[asterisk-bugs] [JIRA] (ASTERISK-29434) Asterisk reveals pjproject version in STUN packets
Jeremy Lainé (JIRA)
noreply at issues.asterisk.org
Wed May 19 11:34:17 CDT 2021
[ https://issues.asterisk.org/jira/browse/ASTERISK-29434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=254935#comment-254935 ]
Jeremy Lainé commented on ASTERISK-29434:
-----------------------------------------
Thanks for the feedback, I'll get working on it. FYI, coturn has a config flag for this for similar reasons:
https://github.com/coturn/coturn/blob/d8026372af37f2cdb7a7031d56a83b1066a4bfb6/examples/etc/turnserver.conf#L599
> Asterisk reveals pjproject version in STUN packets
> --------------------------------------------------
>
> Key: ASTERISK-29434
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29434
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: Resources/res_rtp_asterisk
> Affects Versions: 16.18.0, 18.4.0
> Reporter: Jeremy Lainé
> Assignee: Unassigned
>
> Currently, Asterisk reports the pjproject version in any STUN packets it sends in the form of a SOFTWARE attribute, for example "pjnath-2.10.0". This may not be desirable in a production environment for security reasons.
> In `pj_stun_config_init()`, the software name is initialized to PJNATH_STUN_SOFTWARE_NAME but this can be overridden, or even set to an empty string to not send any SOFTWARE attribute at all.
> I'd be happy to provide a patch, but would appreciate some guidance: do we want to make this configurable, or would removing the SOFTWARE attribute be acceptable?
--
This message was sent by Atlassian JIRA
(v6.2#6252)
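
Added example, not part of the original message and not Asterisk or pjproject code: a check that parses a captured STUN packet and reports whether it still carries a SOFTWARE attribute such as the "pjnath-2.10.0" value quoted in the issue, which is one way to verify the change once the attribute is removed or overridden. The function names and both sample packets are constructed for illustration; the header layout and attribute type 0x8022 follow RFC 5389.

```python
import re
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value in every RFC 5389 STUN header
ATTR_SOFTWARE = 0x8022     # SOFTWARE attribute type

def build_stun(msg_type, attrs, txid=b"\x01" * 12):
    """Assemble a STUN message; used here only to construct sample input."""
    body = b""
    for atype, value in attrs:
        pad = b"\x00" * (-len(value) % 4)  # values are padded to 4 bytes
        body += struct.pack("!HH", atype, len(value)) + value + pad
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body

def stun_software(packet):
    """Return the SOFTWARE string in a STUN packet, or None if it has none."""
    if len(packet) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN message")
    if length % 4 or 20 + length != len(packet):
        raise ValueError("bad message length")
    off = 20
    while off < len(packet):
        atype, alen = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        if off + alen > len(packet):
            raise ValueError("attribute overruns message")
        if atype == ATTR_SOFTWARE:
            return packet[off:off + alen].decode("utf-8", "replace")
        off += alen + (-alen % 4)  # skip value plus padding
    return None

def discloses_version(software):
    """True if a SOFTWARE value contains something shaped like a version."""
    return bool(software and re.search(r"\d+\.\d+", software))

# Constructed Binding success responses (type 0x0101); 0x0020 is
# XOR-MAPPED-ADDRESS with made-up contents.
XOR_ADDR = (0x0020, bytes.fromhex("0001a147e112a643"))
WITH_SOFTWARE = build_stun(0x0101, [XOR_ADDR, (ATTR_SOFTWARE, b"pjnath-2.10.0")])
WITHOUT_SOFTWARE = build_stun(0x0101, [XOR_ADDR])

if __name__ == "__main__":
    for name, pkt in (("with", WITH_SOFTWARE), ("without", WITHOUT_SOFTWARE)):
        sw = stun_software(pkt)
        print(name, repr(sw), "discloses version:", discloses_version(sw))
```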