[asterisk-bugs] [JIRA] (ASTERISK-24666) Security Vulnerability: RTP not closed after sip call using unsupported codec

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Jan 28 17:20:38 CST 2015


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-24666:
-----------------------------------

           Affects Version/s: 12.8.0
    Target Release Version/s: 12.8.1
                              13.1.1

> Security Vulnerability: RTP not closed after sip call using unsupported codec
> -----------------------------------------------------------------------------
>
>                 Key: ASTERISK-24666
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24666
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_pjsip
>    Affects Versions: 12.8.0, 13.1.0
>         Environment: ubuntu 12.04; pjproject build from asterisk git repo.
>            Reporter: Y Ateya
>            Assignee: Mark Michelson
>            Severity: Critical
>              Labels: Security
>      Target Release: 12.8.1, 13.1.1
>
>         Attachments: pjsip.conf, pjsip_rtp.log.bz2, rtp_cleanup_3.diff, rtp_ports.txt.bz2
>
>
> This is similar to ASTERISK-23721; but on asterisk 13.1.0.
> Attached pjsip.conf
> To reproduce the bug:
>    - Run watch -n1 "netstat -lp | grep aster"
>    - Make a call using sip client (which don't support g729)
>    - You will get messasge "No joint capabilities for 'audio' media stream between our configuration((g729)) and incoming SDP((ulaw|gsm|alaw))"
>    - Check netstat result; you will find 2 RTP ports opened and not closed.
>    - Allow ulaw; make same call from same sip client
>   - ports will be opened for the call duration and then removed after hangup.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list