From: <abe...@us...> - 2016-02-10 23:25:26
Revision: 7515 http://sourceforge.net/p/astlinux/code/7515 Author: abelbeck Date: 2016-02-10 23:25:23 +0000 (Wed, 10 Feb 2016) Log Message: ----------- asterisk, version 1.8 security patches Ref: http://downloads.asterisk.org/pub/security/AST-2016-001.pdf Ref: http://downloads.asterisk.org/pub/security/AST-2016-002.pdf Ref: http://downloads.asterisk.org/pub/security/AST-2016-003.pdf Modified Paths: -------------- branches/1.0/package/asterisk/asterisk-1.8-extension-changed-verbosity-chan_sip.patch Added Paths: ----------- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch
Added: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch 2016-02-10 23:25:23 UTC (rev 7515)
@@ -0,0 +1,140 @@
+diff --git a/configs/http.conf.sample b/configs/http.conf.sample
+index 1a7f4fd..9a06fcf 100644
+--- a/configs/http.conf.sample
++++ b/configs/http.conf.sample
+@@ -67,10 +67,31 @@ bindaddr=127.0.0.1
+ ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+ ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
+ ;
++;
+ ; To produce a certificate you can e.g. use openssl. This places both the cert and
+ ; private in same .pem file.
+ ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+ ;
++; tlscipher= ; The list of allowed ciphers
++; ; if none are specified the following cipher
++; ; list will be used instead:
++; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
++; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
++; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
++; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
++; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
++; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
++; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
++; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
++; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
++;
++; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
++; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
++; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
++;
++; tlsservercipherorder=yes ; Use the server preference order instead of the client order
++; ; Defaults to "yes"
++;
+ ; The post_mappings section maps URLs to real paths on the filesystem. If a
+ ; POST is done from within an authenticated manager session to one of the
+ ; configured POST mappings, then any files in the POST will be placed in the
+diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
+index f3f5e1f..eb7166f 100644
+--- a/include/asterisk/tcptls.h
++++ b/include/asterisk/tcptls.h
+@@ -79,7 +79,15 @@ enum ast_ssl_flags {
+ /*! Use SSLv3 for outgoing client connections */
+ AST_SSL_SSLV3_CLIENT = (1 << 4),
+ /*! Use TLSv1 for outgoing client connections */
+- AST_SSL_TLSV1_CLIENT = (1 << 5)
++ AST_SSL_TLSV1_CLIENT = (1 << 5),
++ /*! Use server cipher order instead of the client order */
++ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
++ /*! Disable TLSv1 support */
++ AST_SSL_DISABLE_TLSV1 = (1 << 7),
++ /*! Disable TLSv1.1 support */
++ AST_SSL_DISABLE_TLSV11 = (1 << 8),
++ /*! Disable TLSv1.2 support */
++ AST_SSL_DISABLE_TLSV12 = (1 << 9),
+ };
+
+ struct ast_tls_config {
+diff --git a/main/http.c b/main/http.c
+index 9bebbe7..4bfa985 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
+ }
+ http_tls_cfg.pvtfile = ast_strdup("");
+
++ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
++ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
++
+ if (http_tls_cfg.cipher) {
+ ast_free(http_tls_cfg.cipher);
+ }
+- http_tls_cfg.cipher = ast_strdup("");
++ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
+
+ AST_RWLIST_WRLOCK(&uri_redirects);
+ while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
+@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload)
+ && strcasecmp(v->name, "tlsdontverifyserver")
+ && strcasecmp(v->name, "tlsclientmethod")
+ && strcasecmp(v->name, "sslclientmethod")
+- && strcasecmp(v->name, "tlscipher")
+- && strcasecmp(v->name, "sslcipher")
+ && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+diff --git a/main/tcptls.c b/main/tcptls.c
+index 6f918ce..0f27e45 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ return 0;
+ #else
+ int disable_ssl = 0;
++ long ssl_opts = 0;
+
+ if (!cfg->enabled)
+ return 0;
+@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ * them. SSLv23_*_method supports TLSv1+.
+ */
+ if (disable_ssl) {
+- long ssl_opts;
++ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ }
++
++ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
++ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
++ }
+
+- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
++ ssl_opts |= SSL_OP_NO_TLSv1;
+ }
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
++ ssl_opts |= SSL_OP_NO_TLSv1_1;
++ }
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
++ ssl_opts |= SSL_OP_NO_TLSv1_2;
++ }
++
++ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+
+ SSL_CTX_set_verify(cfg->ssl_ctx,
+ ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
+ ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
+ ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
+ }
++ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
++ } else if (!strcasecmp(varname, "tlsdisablev1")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
++ } else if (!strcasecmp(varname, "tlsdisablev11")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
++ } else if (!strcasecmp(varname, "tlsdisablev12")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
+ } else {
+ return -1;
+ }
Added: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch 2016-02-10 23:25:23 UTC (rev 7515)
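Review bot: In the `__ssl_setup` hunk of main/tcptls.c (AST-2016-001 patch), `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are used unconditionally, but OpenSSL defines them only from 1.0.1 onward, so a build against an older libssl fails to compile instead of degrading. Wrapping the `AST_SSL_DISABLE_TLSV11` branch in `#if defined(SSL_OP_NO_TLSv1_1)` … `#endif`, and the TLSv1.2 branch likewise, keeps the patch buildable there; logging a warning when the option is requested but unavailable would tell the operator the setting had no effect. Separately, the hardened defaults (`AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER` and the cipher list) are applied only in `__ast_http_load`, so any other user of `ast_tls_read_conf` presumably keeps the previous defaults unless configured explicitly; the sample config comment should say that these defaults are specific to the HTTP server. Both functions continue outside their hunks.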
@@ -0,0 +1,18 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 16e3e53..86c52e9 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -3771,6 +3771,13 @@ static int retrans_pkt(const void *data)
+ }
+
+ /* For non-invites, a maximum of 4 secs */
++ if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
++ /*
++ * Uh Oh, we will have an integer overflow.
++ * Recalculate previous timeout time instead.
++ */
++ pkt->timer_a = pkt->timer_a / 2;
++ }
+ siptimer_a = pkt->timer_t1 * pkt->timer_a; /* Double each time */
+ if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
+ siptimer_a = 4000;
Added: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch 2016-02-10 23:25:23 UTC (rev 7515)
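Review bot: The new guard in `retrans_pkt` (AST-2016-002 patch) evaluates `INT_MAX / pkt->timer_a` although nothing visible in this hunk establishes that `timer_a` is non-zero and positive; if it can be 0 at this point the overflow check is itself a division by zero, and a negative value makes the comparison meaningless. The code that sets `timer_a` sits above the hunk, so this may already be guaranteed; if it is, the comment should state that invariant, otherwise the condition can carry it: `if (pkt->timer_a > 0 && INT_MAX / pkt->timer_a < pkt->timer_t1) {`. Halving `timer_a` once restores a safe product only if the value was doubled exactly once since the last multiplication that fit, which the comment should also spell out.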
@@ -0,0 +1,28 @@
+diff --git a/main/udptl.c b/main/udptl.c
+index 8885d7a..136dcb6 100644
+--- a/main/udptl.c
++++ b/main/udptl.c
+@@ -231,16 +231,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
+ if (decode_length(buf, limit, len, &octet_cnt) != 0)
+ return -1;
+
+- if (octet_cnt > 0) {
+- /* Make sure the buffer contains at least the number of bits requested */
+- if ((*len + octet_cnt) > limit)
+- return -1;
+-
+- *p_num_octets = octet_cnt;
+- *p_object = &buf[*len];
+- *len += octet_cnt;
++ /* Make sure the buffer contains at least the number of bits requested */
++ if ((*len + octet_cnt) > limit) {
++ return -1;
+ }
+
++ *p_num_octets = octet_cnt;
++ *p_object = &buf[*len];
++ *len += octet_cnt;
++
+ return 0;
+ }
+ /*- End of function --------------------------------------------------------*/
Modified: branches/1.0/package/asterisk/asterisk-1.8-extension-changed-verbosity-chan_sip.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-extension-changed-verbosity-chan_sip.patch 2016-02-10 17:31:49 UTC (rev 7514)
+++ branches/1.0/package/asterisk/asterisk-1.8-extension-changed-verbosity-chan_sip.patch 2016-02-10 23:25:23 UTC (rev 7515)
@@ -1,6 +1,6 @@
--- asterisk-1.8.32.3/channels/chan_sip.c.orig 2015-04-23 10:15:19.000000000 -0500
+++ asterisk-1.8.32.3/channels/chan_sip.c 2015-04-23 10:15:40.000000000 -0500
-@@ -15121,7 +15121,7 @@
+@@ -15128,7 +15128,7 @@
ast_set_flag(&p->flags[1], SIP_PAGE2_STATECHANGEQUEUE); } }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
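Review bot: In `decode_open_type` (AST-2016-003 patch) the bounds check `(*len + octet_cnt) > limit` adds before comparing, and with `unsigned int` operands (`*len` and `limit` per the signature; `octet_cnt` is declared above the hunk) the sum can wrap and let an oversized count pass. The subtraction form cannot wrap: `if (*len > limit || octet_cnt > limit - *len) { return -1; }`. Whether `decode_length` can ever return a count large enough to wrap is not visible here, so this is hardening rather than a demonstrated defect. The comment also says "number of bits" while the value counts octets; `/* Make sure the buffer contains at least the number of octets requested */` matches the code.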