Re: [asterisk-users] app_rpt

[Steve Totaro]

On Sat, Mar 10, 2012 at 11:23 PM, Tzafrir Cohen wrote:

> On Fri, Mar 09, 2012 at 03:10:50PM -0600, Kevin P. Fleming wrote:
> > On 03/09/2012 02:56 PM, Josh Freeman wrote:
> > >The most current patched Asterisk, along with the most current app_rpt,
> > >can be found at
> > >
> > >http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/
> >
> > I'm really trying to avoid fanning the flames here, but if that code
> > is *really* based on 1.4.23, and hasn't been kept up to date with
> > the Asterisk 1.4 releases, then that means it contains a number of
> > security vulnerabilities that users should be aware of. Some of them
> > are user enumeration vulnerabilities, but others (like AST-2011-010,
> > AST-2011-005, AST-2011-001, and maybe more) are more serious.
>
> http://patch-tracker.debian.org/package/asterisk/1:1.4.21.2~dfsg-3+lenny5
> Or:
>
> http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/lenny-security/debian/patches/
>
> Those are the patches for the Asterisk package in Debian 5.0 (Lenny). It
> is based on 1.4.21.2 (though with some extra patches: part of the
> bristuff patch). At least for a while I tried to check every security
> fix to see if it applies to Lenny.
>
> --
>   Tzafrir Cohen
> icq#16849755  jabber:tzafrir.co...@xorcom.com
> +972-50-7952406   mailto:tzafrir.co...@xorcom.com
> http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir
>
>
I don't use Debian, but since this is a fork, the patches may break app_rpt
again like DAHDI did.

I may fire up a Debian Lenny VM and see if the fork with the patches match
up and work, and then if app_rpt and app_radio compile or throw an error.

The latest all in one ISO uses CentOS 5.7.

Thanks,
Steve Totaro
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Tzafrir Cohen]

On Fri, Mar 09, 2012 at 03:10:50PM -0600, Kevin P. Fleming wrote:
> On 03/09/2012 02:56 PM, Josh Freeman wrote:
> >The most current patched Asterisk, along with the most current app_rpt,
> >can be found at
> >
> >http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/
> 
> I'm really trying to avoid fanning the flames here, but if that code
> is *really* based on 1.4.23, and hasn't been kept up to date with
> the Asterisk 1.4 releases, then that means it contains a number of
> security vulnerabilities that users should be aware of. Some of them
> are user enumeration vulnerabilities, but others (like AST-2011-010,
> AST-2011-005, AST-2011-001, and maybe more) are more serious.

http://patch-tracker.debian.org/package/asterisk/1:1.4.21.2~dfsg-3+lenny5
Or:
http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/lenny-security/debian/patches/

Those are the patches for the Asterisk package in Debian 5.0 (Lenny). It
is based on 1.4.21.2 (though with some extra patches: part of the
bristuff patch). At least for a while I tried to check every security
fix to see if it applies to Lenny.

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Steve Totaro]

On Fri, Mar 9, 2012 at 4:10 PM, Kevin P. Fleming wrote:

> On 03/09/2012 02:56 PM, Josh Freeman wrote:
>
>> The most current patched Asterisk, along with the most current app_rpt,
>> can be found at
>>
>> http://svn.ohnosec.org/svn/**projects/allstar/astsrc-1.4.**23-pre/trunk/
>>
>
> I'm really trying to avoid fanning the flames here, but if that code is
> *really* based on 1.4.23, and hasn't been kept up to date with the Asterisk
> 1.4 releases, then that means it contains a number of security
> vulnerabilities that users should be aware of. Some of them are user
> enumeration vulnerabilities, but others (like AST-2011-010, AST-2011-005,
> AST-2011-001, and maybe more) are more serious.
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at www.digium.com & www.asterisk.org
>
>
>
Kevin,

You are not fanning any flames, that is a good point and anyone that
deploys this technology should have to read a disclaimer as
to vulnerabilities.  I am well aware that there have been some serious
security issues in those earlier versions.

As for an Asterisk Box, or probably better described by what It is used
for, a Repeater or Base Station Controller Boxen, I have them locked down
in IPTables and in Asterisk.  There are usually not more then a dozen or so
RoIP conncted repeaters.

In my case, I only open one port for OpenVPN and I define the other
repeaters by host=IP.  As far as "Soft Radios and Autopatch" that function
is taken care of by a "real" Asterisk server that is more of a PBX and
faces the world, not the "Repeater Controller", again, one entry defined by
IP over OpenVPN.  Bridged or routed, they non-routeable IPs.  The RoIP VPN
is only accessible through that tunnel, which is dedicated for that purpose.

I am very mindful of security, especially dealing with DoD, but pretty much
apply the same kind of security on any implementation.

Obviously, these security issues should be patched, but I feel that in my
implementations, things are very secure.

