An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP
before 2.7.1. Parsing the numeric header fields in a SIP message (like
cseq, ttl, port, etc.) all had the potential to overflow, either causing
unintended values to be captured or, if the values were subsequently
converted back to strings, a buffer overrun. This will lead to a potential
exploit using carefully crafted invalid values.

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP
before 2.7.1. The ioqueue component may issue a double key unregistration
after an attacker initiates a socket connection with specific settings and
sequences. Such double key unregistration will trigger an integer overflow,
which may cause ioqueue backends to reject future key registrations.

Cherry-Pick https://github.com/pjsip/pjproject/commit/4ab1838 from 2.6 into 2.5.5

Thanks: Joachim Förster
Closes: #881362

Upstream strongly recommends disabling assertions in production builds, see
 * https://trac.pjsip.org/repos/wiki/FAQ#assert
 * https://trac.pjsip.org/repos/wiki/FAQ#cpu

Unfortunately this drops one symbol from libpj2, but since the
only rdep asterisk isn't using it we can get away with it

These have to wait for a SOVERSION bump

The pjproject library does not really try to avoid ABI breakage
in new versions of the library. For Buster this needs to be
properly addressed by doing SONAME bumps if necessary, but
some issues have already crept into the Debian package. We'll
bump the minimum version to force a tighter dependency.

This will mostly affect the dependencies for python-pjproject
from the same source package

Closes: #847014

Richard Mudgett authored Nov 01, 2016 and Bernhard Schmidt committed Nov 10, 2016

Re #1974: Fix DNS write on freed memory.
Thanks to Richard Mudgett for the patch.
Patch-Category: asterisk

Richard Mudgett authored Oct 28, 2016 and Bernhard Schmidt committed Nov 10, 2016

Re #1974: Remove DNS cache entry from resolver's hash table when app callback has a reference.

Thanks to Richard Mudgett for the patch.
Patch-Category: asterisk

Richard Mudgett authored Oct 28, 2016 and Bernhard Schmidt committed Nov 10, 2016

Re #1974:
If there is a pending query, set the return value to that query (instead of NULL)

Thanks to Richard Mudgett for the patch.
Patch-Category: asterisk

Richard Mudgett authored Oct 28, 2016 and Bernhard Schmidt committed Nov 10, 2016

Fixed #1974: Various fixes for DNS IPv6
Patch-Category: asterisk

riza authored Oct 13, 2016 and Bernhard Schmidt committed Nov 10, 2016

 socket.

Patch-Category: asterisk

George Joseph authored Sep 07, 2016 and Bernhard Schmidt committed Nov 10, 2016

A name server that returns "Server Failure" is indicating only that
the server couldn't process that particular request.  We should NOT
assume that the name server is incapable of serving other requests.

Here's the scenario we've been encountering...

* 2 local name servers configured in resolv.conf.
* An OPTIONS request causes a request for A and AAAA records to go out
  to both nameservers.
* The A responses both come back successfully resolved.
* Because of an issue at some upstream nameserver, the AAAA responses
  for that particular query come back as "SERVFAIL" from both local
  name servers.
* Both local servers are marked as bad and no further queries can be
  sent until the 60 second ttl expires.  Only previously cached results
  can be used.
* In this case, 60 seconds is just enough time for another OPTIONS
  request to go out to the same host so the cycle repeats.

We could set the bad ttl really low but that also affects REFUSED and
NOTAUTH which probably DO signal a real server issue.  Besides, even
a really low bad ttl would be an issue on a pbx.
Patch-Category: asterisk

Patch-Category: asterisk

When a transport error occured on an INVITE session
the stack calls on_tsx_state_changed with new state
PJSIP_INV_STATE_DISCONNECTED and immediately destroys
the INVITE session.
At the same time this INVITE session could being processed
on another thread. This thread could use the session's
memory pools which were already freed, so we get segfault.

This patch adds a reference counter and new functions:
pjsip_inv_add_ref and pjsip_inv_dec_ref.
The INVITE session is destroyed only when the reference
counter has reached zero.

To avoid race condition an application should call
pjsip_inv_add_ref/pjsip_inv_dec_ref.

Patch-Category: asterisk

nanang authored Jul 28, 2016 and Bernhard Schmidt committed Nov 10, 2016

 auth session.

Patch-Category: asterisk

This patch fixes the issue in pjsip_tx_data_dec_ref()
when tx_data_destroy can be called more than once,
and checks if invalid value (e.g. NULL) is passed to.

Patch-Category: asterisk

This patch updates array limit checks and docs
in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability().

Patch-Category: asterisk

It is wrong (we're building against libssl1.0-dev), but fixing it would
result in a build-conflict for Asterisk. Temporarily drop it until the
OpenSSL mess is sorted out