[asterisk-bugs] [JIRA] (ASTERISK-29434) Asterisk reveals pjproject version in STUN packets

Jeremy Lainé (JIRA) noreply at issues.asterisk.org
Wed May 19 11:34:17 CDT 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=254935#comment-254935 ] 

Jeremy Lainé commented on ASTERISK-29434:
-----------------------------------------

Thanks for the feedback I'll get working on it. FYI coturn has an config flag for this for similar reasons:

https://github.com/coturn/coturn/blob/d8026372af37f2cdb7a7031d56a83b1066a4bfb6/examples/etc/turnserver.conf#L599

> Asterisk reveals pjproject version in STUN packets
> --------------------------------------------------
>
>                 Key: ASTERISK-29434
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29434
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 16.18.0, 18.4.0
>            Reporter: Jeremy Lainé
>            Assignee: Unassigned
>
> Currently, Asterisk reports the pjproject version in any STUN packets it sends in the form of a SOFTWARE attribute, for example "pjnath-2.10.0". This may not be desirable in a production environment for security reasons.
> In `pj_stun_config_init()`, the software name is initialized to PJNATH_STUN_SOFTWARE_NAME but this can be overriden, or even set to an empty string to not send any SOFTWARE attribute at all.
> I'd be happy to provide a patch, but would appreciate some guidance: do we want to make this configurable, or would removing the SOFTWARE attribute be acceptable?



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list