Importing release summary for 1.8.7.2 release.

git-svn-id: https://origsvn.digium.com/svn/asterisk/tags/1.8.7.2@347579 65c4cc65-6c06-0410-ace0-fbb531ad65f3

.version

@@ -1 +1 @@
-1.8.7.1
+1.8.7.2

CHANGES

@@ -8,6 +8,18 @@
 ===
 ======================================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes since Asterisk 1.8.7.1 -----------------------------
+------------------------------------------------------------------------------
+
+SIP Changes
+-----------
+    * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
+      now defaults to force_rport. It is very important that phones requiring nat=no be
+      specifically set as such instead of relying on the default setting. If at all
+      possible, all devices should have nat settings configured in the general section as
+      opposed to configuring nat per-device.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.2 to Asterisk 1.8 ----------------
 ------------------------------------------------------------------------------

ChangeLog

@@ -1,3 +1,9 @@
+2011-12-08  Asterisk Development Team <asteriskteam@digium.com>
+
+	* Asterisk 1.8.7.2 Released.
+
+	* AST-2011-013, AST-2011-014
+
 2011-10-17  Asterisk Development Team <asteriskteam@digium.com>
 
 	* Asterisk 1.8.7.1 Released.

asterisk-1.8.7.2-summary.html

@@ -1,10 +1,10 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
-<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Release Summary - asterisk-1.8.7.1</title></head>
+<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Release Summary - asterisk-1.8.7.2</title></head>
 <body>
 <h1 align="center"><a name="top">Release Summary</a></h1>
-<h3 align="center">asterisk-1.8.7.1</h3>
-<h3 align="center">Date: 2011-10-17</h3>
+<h3 align="center">asterisk-1.8.7.2</h3>
+<h3 align="center">Date: 2011-12-08</h3>
 <h3 align="center">&lt;asteriskteam@digium.com&gt;</h3>
 <hr/>
 <h2 align="center">Table of Contents</h2>
@@ -17,8 +17,8 @@
 <hr/>
 <a name="summary"><h2 align="center">Summary</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This release has been made to address one or more security vulnerabilities that have been identified.  A security advisory document has been published for each vulnerability that includes additional information.  Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p>
-<p>Security Advisories: <a href="http://downloads.asterisk.org/pub/security/AST-2011-012.html">AST-2011-012</a></p>
-<p>The data in this summary reflects changes that have been made since the previous release, asterisk-1.8.7.0.</p>
+<p>Security Advisories: <a href="http://downloads.asterisk.org/pub/security/AST-2011-013.html">AST-2011-013</a>, <a href="http://downloads.asterisk.org/pub/security/AST-2011-014.html">AST-2011-014</a></p>
+<p>The data in this summary reflects changes that have been made since the previous release, asterisk-1.8.7.1.</p>
 <hr/>
 <a name="contributors"><h2 align="center">Contributors</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release.  For coders, the number is how many of their patches (of any size) were committed into this release.  For testers, the number is the number of times their name was listed as assisting with testing a patch.  Finally, for reporters, the number is the number of issues that they reported that were closed by commits that went into this release.</p>
@@ -30,8 +30,8 @@
 </tr>
 <tr valign="top">
 <td>
-4 qwell<br/>
-1 bebuild<br/>
+3 bebuild<br/>
+3 lmadsen<br/>
 </td>
 <td>
 </td>
@@ -43,22 +43,25 @@
 <a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This is a list of all changes that went into this release that did not directly close an issue from the issue tracker.  The commits may have been marked as being related to an issue.  If that is the case, the issue numbers are listed here, as well.</p>
 <table width="100%" border="1">
-<tr><td><b>Revision</b></td><td><b>Author</b></td><td><b>Summary</b></td><td><b>Issues Referenced</b></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.1?view=revision&revision=341192">341192</a></td><td>qwell</td><td>Create tag for Asterisk 1.8.7.1.</td>
-<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.1?view=revision&revision=341193">341193</a></td><td>qwell</td><td>Update .version and ChangeLog. Remove old summary files.</td>
-<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.1?view=revision&revision=341194">341194</a></td><td>qwell</td><td>Changes for AST-2011-012.</td>
-<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.1?view=revision&revision=341195">341195</a></td><td>bebuild</td><td>Importing release summary for 1.8.7.1 release.</td>
-<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.1?view=revision&revision=341196">341196</a></td><td>qwell</td><td>Remove summary files.  Needs to be recreated.</td>
+<tr><td><b>Revision</b></td><td><b>Author</b></td><td><b>Summary</b></td><td><b>Issues Referenced</b></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.2?view=revision&revision=347529">347529</a></td><td>bebuild</td><td>Create Asterisk 1.8.7.2 from 1.8.7.1</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.2?view=revision&revision=347536">347536</a></td><td>bebuild</td><td>Update .version file.</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.2?view=revision&revision=347537">347537</a></td><td>lmadsen</td><td>Remove existing summary release files.</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.2?view=revision&revision=347538">347538</a></td><td>lmadsen</td><td>Merge changes from revisions #345828, #345829</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.2?view=revision&revision=347548">347548</a></td><td>lmadsen</td><td>Merge revision #347531</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.8.7.2?view=revision&revision=347572">347572</a></td><td>bebuild</td><td>Update ChangeLog</td>
 <td></td></tr></table>
 <hr/>
 <a name="diffstat"><h2 align="center">Diffstat Results</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p>
 <pre>
 .version                      |    2
-ChangeLog                     |    6
-asterisk-1.8.7.0-summary.html |  229 ------------------------
-asterisk-1.8.7.0-summary.txt  |  385 ------------------------------------------
-channels/chan_sip.c           |    4
-5 files changed, 9 insertions(+), 617 deletions(-)
+CHANGES                       |   12 ++++
+ChangeLog                     |    6 ++
+asterisk-1.8.7.1-summary.html |   65 ---------------------------
+asterisk-1.8.7.1-summary.txt  |  101 ------------------------------------------
+channels/chan_sip.c           |   32 ++++++++++---
+configs/sip.conf.sample       |   15 +++---
+7 files changed, 53 insertions(+), 180 deletions(-)
 </pre><br/>
 <hr/>
 </body>

