
-siproxd_registration_prefix="$siproxd_registration_dir/siproxd-"
-siproxd_pid_dir="/var/run/siproxd"
+PROG="/usr/sbin/siproxd"
+CONF_DIR="/var/etc/siproxd"
+REG_DIR="/var/lib/siproxd"
+PID_DIR="/var/run/siproxd"
+PLUGIN_DIR="/usr/lib/siproxd/"
+UID="nobody"
+GID="nogroup"
+
+# Some options need special handling or conflict with procd/jail setup.
+append CONF_SKIP "interface_inbound interface_outbound chrootjail"
+append CONF_SKIP "daemonize user plugindir registration_file pid_file"
 
 
 # Check if a UCI option is set, or else apply a provided default.
@@ -26,7 +31,12 @@ default_conf() {
 
 	[ -z "$val" ] || return 0
 	[ -n "$default" ] || return 0
-	echo "$opt" = "$default" >> "$siproxd_conf_prefix$sec.conf"
+	config_set "$sec" "$opt" "$default"
+	append_conf "$opt" = "$default"
+}
+
+append_conf() {
+	echo $* >> "$CONF_DIR/siproxd-$sec.conf"
 }
 
 # Use user-friendly network names (e.g. "wan", "lan") from options
@@ -35,14 +45,13 @@ default_conf() {
 
 setup_networks() {
 	local sec="$1"
-	local _int_inbound
-	local _int_outbound
-	local _dev_inbound
-	local _dev_outbound
+	local _int_inbound _int_outbound
+	local _dev_inbound _dev_outbound
 
 	config_get _int_inbound "$sec" interface_inbound
 	config_get _int_outbound "$sec" interface_outbound
 
+	. /lib/functions/network.sh
 	network_get_physdev _dev_inbound $_int_inbound
 	network_get_physdev _dev_outbound $_int_outbound
 
@@ -56,29 +65,60 @@ apply_defaults() {
 	local sec="$1"
 
 	default_conf sip_listen_port 5060
-	default_conf daemonize 1
-	default_conf silence_log 1
-	default_conf user nobody
-	default_conf registration_file "$siproxd_registration_prefix$sec.reg"
 	default_conf autosave_registrations 300
-	default_conf pid_file "$siproxd_pid_dir/siproxd-$sec.pid"
-	default_conf rtp_proxy_enable 1
 	default_conf rtp_port_low 7070
 	default_conf rtp_port_high 7089
 	default_conf rtp_timeout 300
 	default_conf rtp_dscp 46
-	default_conf sip_dscp 0
-	default_conf rtp_input_dejitter 0
-	default_conf rtp_output_dejitter 0
 	default_conf tcp_timeout 600
-	default_conf tcp_connect_timeout 500
 	default_conf tcp_keepalive 20
 	default_conf default_expires 600
-	default_conf debug_level 0x00000000
-	default_conf debug_port 0
-	default_conf ua_string Siproxd-UA
-	default_conf use_rport 0
-	default_conf plugindir "/usr/lib/siproxd/"
+	default_conf daemonize 0
+	default_conf user "$UID"
+	default_conf registration_file "$REG_DIR/siproxd-$sec.reg"
+	default_conf plugindir "$PLUGIN_DIR"
+}
+
+# Handle activities at start of a new 'siproxd' section.
+# Initialize section processing and save section name.
+
+section_start() {
+	local sec="$1"
+
+	rm -f "$CONF_DIR/siproxd-$sec.conf"
+	append_conf "# config auto-generated from /etc/config/siproxd"
+}
+
+# Handle activities at close of a 'siproxd' section.
+# Parse OpenWRT interface names (e.g. "wan"), apply defaults and
+# set up procd jail.
+
+section_end() {
+	local sec="$1"
+
+	local conf_file="$CONF_DIR/siproxd-$sec.conf"
+	local pid_file="$PID_DIR/siproxd-$sec.pid"
+	local reg_file plugin_dir
+
+	setup_networks "$sec"
+	apply_defaults "$sec"
+
+	config_get plugin_dir "$sec" plugindir
+	config_get reg_file "$sec" registration_file
+
+	procd_open_instance "$sec"
+	procd_set_param command "$PROG" --config "$conf_file"
+	procd_set_param pidfile "$pid_file"
+	procd_set_param respawn
+	procd_add_jail siproxd log
+	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /dev/null
+	procd_add_jail_mount "$conf_file"
+	[ -d "$plugin_dir" ] && procd_add_jail_mount "$plugin_dir"
+	# Ensure registration file exists for jail
+	[ -f "$reg_file" ] || touch "$reg_file"
+	chown "$UID:$GID" "$reg_file"
+	procd_add_jail_mount_rw "$reg_file"
+	procd_close_instance
 }
 
