[asterisk-bugs] [JIRA] (ASTERISK-29434) Asterisk reveals pjproject version in STUN packets

Jeremy Lainé (JIRA) noreply at issues.asterisk.org
Wed May 19 11:20:16 CDT 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=254933#comment-254933 ] 

Jeremy Lainé edited comment on ASTERISK-29434 at 5/19/21 11:19 AM:
-------------------------------------------------------------------

OK, in that case would an option (in rtp.conf / [general] I assume) called "stun_software_attribute" ("yes" by default, "no" allowed) be sufficient or do we expect to be able to customise the string?


was (Author: sharky):
OK, in that case would an option (in rtp.conf / [general] I assume) called "stunsoftwareattribute" ("yes" by default, "no" allowed) be sufficient or do we expect to be able to customise the string?

> Asterisk reveals pjproject version in STUN packets
> --------------------------------------------------
>
>                 Key: ASTERISK-29434
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29434
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 16.18.0, 18.4.0
>            Reporter: Jeremy Lainé
>            Assignee: Unassigned
>
> Currently, Asterisk reports the pjproject version in any STUN packets it sends in the form of a SOFTWARE attribute, for example "pjnath-2.10.0". This may not be desirable in a production environment for security reasons.
> In `pj_stun_config_init()`, the software name is initialized to PJNATH_STUN_SOFTWARE_NAME but this can be overridden, or even set to an empty string to not send any SOFTWARE attribute at all.
> I'd be happy to provide a patch, but would appreciate some guidance: do we want to make this configurable, or would removing the SOFTWARE attribute be acceptable?



--
This message was sent by Atlassian JIRA
(v6.2#6252)


