mirror of https://github.com/asterisk/asterisk
Asterisk Development Team
3 months ago
parent
fed101c707
commit
6d37b56fee
@ -1 +1 @@
|
||||
ChangeLogs/ChangeLog-21.7.0-rc2.md
|
||||
ChangeLogs/ChangeLog-21.7.0.md
|
||||
@ -1,123 +0,0 @@
|
||||
|
||||
## Change Log for Release asterisk-21.7.0-rc2
|
||||
|
||||
### Links:
|
||||
|
||||
- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.7.0-rc2.md)
|
||||
- [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.7.0-rc1...21.7.0-rc2)
|
||||
- [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.7.0-rc2.tar.gz)
|
||||
- [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)
|
||||
|
||||
### Summary:
|
||||
|
||||
- Commits: 3
|
||||
- Commit Authors: 1
|
||||
- Issues Resolved: 2
|
||||
- Security Advisories Resolved: 0
|
||||
|
||||
### User Notes:
|
||||
|
||||
|
||||
### Upgrade Notes:
|
||||
|
||||
- #### alembic: Database updates required.
|
||||
Two commits in this release...
|
||||
'Add SHA-256 and SHA-512-256 as authentication digest algorithms'
|
||||
'res_pjsip: Add new AOR option "qualify_2xx_only"'
|
||||
...have modified alembic scripts for the following database tables: ps_aors,
|
||||
ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update
|
||||
your database, reads from those tables will succeeed but inserts into the
|
||||
ps_contacts table by res_pjsip_registrar will fail.
|
||||
|
||||
|
||||
### Commit Authors:
|
||||
|
||||
- George Joseph: (3)
|
||||
|
||||
## Issue and Commit Detail:
|
||||
|
||||
### Closed Issues:
|
||||
|
||||
- 1095: [bug]: res_pjsip missing "Failed to authenticate" log entry for unknown endpoint
|
||||
- 1097: [bug]: res_pjsip/pjsip_options. ODBC: Unknown column 'qualify_2xx_only'
|
||||
|
||||
### Commits By Author:
|
||||
|
||||
- #### George Joseph (3):
|
||||
- res_pjsip: Fix startup/reload memory leak in config_auth.
|
||||
- alembic: Database updates required.
|
||||
- res_pjsip_authenticator_digest: Make correct error messages appear again.
|
||||
|
||||
|
||||
### Commit List:
|
||||
|
||||
- res_pjsip_authenticator_digest: Make correct error messages appear again.
|
||||
- alembic: Database updates required.
|
||||
- res_pjsip: Fix startup/reload memory leak in config_auth.
|
||||
|
||||
### Commit Details:
|
||||
|
||||
#### res_pjsip_authenticator_digest: Make correct error messages appear again.
|
||||
Author: George Joseph
|
||||
Date: 2025-01-28
|
||||
|
||||
When an incoming request can't be matched to an endpoint, the "artificial"
|
||||
auth object is used to create a challenge to return in a 401 response and we
|
||||
emit a "No matching endpoint found" log message. If the client then responds
|
||||
with an Authorization header but the request still can't be matched to an
|
||||
endpoint, the verification will fail and, as before, we'll create a challenge
|
||||
to return in a 401 response and we emit a "No matching endpoint found" log
|
||||
message. HOWEVER, because there WAS an Authorization header and it failed
|
||||
verification, we should have also been emitting a "Failed to authenticate"
|
||||
log message but weren't because there was a check that short-circuited that
|
||||
it if the artificial auth was used. Since many admins use the "Failed to
|
||||
authenticate" message with log parsers like fail2ban, those attempts were not
|
||||
being recognized as suspicious.
|
||||
|
||||
Changes:
|
||||
|
||||
* digest_check_auth() now always emits the "Failed to authenticate" log
|
||||
message if verification of an Authorization header failed even if the
|
||||
artificial auth was used.
|
||||
|
||||
* The verification logic was refactored to be clearer about the handling
|
||||
of the return codes from verify().
|
||||
|
||||
* Comments were added clarify what return codes digest_check_auth() should
|
||||
return to the distributor and the implications of changing them.
|
||||
|
||||
Resolves: #1095
|
||||
|
||||
#### alembic: Database updates required.
|
||||
Author: George Joseph
|
||||
Date: 2025-01-28
|
||||
|
||||
This commit doesn't actually change anything. It just adds the following
|
||||
upgrade notes that were omitted from the original commits.
|
||||
|
||||
Resolves: #1097
|
||||
|
||||
UpgradeNote: Two commits in this release...
|
||||
'Add SHA-256 and SHA-512-256 as authentication digest algorithms'
|
||||
'res_pjsip: Add new AOR option "qualify_2xx_only"'
|
||||
...have modified alembic scripts for the following database tables: ps_aors,
|
||||
ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update
|
||||
your database, reads from those tables will succeeed but inserts into the
|
||||
ps_contacts table by res_pjsip_registrar will fail.
|
||||
|
||||
#### res_pjsip: Fix startup/reload memory leak in config_auth.
|
||||
Author: George Joseph
|
||||
Date: 2025-01-23
|
||||
|
||||
An issue in config_auth.c:ast_sip_auth_digest_algorithms_vector_init() was
|
||||
causing double allocations for the two supported_algorithms vectors to the
|
||||
tune of 915 bytes. The leak only happens on startup and when a reload is done
|
||||
and doesn't get bigger with the number of auth objects defined.
|
||||
|
||||
* Pre-initialized the two vectors in config_auth:auth_alloc().
|
||||
* Removed the allocations in ast_sip_auth_digest_algorithms_vector_init().
|
||||
* Added a note to the doc for ast_sip_auth_digest_algorithms_vector_init()
|
||||
noting that the vector passed in should be initialized and empty.
|
||||
* Simplified the create_artificial_auth() function in pjsip_distributor.
|
||||
* Set the vector initialization count to 0 in config_global:global_apply().
|
||||
|
||||
Loading…
Reference in new issue