 # Setup callbacks for parsing siproxd sections, options, and lists.
@@ -86,90 +126,45 @@ apply_defaults() {
 
 siproxd_cb() {
 	config_cb() {
-		local _int_inbound
-		local _int_outbound
-		local _dev_inbound
-		local _dev_outbound
+		# Section change: close any previous section.
+		[ -n "$cur_sec" ] && section_end "$cur_sec"
 
 		case "$1" in
-			# Initialize section processing and save section name.
+			# New 'siproxd' section: begin processing.
 			"siproxd")
-				sec="$2"
-				if [ -f "$siproxd_conf_prefix$sec.conf" ]; then
-					rm "$siproxd_conf_prefix$sec.conf"
-				fi
-				echo "# auto-generated config file from /etc/config/siproxd" > \
-					"$siproxd_conf_prefix$sec.conf"
+				cur_sec="$2"
+				section_start "$cur_sec"
 			;;
-			# Parse OpenWRT interface names (e.g. "wan") and apply defaults,
-			# using saved section name.
-			"")
-				local chrootjail
-				local pid_file
-
-				setup_networks "$sec"
-				apply_defaults "$sec"
-
-				config_get chrootjail "$sec" chrootjail
-				if [ -n "$chrootjail" ]; then
-					if [ ! -d "$chrootjail" ]; then
-						mkdir -p "$chrootjail"
-						chmod 0755 "$chrootjail"
-					fi
-				fi
-
-				config_get pid_file "$sec" pid_file
-				SERVICE_PID_FILE="$pid_file" service_start \
-				$siproxd_bin --config "$siproxd_conf_prefix$sec.conf"
+			# Config end or unknown section: ignore.
+			*)
+				cur_sec=""
 			;;
 		esac
-		return 0
 	}
 
 	option_cb() {
-		# These 2 OpenWRT-specific options are handled in post-processing.
-		case "$1" in
-			"interface_inbound"|"interface_outbound") return 0 ;;
-		esac
-		# Other options match siproxd docs, so write directly to config.
-		[ -n "$2" ] && echo "$1" = "$2" >> "$siproxd_conf_prefix$sec.conf"
-		return 0
+		local sec="$cur_sec"
+
+		[ -z "$sec" ] && return
+		list_contains CONF_SKIP "$1" && return
+		[ -n "$2" ] && append_conf "$1" = "$2"
 	}
 
 	list_cb() {
-		# All list items match siproxd docs, so write directly to config.
-		[ -n "$2" ] && echo "$1" = "$2" >> "$siproxd_conf_prefix$sec.conf"
-		return 0
+		option_cb "$@"
 	}
 }
 
-stop_instance() {
-	local sec="$1"
-
-	config_get pid_file "$sec" pid_file "$siproxd_pid_dir/siproxd-$sec.pid"
-
-	SERVICE_PID_FILE="$pid_file" \
-	service_stop $siproxd_bin
+service_triggers()
+{
+	procd_add_reload_trigger "siproxd"
 }
 
-start() {
-	mkdir -p "$siproxd_conf_dir"
-	chmod 755 "$siproxd_conf_dir"
+start_service() {
+	mkdir -p "$CONF_DIR" "$REG_DIR" "$PID_DIR"
+	chmod 755 "$CONF_DIR" "$REG_DIR" "$PID_DIR"
+	chown "$UID:$GID" "$REG_DIR"
 
-	mkdir -p "$siproxd_registration_dir"
-	chmod 700 "$siproxd_registration_dir"
-	chown nobody:nogroup "$siproxd_registration_dir"
-
-	mkdir -p "$siproxd_pid_dir"
-	chmod 700 "$siproxd_pid_dir"
-	chown nobody:nogroup "$siproxd_pid_dir"
-
-	. /lib/functions/network.sh
 	siproxd_cb
 	config_load 'siproxd'
 }
-
-stop() {
-	config_load 'siproxd'
-	config_foreach stop_instance 'siproxd'
-}

net/sngrep/Makefile

@@ -1,6 +1,5 @@
 #
-# Copyright (C) 2016 - 2018 Daniel Engberg <daniel.engberg.lists@pyret.net>
-# Copyright (C) 2018 OpenWrt.org
+# Copyright (C) 2016 Daniel Engberg <daniel.engberg.lists@pyret.net>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -9,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sngrep
-PKG_VERSION=1.4.5
+PKG_VERSION=1.4.6
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net>
 PKG_LICENSE:=GPL-3.0+
@@ -17,7 +16,7 @@ PKG_LICENSE_FILES:=COPYING
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/irontec/$(PKG_NAME)/releases/download/v$(PKG_VERSION)
-PKG_HASH:=16f1566f4507ba560c7461cc7ff1c1653beb14b8baf7846269bbb4880564e57f
+PKG_HASH:=638d6557dc68db401b07d73b2e7f8276800281f021fe0c942992566d6b59a48a
 
