CVE-2026-31431 is relevant for services that permit the AF_ALG socket
type. Let's restrict access to expected sockets only.
FTR, current state was:
# systemd-analyze security ngcp-mediator | grep -v '✓' | grep RestrictAddressFamilies
✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
Change-Id: I61377e74cdbbc394e95281b153cdf82c65a7f6e9
* new config option site-id (default: 0). with multi site enabled
it contains the current site id value.
* include site-id into the "Up and running log line".
* extend "insert into stats.call_info to populate the site_id column".
Change-Id: Ieed766356cff8cf8ce26c3e928a71952944c26d0
* new function medmysql_set_session_binlog_format(medmysql_handler *mysql)
that checks current binlog_format and sets it to 'statement' only
if the current format is mixed, as well as writes to the logs
the current format and if the format is changed.
* medmysql_handler_init() use medmysql_set_session_binlog_format().
* always stop mediator with L_CRITICAL if binlog_format cannot be changed,
because with the "binlog admin" privilege there are no errors, nor
warnings regardless of the current global binlog_format.
* that is to address a scenario when mediator
always changes binlog_format to 'statement' (because
with the 'binlog admin' privilege it does not throw an error),
and if the global format is 'row', it causes 'unsafe warnings' spam
in mysql-error.log.
Change-Id: Iaee992cf6e2bdf14095387256483b3a9f8b6f2da
- Update copyright years.
- Update Standards-Version to 4.7.2.
- Remove «Rules-Requires-Root: no» field, which is now the default.
- Remove «Priority: optional» field, which is now the default.
- Remove ancient conffile removal handling.
- Wrap and sort fields.
- Add spaces around operators in make variables.
Change-Id: Ibdcbb41520e5c5fdf4a2f88e5fc062445b90f91a
in case more instances are running, db replication can stop
easily when using ON DUPLICATE KEY statements. this change will try
to set the session binlog_format to make it work reliably.
it requires mariadb server to run "mixed" replication format, plus
the mediator db user to have the "super" privilege.
Change-Id: Id427179fb0e80c972d97251c664308a163eff44a
We ship /lib/systemd/system/mediator.service as symlink pointing
to ngcp-mediator.service, ignore in lintian as reported by
lintian v2.118.1 as present in current Debian/testing AKA trixie.
Fixes:
| E: ngcp-mediator: service-file-is-not-a-file [lib/systemd/system/mediator.service]
Change-Id: Ib27cfddefaeb95f52703f695e938736e91fc9939
New field "header_ppi" is now managed and inserted into
cdr_tag_data mysql table.
This field will store into the aggregated cdr data the
P-Preferred-Identity header of the INVITE.
Change-Id: Ib875976fd7332e80ae100f257c7af701ffe9f661
New added acc data are usually added without strict check of
their presence to avoid that ACC generated before the upgrade
fails and get dropped.
In the code there are some very old cases for upgrades from
mr8.x to mr9.x versions that now are removed.
Change-Id: I295547cd11656adf015a4fe5b6038a792f8cf532
This fixes a bug which incorrectly used strlen(callid) instead of
strlen(esc_callid) to determine the size of the VLA to hold the complete
query string.
Take this opportunity to eliminate the VLA and switch to an allocated
printf string instead.
Change-Id: I4a64d05180832f3471249acf354bec6b5a3ba15e
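
Added example, not code from the mediator repository: it shows why a buffer sized from the raw call-id is too small once the value has been escaped, and the allocate-to-fit alternative the commit message above describes. The query text, the `escape_sql()` stand-in for `mysql_real_escape_string()` and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical query text; the commit message does not show the real one. */
#define Q_PREFIX "SELECT id FROM acc WHERE callid = '"
#define Q_SUFFIX "'"

/* Stand-in for mysql_real_escape_string(): out must hold 2*strlen(in)+1. */
static size_t escape_sql(char *out, const char *in) {
    size_t n = 0;
    for (; *in; in++) {
        if (*in == '\'' || *in == '"' || *in == '\\')
            out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Buffer size derived from the raw call-id, as in the bug described. */
size_t size_from_raw(const char *callid) {
    return strlen(Q_PREFIX) + strlen(callid) + strlen(Q_SUFFIX) + 1;
}

/* Heap-allocated query sized from the formatted result; caller frees. */
char *build_query(const char *callid) {
    char *esc = malloc(2 * strlen(callid) + 1);
    if (!esc) return NULL;
    escape_sql(esc, callid);
    int need = snprintf(NULL, 0, Q_PREFIX "%s" Q_SUFFIX, esc);
    char *q = need < 0 ? NULL : malloc((size_t)need + 1);
    if (q) snprintf(q, (size_t)need + 1, Q_PREFIX "%s" Q_SUFFIX, esc);
    free(esc);
    return q;
}

/* Bytes the finished query really occupies, including the NUL. */
size_t size_needed(const char *callid) {
    char *q = build_query(callid);
    size_t n = q ? strlen(q) + 1 : 0;
    free(q);
    return n;
}

int main(void) {
    const char *callid = "a'b\\c@host";   /* constructed sample */
    printf("raw-based size %zu, needed %zu\n",
           size_from_raw(callid), size_needed(callid));
    return 0;
}
```
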
Using redisCommand directly has the problem that it accepts a format
string as its first argument, which means that if we do not escape that
string, it will try to parse potentially-looking format arguments, which
can end up accessing garbage on the stack and causing either parse
errors, triggering stack protector checks or injecting parsed garbage
from the stack into the resulting formatted string.
Instead we switch to use redisvCommand() and pass explicitly any
values to be formatted as additional variable arguments. We still
duplicate the formatting to be able to report errors and to have a
minimal fix that can be backported, but that part of the code should
be improved to reduce the useless reformatting.
Analyzed-by: Alessio Garzi <agarzi@sipwise.com>
Change-Id: I7ce3d4450cc93df02778120b9c43ff5984624742
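
Added example, not code from the mediator repository: the call shape the commit message above moves to, with a constant format string and the untrusted value passed as a variadic argument. `v_command()` is a `vsnprintf()`-based stand-in for hiredis `redisvCommand()` so the block runs without a Redis server; the key, the `SMEMBERS` command and all function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for hiredis redisvCommand(): only formats, sends nothing. */
static int v_command(char *out, size_t n, const char *fmt, va_list ap) {
    return vsnprintf(out, n, fmt, ap);
}

/* Wrapper in the shape of the fix: constant format, data in the varargs. */
int command(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = v_command(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Lower bound on the arguments a printf-style parser would fetch if s
 * were handed over as the format string itself. */
int conversions_in(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '\0') break;            /* lone trailing '%' */
        if (s[1] == '%') { s++; continue; } /* literal percent */
        n++;
    }
    return n;
}

/* 1 if key reaches the command byte for byte when passed as data. */
int key_preserved(const char *key) {
    char got[256], want[256] = "SMEMBERS ";
    strncat(want, key, sizeof want - strlen(want) - 1);
    command(got, sizeof got, "SMEMBERS %s", key);
    return strcmp(got, want) == 0;
}

int main(void) {
    const char *key = "acc:a%sb%n@host";  /* constructed sample */
    /* Unsafe shape (not executed): command(buf, sizeof buf, key); */
    printf("%d conversions, preserved=%d\n",
           conversions_in(key), key_preserved(key));
    return 0;
}
```
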
If acc is generated with flag acc_dont_clean_suffix don't strip suffix
since the originally generated call was generated with _pbx-1 suffix and
removing it would result in leftovers on redis db.
Change-Id: I0ac2cba7fa625470e6801180e63118b2c3a6daa0
New field "r_ua" is now managed and inserted into
cdr_tag_data mysql table.
This field will store into the aggregated cdr data the user agent
relative to the first 2xx response of an INVITE.
Change-Id: Icf8e80d0d2b63f4b9db006c8a224335989057e86
New field "r_user" is now managed and inserted into
cdr_tag_data mysql table.
This field will store into the aggregated cdr data table the user part
of the RURI relative to the first 2xx response of an INVITE.
Change-Id: Ie61809e9245adfa09c6babb4b3fa328da8c56cbb
To allow mediator to continue to run after an SQL insert failure, retry
the inserts one by one after the bulk insert failed. This makes it
possible to 1) narrow down which row caused the error and make this
clearly visible in the log, and 2) allow for a small number of failed
inserts that can be ignored. The latter is needed to allow for broken
acc records that need to be discarded anyway.
Change-Id: Idf233cac3c05be108abbba061f4661255525c468
Use a queue to keep track of the position of each CDR entry as it is
added into the SQL string. This allows us to inspect each entry
individually if the insert goes wrong.
Change-Id: I2f95e35030c3f55f8ccd3efb3ef20684f301af2e
All `medmysql_str` except CDRs have an associated queue, kept separately
in `medmysql_cdr_batch`. Move it directly into `medmysql_str` to make
things easier.
Change-Id: Idd6d31596e5e121a44c9b7922be66c24e7a43518
New field "hg_ext_response" is now managed and inserted into
cdr_tag_data mysql table.
This field will store into the aggregated cdr data the number
of the extension picking up the call after an HG.
Change-Id: I816eba4a6a227e1a809c2db1ab5ae0665d4c1aa1