Thanks,
Steve T
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Kevin P. Fleming]

On 03/09/2012 02:56 PM, Josh Freeman wrote:

The most current patched Asterisk, along with the most current app_rpt,
can be found at

http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/


I'm really trying to avoid fanning the flames here, but if that code is 
*really* based on 1.4.23, and hasn't been kept up to date with the 
Asterisk 1.4 releases, then that means it contains a number of security 
vulnerabilities that users should be aware of. Some of them are user 
enumeration vulnerabilities, but others (like AST-2011-010, 
AST-2011-005, AST-2011-001, and maybe more) are more serious.


--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Josh Freeman]

The most current patched Asterisk, along with the most current app_rpt,
can be found at

http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/

The code in the Digium SVN repository (at the link Steve provided) has
not been updated in three years.

On 3/9/2012 7:52 AM, Steve Totaro wrote:
>
> Here are details on 1.4 I have not done 1.8.
>
>  "Unfortunately, things are in somewhat of a mess.
>
> There are major logistical hurdles with getting app_rpt code back into
> the main Digium source tree. In addition, the latest versions of
> asterisk have broken some of the code which app_rpt.c depends on, The
> best thing to do at this point in time is to download the files.tar.gz
> patched version of Asterisk from http://dl.allstarlink.org/installcd
> and unpack it in /usr/src. Configure and compile zaptel, libpri, and
> asterisk just like you would be downloading the sources
> from asterisk.org .
>
> Once you have this version running, you can download the latest
> app_rpt.c from:
>
> http://svn.digium.com/view/asterisk/team/jdixon/chan_usbradio-1.4/apps
>
> and install it in /usr/src/asterisk/apps and recompile asterisk."

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Márkus Béla]

Steve,

thanks for yout help.

I thought to start with 1.8 as the current long term supported release 
but of course will go back if it is requered to get it up and running.


Regards... Béla


2012.03.09. 15:00 keltezéssel, Steve Totaro írta:



On Fri, Mar 9, 2012 at 8:52 AM, Steve Totaro 
mailto:stot...@asteriskhelpdesk.com>> 
wrote:




2012/3/9 Paul Belanger mailto:pabelan...@digium.com>>

On 12-03-09 03:18 AM, Márkus Béla wrote:

how can I add/enable app_rpt module to Asterisk 1.8?

Make sure DAHDI is installed.  However, there is a patch on
reviewboard[1] that will see this module be removed from asterisk.

The code is out-dated and no longer maintained within asterisk.

[1] https://reviewboard.asterisk.org/r/1764/
-- 
Paul Belanger

Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org


Here are details on 1.4 I have not done 1.8.

"Unfortunately, things are in somewhat of a mess.

There are major logistical hurdles with getting app_rpt code back into
the main Digium source tree. In addition, the latest versions of
asterisk have broken some of the code which app_rpt.c depends on, The
best thing to do at this point in time is to download the files.tar.gz
patched version of Asterisk from http://dl.allstarlink.org/installcd
and unpack it in /usr/src. Configure and compile zaptel, libpri, and
asterisk just like you would be downloading the sources from
asterisk.org .

Once you have this version running, you can download the latest
app_rpt.c from:

http://svn.digium.com/view/asterisk/team/jdixon/chan_usbradio-1.4/apps

and install it in /usr/src/asterisk/apps and recompile asterisk."


There may be a working version of app_rpt.c for 1.8 in Jim Dixon's 
repo but I doubt it.  Worth a look, I guess.


Not sure why you need 1.8 for a radio/repeater controller.

Thanks,
Steve T


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Steve Totaro]

On Fri, Mar 9, 2012 at 8:52 AM, Steve Totaro
wrote:

>
>
> 2012/3/9 Paul Belanger 
>
>> On 12-03-09 03:18 AM, Márkus Béla wrote:
>>
>>> how can I add/enable app_rpt module to Asterisk 1.8?
>>>
>>>  Make sure DAHDI is installed.  However, there is a patch on
>> reviewboard[1] that will see this module be removed from asterisk.
>>
>> The code is out-dated and no longer maintained within asterisk.
>>
>> [1] 
>> https://reviewboard.asterisk.**org/r/1764/
>> --
>> Paul Belanger
>> Digium, Inc. | Software Developer
>> twitter: pabelanger | IRC: pabelanger (Freenode)
>> Check us out at: http://digium.com & http://asterisk.org
>>
>>
> Here are details on 1.4 I have not done 1.8.
>
>  "Unfortunately, things are in somewhat of a mess.
>
> There are major logistical hurdles with getting app_rpt code back into
> the main Digium source tree. In addition, the latest versions of
> asterisk have broken some of the code which app_rpt.c depends on, The
> best thing to do at this point in time is to download the files.tar.gz
> patched version of Asterisk from http://dl.allstarlink.org/installcd
> and unpack it in /usr/src. Configure and compile zaptel, libpri, and
> asterisk just like you would be downloading the sources from asterisk.org.
>
> Once you have this version running, you can download the latest
> app_rpt.c from:
>
> http://svn.digium.com/view/asterisk/team/jdixon/chan_usbradio-1.4/apps
>
> and install it in /usr/src/asterisk/apps and recompile asterisk."
>

There may be a working version of app_rpt.c for 1.8 in Jim Dixon's repo but
I doubt it.  Worth a look, I guess.