asterisk-1.8.7.2-summary.txt

@@ -1,8 +1,8 @@
                                 Release Summary
 
-                                asterisk-1.8.7.1
+                                asterisk-1.8.7.2
 
-                                Date: 2011-10-17
+                                Date: 2011-12-08
 
                            <asteriskteam@digium.com>
 
@@ -28,10 +28,10 @@
    the advisories and determine what action they should take to protect their
    systems from these issues.
 
-   Security Advisories: AST-2011-012
+   Security Advisories: AST-2011-013, AST-2011-014
 
    The data in this summary reflects changes that have been made since the
-   previous release, asterisk-1.8.7.0.
+   previous release, asterisk-1.8.7.1.
 
      ----------------------------------------------------------------------
 
@@ -49,8 +49,8 @@
    release.
 
      Coders                   Testers                  Reporters              
-   4 qwell                  
-   1 bebuild                
+   3 bebuild                
+   3 lmadsen                
 
      ----------------------------------------------------------------------
 
@@ -66,20 +66,20 @@
    +------------------------------------------------------------------------+
    | Revision | Author  | Summary                       | Issues Referenced |
    |----------+---------+-------------------------------+-------------------|
-   | 341192   | qwell   | Create tag for Asterisk       |                   |
-   |          |         | 1.8.7.1.                      |                   |
+   | 347529   | bebuild | Create Asterisk 1.8.7.2 from  |                   |
+   |          |         | 1.8.7.1                       |                   |
    |----------+---------+-------------------------------+-------------------|
-   |          |         | Update .version and           |                   |
-   | 341193   | qwell   | ChangeLog. Remove old summary |                   |
-   |          |         | files.                        |                   |
+   | 347536   | bebuild | Update .version file.         |                   |
    |----------+---------+-------------------------------+-------------------|
-   | 341194   | qwell   | Changes for AST-2011-012.     |                   |
+   | 347537   | lmadsen | Remove existing summary       |                   |
+   |          |         | release files.                |                   |
    |----------+---------+-------------------------------+-------------------|
-   | 341195   | bebuild | Importing release summary for |                   |
-   |          |         | 1.8.7.1 release.              |                   |
+   | 347538   | lmadsen | Merge changes from revisions  |                   |
+   |          |         | #345828, #345829              |                   |
    |----------+---------+-------------------------------+-------------------|
-   | 341196   | qwell   | Remove summary files. Needs   |                   |
-   |          |         | to be recreated.              |                   |
+   | 347548   | lmadsen | Merge revision #347531        |                   |
+   |----------+---------+-------------------------------+-------------------|
+   | 347572   | bebuild | Update ChangeLog              |                   |
    +------------------------------------------------------------------------+
 
      ----------------------------------------------------------------------
@@ -92,10 +92,12 @@
    release that was generated using the diffstat utility.
 
  .version                      |    2
- ChangeLog                     |    6
- asterisk-1.8.7.0-summary.html |  229 ------------------------
- asterisk-1.8.7.0-summary.txt  |  385 ------------------------------------------
- channels/chan_sip.c           |    4
- 5 files changed, 9 insertions(+), 617 deletions(-)
+ CHANGES                       |   12 ++++
+ ChangeLog                     |    6 ++
+ asterisk-1.8.7.1-summary.html |   65 ---------------------------
+ asterisk-1.8.7.1-summary.txt  |  101 ------------------------------------------
+ channels/chan_sip.c           |   32 ++++++++++---
+ configs/sip.conf.sample       |   15 +++---
+ 7 files changed, 53 insertions(+), 180 deletions(-)
 
      ----------------------------------------------------------------------

channels/chan_sip.c

@@ -18286,11 +18286,18 @@ static void handle_request_info(struct sip_pvt *p, struct sip_request *req)
 			per device. I don't want incoming callers to record calls in my
 			pbx.
 		*/
-		/* first, get the feature string, if it exists */
+		
 		struct ast_call_feature *feat;
 		int j;
 		struct ast_frame f = { AST_FRAME_DTMF, };
 
