Re: [asterisk-users] Change by Deutsche Telekom end of februar. Can someone help me?
On 18.02.2021 at 18:59, Michael Maier wrote:
> On 17.02.21 at 21:46 Luca Bertoncello wrote:
>> On 16.02.2021 at 22:32, Michael Maier wrote:
>>
>> Hi Michael
>> Maybe could you send me an abstract of your configuration?
>>>
>>> Take a look here [1]
>>
>> So, maybe I got it...
>> I tested the configuration with my Fax number and it seems to work (= I
>> can call the fax and can call my mobile phone from the fax with
>> "originate...").
>
> Congrats!

So, it seems it does NOT work as expected...
I tried to activate the FAX and it works, then I activated my number and it works, too.
Finally I activated the number of my wife and it does not work anymore...

If I call the number I can only see (verbose 42):

[Feb 18 19:57:12] NOTICE[19379] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '' failed for '217.0.21.64:5060' (callid: p65550t1613674632m753568c93349s2) - No matching endpoint found

and no phone rings...

After that, even if I restore the single number to SIP I only get the error and nothing works, until I restored _ALL_ numbers to SIP.

Does someone have an explanation and (better!) a solution to the problem?

Thanks
Luca Bertoncello
(lucab...@lucabert.de)

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Change by Deutsche Telekom end of februar. Can someone help me?
On 17.02.21 at 21:46 Luca Bertoncello wrote:
> On 16.02.2021 at 22:32, Michael Maier wrote:
>
> Hi Michael
>
>>> Maybe could you send me an abstract of your configuration?
>>
>> Take a look here [1]
>
> So, maybe I got it...
> I tested the configuration with my Fax number and it seems to work (= I
> can call the fax and can call my mobile phone from the fax with
> "originate...").

Congrats!

> On the registration I have:
>
> [pbxfax]
> type = registration
> retry_interval = 20
> max_retries = 10
> contact_user = 00493514977291
> expiration = 120
> transport = transport-udp
> outbound_auth = pbxfax
> client_uri = sip:03514977...@tel.t-online.de
> server_uri = sip:tel.t-online.de
>
> First: can I use tel.t-online.de or _MUST_ I change it?

No, you mustn't change it. You must use tel.t-online.de.

> If I understand
> your previous E-Mail, I'd say that I can leave tel.t-online.de...

Correctly!

> Then I have a question by the Dialplan... Currently I have:
>
> [fax-out]
> exten => _X.,1,NoOp()
> exten => _X.,n,Verbose(2,Call from FAX)
> exten => _X.,n,Dial(SIP/pbxfax/${EXTEN},,R)
>
> And I'll replace it with:
>
> [fax-out]
> exten => _X.,1,NoOp()
> exten => _X.,n,Verbose(2,Call from FAX)
> exten => _X.,n,Dial(PJSIP/pbxfax/sip:${EXTEN}@tel.t-online.de,,R)
>
> Is it correct? I tried with
> "PJSIP/pbxfax/pjsip:${EXTEN}@tel.t-online.de,,R" and it does NOT work...
> Is it correct, that I have to leave "sip:..."?

Don't know - I don't care about dialplan - I'm using FreePBX :-)

Thanks
Michael
[asterisk-users] AST-2021-005: Remote Crash Vulnerability in PJSIP channel driver
Asterisk Project Security Advisory - AST-2021-005

Product:             Asterisk
Summary:             Remote Crash Vulnerability in PJSIP channel driver
Nature of Advisory:  Denial of Service
Susceptibility:      Remote Unauthenticated Sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         December 4, 2020
Reported By:         Mauri de Souza Meneguzzo (3CPlus)
Posted On:           February 8, 2021
Last Updated On:     February 8, 2021
Advisory Contact:    Jcolp AT sangoma DOT com
CVE Name:            CVE-2021-26906

Description

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur. The code responsible for negotiating SDP in SIP responses incorrectly assumes that SDP negotiation will always be successful. If a SIP response containing an SDP that can not be negotiated is received a subsequent SDP negotiation on the same call can cause a crash.

If the "accept_multiple_sdp_answers" option in the "system" section of pjsip.conf is set to "yes" then any subsequent non-forked SIP response with SDP can trigger this crash.

If the "follow_early_media_fork" option in the "system" section of pjsip.conf is set to "yes" (the default) then any subsequent SIP responses with SDP from a forked destination can trigger this crash.

If a 200 OK with SDP is received from a forked destination it can also trigger this crash, even if the "follow_early_media_fork" option is not set to "yes".

In all cases this relies on a race condition with tight timing where the second SDP negotiation occurs before termination of the call due to the initial SDP negotiation failure.

Modules Affected: res_pjsip_session.c, PJSIP

Resolution

The issue has been fixed in PJSIP by changing the behavior of the pjmedia_sdp_neg_modify_local_offer2 function. If SDP was previously negotiated the code no longer assumes that it was successful and instead checks that SDP was negotiated.

This issue can only be resolved by upgrading to a fixed version or applying the provided patch.

Affected Versions

Product                Release Series
Asterisk Open Source   13.x             All versions
Asterisk Open Source   16.x             All versions
Asterisk Open Source   17.x             All versions
Asterisk Open Source   18.x             All versions
Certified Asterisk     16.x             All versions

Corrected In

Product                Release
Asterisk Open Source   13.38.2, 16.16.1, 17.9.2, 18.2.1
Certified Asterisk     16.8-cert6

Patches

Patch URL   Revision
htt
[asterisk-users] AST-2021-004: An unsuspecting user could crash Asterisk with multiple hold/unhold requests
Asterisk Project Security Advisory - AST-2021-004

Product:             Asterisk
Summary:             An unsuspecting user could crash Asterisk with multiple hold/unhold requests
Nature of Advisory:  Denial of Service
Susceptibility:      Remote authenticated sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         December 9, 2020
Reported By:         Edvin Vidmar
Posted On:
Last Updated On:     February 11, 2021
Advisory Contact:    gjoseph AT sangoma DOT com
CVE Name:            CVE-2021-26714

Description

Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.

Modules Affected: res_rtp_asterisk.c

Resolution

The packet size comparison terms have been corrected.

Affected Versions

Product                Release Series
Asterisk Open Source   16.x             16.16.0
Asterisk Open Source   17.x             17.9.1
Asterisk Open Source   18.x             18.2.0
Certified Asterisk     16.x             16.8-cert5

Corrected In

Product                Release
Asterisk Open Source   16.16.1, 17.9.2, 18.2.1
Certified Asterisk     16.8-cert6

Patches

Patch URL                                                             Revision
https://downloads.asterisk.org/pub/security/AST-2021-004-16.diff     Asterisk 16
https://downloads.asterisk.org/pub/security/AST-2021-004-17.diff     Asterisk 17
https://downloads.asterisk.org/pub/security/AST-2021-004-18.diff     Asterisk 18
https://downloads.asterisk.org/pub/security/AST-2021-004-16.8.diff   Certified Asterisk 16.8-cert6

Links

https://issues.asterisk.org/jira/browse/ASTERISK-29205
https://downloads.asterisk.org/pub/security/AST-2021-004.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-004.pdf and https://downloads.digium.com/pub/security/AST-2021-004.html

Revision History

Date               Editor          Revisions Made
February 4, 2021   George Joseph   Initial revision
February 9, 2021   George Joseph   Added CVE

Asterisk Project Security Advisory - AST-2021-004
Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
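
The signedness mismatch named in the AST-2021-004 description, shown as an added illustration of the bug class and its corrected comparison. This is not the res_rtp_asterisk.c code, which the advisory does not reproduce; BUF_SIZE and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1500 /* constructed receive-buffer size */

/* Mismatched check: the length is signed and only its upper bound is
 * tested, so a negative value passes. */
int fits_upper_bound_only(int pkt_len)
{
    return pkt_len <= BUF_SIZE;
}

/* What a size_t parameter (memcpy's count, for instance) receives if
 * that signed length is passed on unchanged. */
size_t as_copy_count(int pkt_len)
{
    return (size_t)pkt_len;
}

/* Corrected check: reject negatives, then compare both terms as size_t. */
int fits_checked(int pkt_len, size_t capacity)
{
    return pkt_len >= 0 && (size_t)pkt_len <= capacity;
}

/* Bounded copy built on the corrected check: bytes copied, or -1. */
int copy_packet(unsigned char *dst, size_t capacity,
                const unsigned char *src, int pkt_len)
{
    if (!fits_checked(pkt_len, capacity))
        return -1;
    memcpy(dst, src, (size_t)pkt_len);
    return pkt_len;
}

int main(void)
{
    static const int lengths[] = { -1, 0, 1500, 1501 }; /* constructed */
    unsigned char src[BUF_SIZE] = { 0 }, dst[BUF_SIZE];

    for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
        int len = lengths[i];
        printf("len %5d: upper-bound-only=%d checked=%d copy=%d as size_t=%zu\n",
               len, fits_upper_bound_only(len), fits_checked(len, sizeof(dst)),
               copy_packet(dst, sizeof(dst), src, len), as_copy_count(len));
    }
    return 0;
}
```
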
[asterisk-users] AST-2021-003: Remote attacker could prematurely tear down SRTP calls
Asterisk Project Security Advisory - AST-2021-003

Product:             Asterisk
Summary:             Remote attacker could prematurely tear down SRTP calls
Nature of Advisory:  Denial of Service
Susceptibility:      Remote unauthenticated sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         January 22, 2021
Reported By:         Alexander Traud
Posted On:
Last Updated On:     February 11, 2021
Advisory Contact:    gjoseph AT sangoma DOT com
CVE Name:            CVE-2021-26712

Description

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

Modules Affected: res_srtp.c res_rtp_asterisk.c

Resolution

Asterisk now implements SRTP replay protection via a "srtpreplayprotection" option in rtp.conf. The default is "yes"

Affected Versions

Product                Release Series
Asterisk Open Source   13.x             13.38.1
Asterisk Open Source   16.x             16.16.0
Asterisk Open Source   17.x             17.9.1
Asterisk Open Source   18.x             18.2.0
Certified Asterisk     16.x             16.8-cert5

Corrected In

Product                Release
Asterisk Open Source   13.38.2, 16.16.1, 17.9.2, 18.2.1
Certified Asterisk     16.8-cert6

Patches

Patch URL                                                             Revision
https://downloads.asterisk.org/pub/security/AST-2021-003-13.diff     13.38.2
https://downloads.asterisk.org/pub/security/AST-2021-003-16.diff     16.16.1
https://downloads.asterisk.org/pub/security/AST-2021-003-17.diff     17.9.2
https://downloads.asterisk.org/pub/security/AST-2021-003-18.diff     18.2.1
https://downloads.asterisk.org/pub/security/AST-2021-003-16.8.diff   Certified Asterisk 16.8-cert6

Links

https://issues.asterisk.org/jira/browse/ASTERISK-29260
https://downloads.asterisk.org/pub/security/AST-2021-003.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-003.pdf and https://downloads.digium.com/pub/security/AST-2021-003.html

Revision History

Date               Editor          Revisions Made
February 4, 2021   George Joseph   Initial
February 5, 2021   George Joseph   Added CVE ID

Asterisk Project Security Advisory - AST-2021-003
Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
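
How a receiver rejects replayed packets, as an added example of the sliding-window check that SRTP replay protection (RFC 3711) is built on. This is not Asterisk or libsrtp code; the structure, function names and the packet-index trace are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64 /* packets tracked; RFC 3711 requires at least 64 */

/* Constructed receiver state: bit n of `seen` set means the packet
 * with index (highest - n) has already been received. */
struct replay_window {
    int started;
    uint64_t highest;
    uint64_t seen;
};

/* Returns 1 and records the index if it is new, 0 for a replay or for
 * an index older than the window. A real SRTP stack records the index
 * only after the packet's authentication tag has verified. */
int replay_accept(struct replay_window *w, uint64_t index)
{
    if (!w->started || index > w->highest) {
        uint64_t shift = w->started ? index - w->highest : WINDOW;
        w->seen = (shift >= WINDOW ? 0 : w->seen << shift) | 1;
        w->highest = index;
        w->started = 1;
        return 1;
    }
    uint64_t behind = w->highest - index;
    if (behind >= WINDOW)
        return 0; /* too old to judge: drop */
    if (w->seen & (UINT64_C(1) << behind))
        return 0; /* already received: replay */
    w->seen |= UINT64_C(1) << behind;
    return 1;
}

/* Constructed index trace: in order, reordered, replayed, stale. */
static const uint64_t trace[] = { 100, 101, 103, 102, 101, 103, 200, 130, 150, 150 };
#define TRACE_LEN (sizeof(trace) / sizeof(trace[0]))

/* Fills verdict[] for the first n trace entries; returns the number accepted. */
unsigned run_trace(int verdict[], size_t n)
{
    struct replay_window w = { 0 };
    unsigned accepted = 0;
    for (size_t i = 0; i < n && i < TRACE_LEN; i++) {
        verdict[i] = replay_accept(&w, trace[i]);
        accepted += (unsigned)verdict[i];
    }
    return accepted;
}

int main(void)
{
    int verdict[TRACE_LEN];
    unsigned ok = run_trace(verdict, TRACE_LEN);
    for (size_t i = 0; i < TRACE_LEN; i++)
        printf("index %3llu: %s\n", (unsigned long long)trace[i], verdict[i] ? "accept" : "drop");
    printf("accepted %u of %zu\n", ok, (size_t)TRACE_LEN);
    return 0;
}
```
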
[asterisk-users] AST-2021-002: Remote crash possible when negotiating T.38
Asterisk Project Security Advisory - AST-2021-002

Product:             Asterisk
Summary:             Remote crash possible when negotiating T.38
Nature of Advisory:  Denial of service
Susceptibility:      Remote authenticated sessions
Severity:            Minor
Exploits Known:      No
Reported On:         December 8, 2020
Reported By:         Gregory Massel
Posted On:
Last Updated On:     February 5, 2021
Advisory Contact:    kharwell AT sangoma DOT com
CVE Name:            CVE-2021-26717

Description

When re-negotiating for T.38 if the initial remote response was delayed just enough Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream then Asterisk would crash.

Modules Affected: res_pjsip_session.c, res_pjsip_t38.c

Resolution

When re-negotiating for T.38, and a delay occurs Asterisk now sends SDP only for the expected T.38 stream. A check was also put in place to ensure an active T.38 media stream is active within Asterisk when attempting to change state for fax.

Affected Versions

Product                Release Series   Introduced
Asterisk Open Source   16.x             16.15.0
Asterisk Open Source   17.x             17.9.0
Asterisk Open Source   18.x             18.1.0
Certified Asterisk     16.8             16.8-cert4

Corrected In

Product                Release
Asterisk Open Source   16.16.1, 17.9.2, 18.2.1
Certified Asterisk     16.8-cert6

Patches

Patch URL                                                             Revision
https://downloads.asterisk.org/pub/security/AST-2021-002-16.diff     Asterisk 16
https://downloads.asterisk.org/pub/security/AST-2021-002-17.diff     Asterisk 17
https://downloads.asterisk.org/pub/security/AST-2021-002-18.diff     Asterisk 18
https://downloads.asterisk.org/pub/security/AST-2021-002-16.8.diff   Certified Asterisk 16.8-cert6

Links

https://issues.asterisk.org/jira/browse/ASTERISK-29203
https://downloads.asterisk.org/pub/security/AST-2021-002.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2021-002.pdf and http://downloads.digium.com/pub/security/AST-2021-002.html

Revision History

Date               Editor          Revisions Made
February 1, 2021   Kevin Harwell   Initial revision

Asterisk Project Security Advisory - AST-2021-002
Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[asterisk-users] AST-2021-001: Remote crash in res_pjsip_diversion
Asterisk Project Security Advisory - AST-2021-001

Product:             Asterisk
Summary:             Remote crash in res_pjsip_diversion
Nature of Advisory:  Denial of service
Susceptibility:      Remote authenticated sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         December 28 2020
Reported By:         Ivan Poddubny
Posted On:           January 04 2021
Last Updated On:     January 04 2021
Advisory Contact:    gjoseph AT sangoma DOT com
CVE Name:            CVE-2020-35776

Description

If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of entries in the header exceeds the size of the entry array and causes a crash.

Modules Affected: res_pjsip_diversion.c

Resolution

Before updating the "Supported" header with a new entry, Asterisk now checks that the entry doesn't already exist and that adding an entry won't exceed the size of the entry array.

Affected Versions

Product                Release Series
Asterisk Open Source   13.X             13.38.1
Asterisk Open Source   16.X             16.15.1
Asterisk Open Source   17.X             17.9.1
Asterisk Open Source   18.X             18.1.1

Corrected In

Product                Release
Asterisk Open Source   13.38.2, 16.16.1, 17.9.2, 18.2.1

Patches

Patch URL                                                          Revision
https://downloads.digium.com/pub/security/AST-2021-001-13.diff    13.38.2
https://downloads.digium.com/pub/security/AST-2021-001-16.diff    16.16.1
https://downloads.digium.com/pub/security/AST-2021-001-17.diff    17.9.2
https://downloads.digium.com/pub/security/AST-2021-001-18.diff    18.2.1

Links

https://issues.asterisk.org/jira/browse/ASTERISK-29227
https://downloads.asterisk.org/pub/security/AST-2021-001.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-001.pdf and https://downloads.digium.com/pub/security/AST-2021-001.html

Revision History

Date                Editor          Revisions Made
December 29, 2020   George Joseph   Initial revision

Asterisk Project Security Advisory - AST-2021-001
Copyright © 2020 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
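
The two checks named in the AST-2021-001 resolution (entry already present, array full), as an added example on a constructed fixed-size tag list. This is not the res_pjsip_diversion.c patch or a PJSIP type; struct tag_hdr, MAX_ENTRIES and the tag strings are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a header that stores option tags in a fixed
 * array. Names and capacity are assumptions, not PJSIP definitions. */
#define MAX_ENTRIES 8

struct tag_hdr {
    unsigned count;
    const char *values[MAX_ENTRIES];
};

enum add_result { TAG_ADDED, TAG_DUPLICATE, TAG_FULL };

/* Pre-fix pattern, for contrast: hdr->values[hdr->count++] = tag; on
 * every response, with neither check, so count walks past values[].
 * The version below skips an entry that already exists and refuses
 * one that would not fit in the array. */
enum add_result add_tag_checked(struct tag_hdr *hdr, const char *tag)
{
    for (unsigned i = 0; i < hdr->count; i++) {
        if (strcmp(hdr->values[i], tag) == 0)
            return TAG_DUPLICATE;
    }
    if (hdr->count >= MAX_ENTRIES)
        return TAG_FULL;
    hdr->values[hdr->count++] = tag;
    return TAG_ADDED;
}

/* Same tag offered once per simulated response: returns final count. */
unsigned count_after_repeats(unsigned responses)
{
    struct tag_hdr hdr = { 0 };
    for (unsigned i = 0; i < responses; i++)
        add_tag_checked(&hdr, "tag-a");
    return hdr.count;
}

/* Distinct tags offered past capacity: returns how many were refused. */
unsigned refused_when_full(void)
{
    static const char *tags[] = { "t0", "t1", "t2", "t3", "t4", "t5",
                                  "t6", "t7", "t8", "t9", "t10", "t11" };
    struct tag_hdr hdr = { 0 };
    unsigned refused = 0;
    for (size_t i = 0; i < sizeof(tags) / sizeof(tags[0]); i++) {
        if (add_tag_checked(&hdr, tags[i]) == TAG_FULL)
            refused++;
    }
    return refused;
}

int main(void)
{
    printf("entries after 1000 repeats: %u, refused past capacity: %u\n",
           count_after_repeats(1000), refused_when_full());
    return 0;
}
```
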
[asterisk-users] Asterisk 13.38.2, 16.16.1, 17.9.2, 18.2.1 and 16.8-cert6 Now Available (Security)
The Asterisk Development Team would like to announce security releases for Asterisk 13, 16, 17 and 18, and Certified Asterisk 16.8. The available releases are released as versions 13.38.2, 16.16.1, 17.9.2, 18.2.1 and 16.8-cert6.

These releases are available for immediate download at

https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2021-001: Remote crash in res_pjsip_diversion
  If a registered user is tricked into dialing a

* AST-2021-002: Remote crash possible when negotiating T.38
  When

* AST-2021-003: Remote attacker could prematurely tear down SRTP calls
  An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

* AST-2021-004: An unsuspecting user could crash Asterisk with multiple hold/unhold requests
  Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.

* AST-2021-005: Remote Crash Vulnerability in PJSIP channel driver
  Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.

For a full list of changes in the current releases, please see the ChangeLogs:

https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.38.2
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.16.1
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-17.9.2
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.2.1
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert6

The security advisories are available at:

https://downloads.asterisk.org/pub/security/AST-2021-001.pdf
https://downloads.asterisk.org/pub/security/AST-2021-002.pdf
https://downloads.asterisk.org/pub/security/AST-2021-003.pdf
https://downloads.asterisk.org/pub/security/AST-2021-004.pdf
https://downloads.asterisk.org/pub/security/AST-2021-005.pdf

Thank you for your continued support of Asterisk!