Not sure why you need 1.8 for a radio/repeater controller.

Thanks,
Steve T
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Steve Totaro]

2012/3/9 Paul Belanger 

> On 12-03-09 03:18 AM, Márkus Béla wrote:
>
>> how can I add/enable app_rpt module to Asterisk 1.8?
>>
>>  Make sure DAHDI is installed.  However, there is a patch on
> reviewboard[1] that will see this module be removed from asterisk.
>
> The code is out-dated and no longer maintained within asterisk.
>
> [1] 
> https://reviewboard.asterisk.**org/r/1764/
> --
> Paul Belanger
> Digium, Inc. | Software Developer
> twitter: pabelanger | IRC: pabelanger (Freenode)
> Check us out at: http://digium.com & http://asterisk.org
>
>
Here are details on 1.4 I have not done 1.8.

 "Unfortunately, things are in somewhat of a mess.

There are major logistical hurdles with getting app_rpt code back into
the main Digium source tree. In addition, the latest versions of
asterisk have broken some of the code which app_rpt.c depends on, The
best thing to do at this point in time is to download the files.tar.gz
patched version of Asterisk from http://dl.allstarlink.org/installcd
and unpack it in /usr/src. Configure and compile zaptel, libpri, and
asterisk just like you would be downloading the sources from asterisk.org.

Once you have this version running, you can download the latest
app_rpt.c from:

http://svn.digium.com/view/asterisk/team/jdixon/chan_usbradio-1.4/apps

and install it in /usr/src/asterisk/apps and recompile asterisk."
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Márkus Béla]

Paul,

thanks for the info. I'm the maintainer od the Asterisk extension in 
Tiny Core Linux and received a request to have Asterisk with app_rpt 
module in the repository. I haven't seen it before and didn't find it 
listed in confure's help as a configuration option. I will try to 
rebuild actual 1.8 with DAHDI and see the result.


Regards... Bela


2012.03.09. 13:06 keltezéssel, Paul Belanger írta:

On 12-03-09 03:18 AM, Márkus Béla wrote:

how can I add/enable app_rpt module to Asterisk 1.8?

Make sure DAHDI is installed.  However, there is a patch on 
reviewboard[1] that will see this module be removed from asterisk.


The code is out-dated and no longer maintained within asterisk.

[1] https://reviewboard.asterisk.org/r/1764/



--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt

[Paul Belanger]

On 12-03-09 03:18 AM, Márkus Béla wrote:

how can I add/enable app_rpt module to Asterisk 1.8?

Make sure DAHDI is installed.  However, there is a patch on 
reviewboard[1] that will see this module be removed from asterisk.


The code is out-dated and no longer maintained within asterisk.

[1] https://reviewboard.asterisk.org/r/1764/
--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt and chan_usbradio removal from trunk

[Tzafrir Cohen]

On Thu, Feb 23, 2012 at 11:56:12AM -0600, Josh Freeman wrote:
> Just to inform the list -
> 
> App_rpt and chan_usbradio are still regularly used and maintained, but
> now live in a repository at ohnosec.org along with the forked-off builds
> of Asterisk 1.4 and Zaptel that are required to have them work properly.
> 
> I'm told there is some fundamental incompatibility between canonical
> Zaptel/DAHDI and the radio application that can't be effectively worked
> around, or would take more effort than it would be worth to fix and keep
> up with DAHDI changes. This was the motivation for forking Asterisk and
> maintaining a separate codebase.

I'd appreciate some more details. Is it related to dahdi_cfg? pciradio
(is it still used?) ?

Bug reports would be welcomed.

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] app_rpt and chan_usbradio removal from trunk

[Josh Freeman]

Just to inform the list -

App_rpt and chan_usbradio are still regularly used and maintained, but
now live in a repository at ohnosec.org along with the forked-off builds
of Asterisk 1.4 and Zaptel that are required to have them work properly.

I'm told there is some fundamental incompatibility between canonical
Zaptel/DAHDI and the radio application that can't be effectively worked
around, or would take more effort than it would be worth to fix and keep
up with DAHDI changes. This was the motivation for forking Asterisk and
maintaining a separate codebase.

Although I can't speak authoritatively for the app_rpt community, I'll
say that I haven't seen too much concern over being stuck with 1.4.
Those of us who really like the idea of integrating our app_rpt radio
systems with more conventional Asterisk use cases find it much easier
(and often more desirable anyway, from a system viewpoint) to just set
up a second box with canonical 1.8 or 10 and trunk the two together.

Josh Freeman

On 02/23/2012 08:57 AM, Paul Belanger wrote:
> Good morning,
>
> There is a new patch up on reviewboard[1] right now for the removal of
> app_rpt and chan_usbradio from Asterisk trunk.  As it stands right now
> these two modules do not appear to be maintained in this repository
> and have out-of-date code.
>
> Russellb's patch will see these to modules removed from asterisk trunk
> (asterisk 11).  If a large part of the community wishes to help
> maintain this code, please speak up.
>
> As it stands right now, we'll likely wait a week or two remove
> committing the patch.
>
> [1] - https://reviewboard.asterisk.org/r/1764/


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users