kumquat-buildroot/package/freeswitch/freeswitch.hash

13 lines
1.1 KiB
Plaintext
Raw Normal View History

package/freeswitch: security bump version to 1.10.7 Fixes the following security issues: - CVE-2021-41105: FreeSWITCH susceptible to Denial of Service via invalid SRTP packets When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack. https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36 - CVE-2021-41157: FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default By default, SIP requests of the type SUBSCRIBE are not authenticated in the affected versions of FreeSWITCH. https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj - CVE-2021-37624: FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the auth-messages parameter to true, it is not the default setting. https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3 - CVE-2021-41145: FreeSWITCH susceptible to Denial of Service via SIP flooding When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m - CVE-2021-41158: FreeSWITCH vulnerable to SIP digest leak for configured gateways An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4 Release notes: https://github.com/signalwire/freeswitch/releases/tag/v1.10.7 Removed patch, upstream applied a different fix: https://github.com/signalwire/freeswitch/commit/e9fde845de5b8885282bf5e70f4be3645c5c3e9b Added optional dependency to libks, needed due to upstream commit https://github.com/signalwire/freeswitch/commit/ed9851666615d283effb76edc7028cc08b07eff9 Added upstream patches to fix build errors. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> [Peter: mention security fixes] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-11-06 12:11:45 +01:00
# From https://files.freeswitch.org/freeswitch-releases/freeswitch-1.10.7.-release.tar.xz.sha256
sha256 0919bddc2ea9cab2e4944314e71637bea9dd4f40d510722a74ea032104594c41 freeswitch-1.10.7.-release.tar.xz
# Locally computed
sha256 75c933202f40939cdc3827fce20a1efdaa38291e2b5a65d234eb16e2cffda66a COPYING
sha256 c3e3388768dae8bf4edcc4108f95be815b8a05c0b0aef6e4c3d8df81affdfa34 docs/OPENH264_BINARY_LICENSE.txt
sha256 e8e26b16da14aa3e6ed5c22c705fdc1f45d6225fca461ea9f7314bcdfdc414c4 libs/apr/LICENSE
sha256 1eefb2ea1db0af7729a9d8a27d7c65d8a37ab185393f935b029aac6828ce315a libs/apr-util/LICENSE
sha256 8267348d5af1262c11d1a08de2f5afc77457755f1ac658627dd9acf71011d615 libs/libvpx/LICENSE
sha256 2b2cc1180c7e6988328ad2033b04b80117419db9c4c584918bbb3cfec7e9364f libs/libyuv/LICENSE
sha256 7d72a8aee2c4b1a084200487992a5d86f5df6b535727a14c1874918e99d24600 libs/libzrtp/src/zrtp_legal.c
sha256 8e19d42a1eec9561f3f347253ddf2e385c55f392f025bb0fd41b88dbf38db5ae libs/srtp/LICENSE
sha256 ab00a482b6a3902e40211b43c5d0441962ea99b6cc7c25c0f243fa270b78d482 src/mod/codecs/mod_isac/LICENSE