buildroot/package/freeswitch
Bernd Kuhls 829777c1c9 package/freeswitch: security bump version to 1.10.7
Fixes the following security issues:

- CVE-2021-41105: FreeSWITCH susceptible to Denial of Service via invalid
  SRTP packets

  When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls
  can be terminated by remote attackers.  This attack can be done
  continuously, thus denying encrypted calls during the attack.

  https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36

- CVE-2021-41157: FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default

  By default, SIP requests of the type SUBSCRIBE are not authenticated in
  the affected versions of FreeSWITCH.

  https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj

- CVE-2021-37624: FreeSWITCH does not authenticate SIP MESSAGE requests,
  leading to spam and message spoofing

  By default, SIP requests of the type MESSAGE (RFC 3428) are not
  authenticated in the affected versions of FreeSWITCH.  MESSAGE requests
  are relayed to SIP user agents registered with the FreeSWITCH server
  without requiring any authentication.  Although this behaviour can be
  changed by setting the auth-messages parameter to true, it is not the
  default setting.

  https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3

- CVE-2021-41145: FreeSWITCH susceptible to Denial of Service via SIP flooding

  When flooding FreeSWITCH with SIP messages, it was observed that after a
  number of seconds the process was killed by the operating system due to
  memory exhaustion

  https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m

- CVE-2021-41158: FreeSWITCH vulnerable to SIP digest leak for configured gateways

  An attacker can perform a SIP digest leak attack against FreeSWITCH and
  receive the challenge response of a gateway configured on the FreeSWITCH
  server.  This is done by challenging FreeSWITCH's SIP requests with the
  realm set to that of the gateway, thus forcing FreeSWITCH to respond with
  the challenge response which is based on the password of that targeted
  gateway.

  https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4

Release notes:
https://github.com/signalwire/freeswitch/releases/tag/v1.10.7

Removed patch, upstream applied a different fix:
e9fde845de

Added optional dependency to libks, needed due to upstream commit
ed98516666

Added upstream patches to fix build errors.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-01-08 00:26:21 +01:00
..
0001-fix-build-SWITCH_BYTE_ORDER-__BIG_ENDIAN.patch package/freeswitch: security bump version to 1.10.7 2022-01-08 00:26:21 +01:00
0002-core-fix--disable-libyuv.patch package/freeswitch: security bump version to 1.10.7 2022-01-08 00:26:21 +01:00
Config.in
freeswitch.hash package/freeswitch: security bump version to 1.10.7 2022-01-08 00:26:21 +01:00
freeswitch.mk package/freeswitch: security bump version to 1.10.7 2022-01-08 00:26:21 +01:00