+		if (!p->owner) {        /* not a PBX call */
+			transmit_response(p, "481 Call leg/transaction does not exist", req);
+			sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+			return;
+		}
+
+		/* first, get the feature string, if it exists */
 		ast_rdlock_call_features();
 		feat = ast_find_call_feature("automon");
 		if (!feat || ast_strlen_zero(feat->exten)) {
@@ -26075,12 +26082,11 @@ static int handle_common_options(struct ast_flags *flags, struct ast_flags *mask
 		}
 	} else if (!strcasecmp(v->name, "nat")) {
 		ast_set_flag(&mask[0], SIP_NAT_FORCE_RPORT);
+		ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT); /* Default to "force_rport" */
 		if (!strcasecmp(v->value, "no")) {
 			ast_clear_flag(&flags[0], SIP_NAT_FORCE_RPORT);
-		} else if (!strcasecmp(v->value, "force_rport")) {
-			ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
 		} else if (!strcasecmp(v->value, "yes")) {
-			ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
+			/* We've already defaulted to force_rport */
 			ast_set_flag(&mask[1], SIP_PAGE2_SYMMETRICRTP);
 			ast_set_flag(&flags[1], SIP_PAGE2_SYMMETRICRTP);
 		} else if (!strcasecmp(v->value, "comedia")) {
@@ -27182,6 +27188,18 @@ static int peer_markall_func(void *device, void *arg, int flags)
 	return 0;
 }
 
+static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
+	int global_nat, specific_nat;
+
+	if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
+		ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the  global setting can make\n");
+		ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
+		ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
+		ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
+		ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
+	}
+}
+
 /*! \brief Re-read SIP.conf config file
 \note	This function reloads all config data, except for
 	active peers (with registrations). They will only
@@ -27404,8 +27422,9 @@ static int reload_config(enum channelreloadreason reason)
 	ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
 	ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
 	ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
-	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833);			/*!< Default DTMF setting: RFC2833 */
-	ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA);			/*!< Allow re-invites */
+	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833);    /*!< Default DTMF setting: RFC2833 */
+	ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA);    /*!< Allow re-invites */
+	ast_set_flag(&global_flags[0], SIP_NAT_FORCE_RPORT); /*!< Default to nat=force_rport */
 	ast_copy_string(default_engine, DEFAULT_ENGINE, sizeof(default_engine));
 	ast_copy_string(default_parkinglot, DEFAULT_PARKINGLOT, sizeof(default_parkinglot));
 
@@ -28174,6 +28193,7 @@ static int reload_config(enum channelreloadreason reason)
 			}
 			peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
 			if (peer) {
+				display_nat_warning(cat, reason, &peer->flags[0]);
 				ao2_t_link(peers, peer, "link peer into peers table");
 				if ((peer->type & SIP_TYPE_PEER) && !ast_sockaddr_isnull(&peer->addr)) {
 					ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");

configs/sip.conf.sample

@@ -803,6 +803,14 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ; for their media streams is not actual port number that will be used on the nearer
 ; side of the NAT.
 ;
+; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
+; the nat setting in a peer definition, then the peer username will be discoverable
+; by outside parties as Asterisk will respond to different ports for defined and
+; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
+; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
+; other, then valid users with settings differing from those in the general section will
+; be discoverable.
+;
 ; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by
 ; RFC 4961; Asterisk will always send RTP packets from the same port number it expects
 ; to receive them on.
@@ -1189,12 +1197,10 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
         type=friend
 
 [natted-phone](!,basic-options)   ; another template inheriting basic-options
-        nat=yes
         directmedia=no
         host=dynamic
 
 [public-phone](!,basic-options)   ; another template inheriting basic-options
-        nat=no
         directmedia=yes
 
 [my-codecs](!)                    ; a template for my preferred codecs
@@ -1229,7 +1235,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
                                  ; on incoming calls to Asterisk
 ;host=192.168.0.23               ; we have a static but private IP address
                                  ; No registration allowed
-;nat=no                          ; there is not NAT between phone and Asterisk
 ;directmedia=yes                 ; allow RTP voice traffic to bypass Asterisk
 ;dtmfmode=info                   ; either RFC2833 or INFO for the BudgeTone
 ;call-limit=1                    ; permit only 1 outgoing call and 1 incoming call at a time
@@ -1259,7 +1264,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;regexten=1234                   ; When they register, create extension 1234
 ;callerid="Jane Smith" <5678>
 ;host=dynamic                    ; This device needs to register
-;nat=yes                         ; X-Lite is behind a NAT router
 ;directmedia=no                  ; Typically set to NO if behind NAT
 ;disallow=all
 ;allow=gsm                       ; GSM consumes far less bandwidth than ulaw
@@ -1333,9 +1337,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;type=friend
 ;secret=blah
 ;qualify=200                     ; Qualify peer is no more than 200ms away
-;nat=yes                         ; This phone may be natted
-                                 ; Send SIP and RTP to the IP address that packet is
-                                 ; received from instead of trusting SIP headers
 ;host=dynamic                    ; This device registers with us
 ;directmedia=no                  ; Asterisk by default tries to redirect the
                                  ; RTP media stream (audio) to go directly from