diff --git a/.version b/.version index 794b170ce2..ff1c240384 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -21.7.0-rc2 +21.7.0 diff --git a/CHANGES.md b/CHANGES.md index 0f9422fa94..2125910f7c 120000 --- a/CHANGES.md +++ b/CHANGES.md @@ -1 +1 @@ -ChangeLogs/ChangeLog-21.7.0-rc2.md \ No newline at end of file +ChangeLogs/ChangeLog-21.7.0.md \ No newline at end of file diff --git a/ChangeLogs/ChangeLog-21.7.0-rc2.md b/ChangeLogs/ChangeLog-21.7.0-rc2.md deleted file mode 100644 index c845c89598..0000000000 --- a/ChangeLogs/ChangeLog-21.7.0-rc2.md +++ /dev/null 
@@ -1,123 +0,0 @@ - -## Change Log for Release asterisk-21.7.0-rc2 - -### Links: - - - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.7.0-rc2.md) - - [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.7.0-rc1...21.7.0-rc2) - - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.7.0-rc2.tar.gz) - - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk) - -### Summary: - -- Commits: 3 -- Commit Authors: 1 -- Issues Resolved: 2 -- Security Advisories Resolved: 0 - -### User Notes: - - -### Upgrade Notes: - -- #### alembic: Database updates required. - Two commits in this release... - 'Add SHA-256 and SHA-512-256 as authentication digest algorithms' - 'res_pjsip: Add new AOR option "qualify_2xx_only"' - ...have modified alembic scripts for the following database tables: ps_aors, - ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update - your database, reads from those tables will succeeed but inserts into the - ps_contacts table by res_pjsip_registrar will fail. - - -### Commit Authors: - -- George Joseph: (3) - -## Issue and Commit Detail: - -### Closed Issues: - - - 1095: [bug]: res_pjsip missing "Failed to authenticate" log entry for unknown endpoint - - 1097: [bug]: res_pjsip/pjsip_options. ODBC: Unknown column 'qualify_2xx_only' - -### Commits By Author: - -- #### George Joseph (3): - - res_pjsip: Fix startup/reload memory leak in config_auth. - - alembic: Database updates required. - - res_pjsip_authenticator_digest: Make correct error messages appear again. - - -### Commit List: - -- res_pjsip_authenticator_digest: Make correct error messages appear again. -- alembic: Database updates required. -- res_pjsip: Fix startup/reload memory leak in config_auth. - -### Commit Details: - -#### res_pjsip_authenticator_digest: Make correct error messages appear again. 
- Author: George Joseph - Date: 2025-01-28 - - When an incoming request can't be matched to an endpoint, the "artificial" - auth object is used to create a challenge to return in a 401 response and we - emit a "No matching endpoint found" log message. If the client then responds - with an Authorization header but the request still can't be matched to an - endpoint, the verification will fail and, as before, we'll create a challenge - to return in a 401 response and we emit a "No matching endpoint found" log - message. HOWEVER, because there WAS an Authorization header and it failed - verification, we should have also been emitting a "Failed to authenticate" - log message but weren't because there was a check that short-circuited that - it if the artificial auth was used. Since many admins use the "Failed to - authenticate" message with log parsers like fail2ban, those attempts were not - being recognized as suspicious. - - Changes: - - * digest_check_auth() now always emits the "Failed to authenticate" log - message if verification of an Authorization header failed even if the - artificial auth was used. - - * The verification logic was refactored to be clearer about the handling - of the return codes from verify(). - - * Comments were added clarify what return codes digest_check_auth() should - return to the distributor and the implications of changing them. - - Resolves: #1095 - -#### alembic: Database updates required. - Author: George Joseph - Date: 2025-01-28 - - This commit doesn't actually change anything. It just adds the following - upgrade notes that were omitted from the original commits. - - Resolves: #1097 - - UpgradeNote: Two commits in this release... - 'Add SHA-256 and SHA-512-256 as authentication digest algorithms' - 'res_pjsip: Add new AOR option "qualify_2xx_only"' - ...have modified alembic scripts for the following database tables: ps_aors, - ps_contacts, ps_auths, ps_globals. 
If you don't use the scripts to update - your database, reads from those tables will succeeed but inserts into the - ps_contacts table by res_pjsip_registrar will fail. - -#### res_pjsip: Fix startup/reload memory leak in config_auth. - Author: George Joseph - Date: 2025-01-23 - - An issue in config_auth.c:ast_sip_auth_digest_algorithms_vector_init() was - causing double allocations for the two supported_algorithms vectors to the - tune of 915 bytes. The leak only happens on startup and when a reload is done - and doesn't get bigger with the number of auth objects defined. - - * Pre-initialized the two vectors in config_auth:auth_alloc(). - * Removed the allocations in ast_sip_auth_digest_algorithms_vector_init(). - * Added a note to the doc for ast_sip_auth_digest_algorithms_vector_init() - noting that the vector passed in should be initialized and empty. - * Simplified the create_artificial_auth() function in pjsip_distributor. - * Set the vector initialization count to 0 in config_global:global_apply(). - diff --git a/ChangeLogs/ChangeLog-21.7.0-rc1.md b/ChangeLogs/ChangeLog-21.7.0.md similarity index 90% rename from ChangeLogs/ChangeLog-21.7.0-rc1.md rename to ChangeLogs/ChangeLog-21.7.0.md index 63ce8bfaba..c0019f1668 100644 --- a/ChangeLogs/ChangeLog-21.7.0-rc1.md +++ b/ChangeLogs/ChangeLog-21.7.0.md 
@@ -1,18 +1,18 @@ -## Change Log for Release asterisk-21.7.0-rc1 +## Change Log for Release asterisk-21.7.0 ### Links: - - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.7.0-rc1.md) - - [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.6.1...21.7.0-rc1) - - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.7.0-rc1.tar.gz) + - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.7.0.md) + - [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.6.1...21.7.0) + - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.7.0.tar.gz) - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk) ### Summary: -- Commits: 50 +- Commits: 53 - Commit Authors: 20 -- Issues Resolved: 17 +- Issues Resolved: 19 - Security Advisories Resolved: 0 ### User Notes: @@ -61,6 +61,15 @@ ### Upgrade Notes: +- #### alembic: Database updates required. + Two commits in this release... + 'Add SHA-256 and SHA-512-256 as authentication digest algorithms' + 'res_pjsip: Add new AOR option "qualify_2xx_only"' + ...have modified alembic scripts for the following database tables: ps_aors, + ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update + your database, reads from those tables will succeeed but inserts into the + ps_contacts table by res_pjsip_registrar will fail. + ### Commit Authors: @@ -69,7 +78,7 @@ - Alexey Vasilyev: (1) - Allan Nathanson: (2) - Artem Umerov: (1) -- George Joseph: (14) +- George Joseph: (17) - Jaco Kroon: (1) - James Terhune: (1) - Joshua C. Colp: (1) 
@@ -106,6 +115,8 @@ - 1058: [bug]: Asterisk fails to compile following commit 71a2e8c on Ubuntu 20.04 - 1064: [improvement]: ast_tls_script: Add option to skip passphrase for CA private key - 1075: [bug]: res_prometheus does not set Content-Type header in HTTP response + - 1095: [bug]: res_pjsip missing "Failed to authenticate" log entry for unknown endpoint + - 1097: [bug]: res_pjsip/pjsip_options. ODBC: Unknown column 'qualify_2xx_only' ### Commits By Author: @@ -127,7 +138,7 @@ - #### Artem Umerov (1): - logger.h: Fix build when AST_DEVMODE is not defined. -- #### George Joseph (14): +- #### George Joseph (17): - res_stir_shaken: Allow sending Identity headers for unknown TNs - Allow C++ source files (as extension .cc) in the main directory - Add ability to pass arguments to unit tests from the CLI @@ -142,6 +153,9 @@ - README.md, asterisk.c: Update Copyright Dates - docs: Add version information to manager event instance XML elements - docs: Add version information to application and function XML elements + - res_pjsip: Fix startup/reload memory leak in config_auth. + - alembic: Database updates required. + - res_pjsip_authenticator_digest: Make correct error messages appear again. - #### Jaco Kroon (1): - res_odbc: release threads from potential starvation. @@ -202,6 +216,9 @@ ### Commit List: +- res_pjsip_authenticator_digest: Make correct error messages appear again. +- alembic: Database updates required. +- res_pjsip: Fix startup/reload memory leak in config_auth. - docs: Add version information to application and function XML elements - docs: Add version information to manager event instance XML elements - LICENSE: Update company name, email, and address. 
@@ -251,6 +268,70 @@ ### Commit Details: +#### res_pjsip_authenticator_digest: Make correct error messages appear again. + Author: George Joseph + Date: 2025-01-28 + + When an incoming request can't be matched to an endpoint, the "artificial" + auth object is used to create a challenge to return in a 401 response and we + emit a "No matching endpoint found" log message. If the client then responds + with an Authorization header but the request still can't be matched to an + endpoint, the verification will fail and, as before, we'll create a challenge + to return in a 401 response and we emit a "No matching endpoint found" log + message. HOWEVER, because there WAS an Authorization header and it failed + verification, we should have also been emitting a "Failed to authenticate" + log message but weren't because there was a check that short-circuited that + it if the artificial auth was used. Since many admins use the "Failed to + authenticate" message with log parsers like fail2ban, those attempts were not + being recognized as suspicious. + + Changes: + + * digest_check_auth() now always emits the "Failed to authenticate" log + message if verification of an Authorization header failed even if the + artificial auth was used. + + * The verification logic was refactored to be clearer about the handling + of the return codes from verify(). + + * Comments were added clarify what return codes digest_check_auth() should + return to the distributor and the implications of changing them. + + Resolves: #1095 + +#### alembic: Database updates required. + Author: George Joseph + Date: 2025-01-28 + + This commit doesn't actually change anything. It just adds the following + upgrade notes that were omitted from the original commits. + + Resolves: #1097 + + UpgradeNote: Two commits in this release... 
+ 'Add SHA-256 and SHA-512-256 as authentication digest algorithms' + 'res_pjsip: Add new AOR option "qualify_2xx_only"' + ...have modified alembic scripts for the following database tables: ps_aors, + ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update + your database, reads from those tables will succeeed but inserts into the + ps_contacts table by res_pjsip_registrar will fail. + +#### res_pjsip: Fix startup/reload memory leak in config_auth. + Author: George Joseph + Date: 2025-01-23 + + An issue in config_auth.c:ast_sip_auth_digest_algorithms_vector_init() was + causing double allocations for the two supported_algorithms vectors to the + tune of 915 bytes. The leak only happens on startup and when a reload is done + and doesn't get bigger with the number of auth objects defined. + + * Pre-initialized the two vectors in config_auth:auth_alloc(). + * Removed the allocations in ast_sip_auth_digest_algorithms_vector_init(). + * Added a note to the doc for ast_sip_auth_digest_algorithms_vector_init() + noting that the vector passed in should be initialized and empty. + * Simplified the create_artificial_auth() function in pjsip_distributor. + * Set the vector initialization count to 0 in config_global:global_apply(). + #### docs: Add version information to application and function XML elements Author: George Joseph Date: 2025-01-23
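Review bot: In the ChangeLogs/ChangeLog-21.7.0.md hunk at `@@ -61,6 +61,15 @@`, the added upgrade note misspells "succeed" as "succeeed" in the line "your database, reads from those tables will succeeed but inserts into the". The same spelling appears in the UpgradeNote text of the "alembic: Database updates required." entry under Commit Details, so correct it in both places. The note names the affected tables (ps_aors, ps_contacts, ps_auths, ps_globals) and the failure mode (inserts into ps_contacts by res_pjsip_registrar fail), but it only identifies the two source commits by title. Consider also saying which alembic scripts have to be run, so that someone reading only the Upgrade Notes section can act on it without going to the commits.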
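Review bot: In the Commit Details hunk at `@@ -251,6 +268,70 @@`, the "res_pjsip_authenticator_digest: Make correct error messages appear again." entry describes a change in log output that fail2ban-style parsers depend on, yet this diff adds no User Notes entry for it and the only note added is the alembic upgrade note. Per the entry's own text, requests that carried an Authorization header, failed verification and could not be matched to an endpoint were not producing the "Failed to authenticate" message, so "those attempts were not being recognized as suspicious". Consider adding a short user note saying that this message is now emitted in that case even when the artificial auth was used, so admins know that filters keyed on it will start matching those attempts after the upgrade. Two wording nits in the same entry: "a check that short-circuited that it if the artificial auth was used" has a stray "it", and "Comments were added clarify" is missing "to".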