 PKG_FIXUP:=autoreconf
 

net/sngrep/patches/010-capture_-fix-typo-in-FILE-object.patch

@@ -0,0 +1,35 @@
+commit 604f6d0ce2ec42ac494d76c95e68850ea6e7da8f
+Author: Sebastian Kemper <sebastian_ml@gmx.net>
+Date:   Sun Nov 4 16:58:00 2018 +0100
+
+    capture: fix typo in FILE object
+    
+    FILE *fstdin is defined, but when calling freopen() stdin is used instead
+    of fstdin.
+    
+    This causes the compile to fail:
+    
+      CC       sngrep-capture.o
+    capture.c: In function 'capture_offline':
+    capture.c:194:21: error: assignment of read-only variable 'stdin'
+             if (!(stdin = freopen("/dev/tty", "r", stdin))) {
+                         ^
+    make[5]: *** [Makefile:519: sngrep-capture.o] Error 1
+    
+    This commit fixes the typo.
+    
+    Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
+
+diff --git a/src/capture.c b/src/capture.c
+index 911c35f..a799413 100644
+--- a/src/capture.c
++++ b/src/capture.c
+@@ -191,7 +191,7 @@ capture_offline(const char *infile, const char *outfile)
+ 
+     // Reopen tty for ncurses after pcap have used stdin
+     if (!strncmp(infile, "/dev/stdin", 10)) {
+-        if (!(stdin = freopen("/dev/tty", "r", stdin))) {
++        if (!(fstdin = freopen("/dev/tty", "r", stdin))) {
+             fprintf(stderr, "Failed to reopen tty while using stdin for capture.");
+             return 1;
+         }

net/sngrep/patches/020-sip_-Do-not-crash-on-invalid-CSeq-values.patch

@@ -0,0 +1,24 @@
+commit c474a2dd04df56ae8a28e3bf22a12c9b57155ce4
+Author: Liviu Chircu <liviu@opensips.org>
+Date:   Sat Dec 8 20:00:36 2018 +0200
+
+    sip: Do not crash on invalid CSeq values
+    
+    Bad CSeq headers such as:
+        CSeq: 115211521152 INVITE\r\n
+    
+    ... would immediately cause a crash.
+
+diff --git a/src/sip.c b/src/sip.c
+index a916558..1a7f1b9 100644
+--- a/src/sip.c
++++ b/src/sip.c
+@@ -192,7 +192,7 @@ sip_init(int limit, int only_calls, int no_incomplete)
+             "^(X-Call-ID|X-CID):[ ]*([^ ]+)[ ]*\r$", match_flags);
+     }
+     regcomp(&calls.reg_response, "^SIP/2.0[ ]*(([0-9]{3}) [^\r]*)[ ]*\r", match_flags & ~REG_NEWLINE);
+-    regcomp(&calls.reg_cseq, "^CSeq:[ ]*([0-9]+) .+\r$", match_flags);
++    regcomp(&calls.reg_cseq, "^CSeq:[ ]*([0-9]{1,10}) .+\r$", match_flags);
+     regcomp(&calls.reg_from, "^(From|f):[ ]*[^:]*:(([^@>]+)@?[^\r>;]+)", match_flags);
+     regcomp(&calls.reg_to, "^(To|t):[ ]*[^:]*:(([^@>]+)@?[^\r>;]+)", match_flags);
+     regcomp(&calls.reg_valid, "^([A-Z]+ [a-zA-Z]+:|SIP/2.0 [0-9]{3})", match_flags & ~REG_NEWLINE);

net/yate/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=yate
 PKG_VERSION:=6.0.0-1
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://yate.null.ro/tarballs/yate6/
@@ -123,6 +123,10 @@ CONFIGURE_ARGS+= \
 	--without-doxygen \
 	--without-kdoc
 
+# The regexp implementation of musl 1.1.19 is not fully compatible with yate
+CONFIGURE_ARGS+= \
+	--enable-internalregex
+
 ifneq ($(CONFIG_PACKAGE_$(PKG_NAME)-mod-isaccodec),)
 CONFIGURE_ARGS+=$(if $(CONFIG_SOFT_FLOAT),--disable-isac-float --enable-isac-fixed,--disable-isac-fixed --enable-isac-float)
 else