[Buildroot] [git commit] package/freeswitch: security bump version to 1.10.7

Peter Korsgaard peter at korsgaard.com
Thu Jan 27 07:12:30 UTC 2022


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > commit: https://git.buildroot.net/buildroot/commit/?id=829777c1c9a0d40c8c5753e6fe86acfc78edfc92
 > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

 > Fixes the following security issues:

 > - CVE-2021-41105: FreeSWITCH susceptible to Denial of Service via invalid
 >   SRTP packets

 >   When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls
 >   can be terminated by remote attackers.  This attack can be done
 >   continuously, thus denying encrypted calls during the attack.

 >   https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36

 > - CVE-2021-41157: FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default

 >   By default, SIP requests of the type SUBSCRIBE are not authenticated in
 >   the affected versions of FreeSWITCH.

 >   https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj

 > - CVE-2021-37624: FreeSWITCH does not authenticate SIP MESSAGE requests,
 >   leading to spam and message spoofing

 >   By default, SIP requests of the type MESSAGE (RFC 3428) are not
 >   authenticated in the affected versions of FreeSWITCH.  MESSAGE requests
 >   are relayed to SIP user agents registered with the FreeSWITCH server
 >   without requiring any authentication.  Although this behaviour can be
 >   changed by setting the auth-messages parameter to true, it is not the
 >   default setting.

 >   https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3

 > - CVE-2021-41145: FreeSWITCH susceptible to Denial of Service via SIP flooding

 >   When flooding FreeSWITCH with SIP messages, it was observed that after a
 >   number of seconds the process was killed by the operating system due to
 >   memory exhaustion

 >   https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m

 > - CVE-2021-41158: FreeSWITCH vulnerable to SIP digest leak for configured gateways

 >   An attacker can perform a SIP digest leak attack against FreeSWITCH and
 >   receive the challenge response of a gateway configured on the FreeSWITCH
 >   server.  This is done by challenging FreeSWITCH's SIP requests with the
 >   realm set to that of the gateway, thus forcing FreeSWITCH to respond with
 >   the challenge response which is based on the password of that targeted
 >   gateway.

 >   https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4

 > Release notes:
 > https://github.com/signalwire/freeswitch/releases/tag/v1.10.7

 > Removed patch, upstream applied a different fix:
 > https://github.com/signalwire/freeswitch/commit/e9fde845de5b8885282bf5e70f4be3645c5c3e9b

 > Added optional dependency to libks, needed due to upstream commit
 > https://github.com/signalwire/freeswitch/commit/ed9851666615d283effb76edc7028cc08b07eff9

 > Added upstream patches to fix build errors.

 > Signed-off-by: Bernd Kuhls <bernd.kuhls at t-online.de>
 > [Peter: mention security fixes]
 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2021.02.x and 2021.11.x, thanks.

-- 
Bye, Peter Korsgaard
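The CVE-2021-37624 entry above notes that MESSAGE relaying is only authenticated when the sofia profile sets auth-messages to true. As an added example (not Buildroot or FreeSWITCH code), here is a small audit that parses a sofia profile and reports whether that parameter is set; the sample profiles are constructed, and the assumed layout is the usual profile/settings/param nesting of a sofia profile XML file.

```python
"""Audit a FreeSWITCH sofia profile for the auth-messages setting."""
import xml.etree.ElementTree as ET

# Constructed sample profiles (not taken from any real deployment).
# Assumed layout: <profile><settings><param name=.. value=../></settings></profile>
WEAK_PROFILE = """<profile name="internal">
  <settings>
    <param name="auth-calls" value="true"/>
  </settings>
</profile>"""

HARDENED_PROFILE = """<profile name="internal">
  <settings>
    <param name="auth-calls" value="true"/>
    <param name="auth-messages" value="true"/>
  </settings>
</profile>"""


def param_value(profile_xml: str, name: str):
    """Return the value of the named <param> under <settings>, or None if absent."""
    root = ET.fromstring(profile_xml)
    for param in root.iterfind("./settings/param"):
        if param.get("name") == name:
            return param.get("value")
    return None


def messages_authenticated(profile_xml: str) -> bool:
    """True only when auth-messages is explicitly "true".

    A missing parameter is treated as the insecure default described in the
    advisory: MESSAGE requests relayed without authentication."""
    value = param_value(profile_xml, "auth-messages")
    return value is not None and value.strip().lower() == "true"


def audit(profile_xml: str) -> str:
    """One-line finding for a profile, keyed by its name attribute."""
    name = ET.fromstring(profile_xml).get("name", "?")
    if messages_authenticated(profile_xml):
        return f"profile {name}: SIP MESSAGE requests are authenticated"
    return f"profile {name}: auth-messages not true, MESSAGE relayed unauthenticated"


if __name__ == "__main__":
    print(audit(WEAK_PROFILE))
    print(audit(HARDENED_PROFILE))
```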
