Version in base suite: 16.28.0~dfsg-0+deb11u3 Base version: asterisk_16.28.0~dfsg-0+deb11u3 Target version: asterisk_16.28.0~dfsg-0+deb11u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/asterisk/asterisk_16.28.0~dfsg-0+deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/asterisk/asterisk_16.28.0~dfsg-0+deb11u4.dsc /srv/release.debian.org/tmp/uxWnR_xOVo/asterisk-16.28.0~dfsg/debian/pjproject_2.12.1~dfsg.orig.tar.bz2 |binary /srv/release.debian.org/tmp/uxWnR_xOVo/asterisk-16.28.0~dfsg/debian/pjproject_2.13.1~dfsg.orig.tar.bz2 |binary asterisk-16.28.0~dfsg/debian/changelog | 34 asterisk-16.28.0~dfsg/debian/patches/CVE-2023-37457.patch | 31 asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49294.patch | 83 + asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49786.patch | 76 + asterisk-16.28.0~dfsg/debian/patches/pjproject-2.13.1.patch | 682 ++++++++++ asterisk-16.28.0~dfsg/debian/patches/series | 4 asterisk-16.28.0~dfsg/debian/rules | 2 asterisk-16.28.0~dfsg/debian/source/include-binaries | 2 10 files changed, 912 insertions(+), 2 deletions(-) diff -Nru asterisk-16.28.0~dfsg/debian/changelog asterisk-16.28.0~dfsg/debian/changelog --- asterisk-16.28.0~dfsg/debian/changelog 2023-06-22 12:47:22.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/changelog 2024-01-04 17:58:50.000000000 +0000 @@ -1,3 +1,37 @@ +asterisk (1:16.28.0~dfsg-0+deb11u4) bullseye-security; urgency=high + + * Non-maintainer upload. + * Fix CVE-2023-37457: + The 'update' functionality of the PJSIP_HEADER dialplan function can exceed + the available buffer space for storing the new value of a header. By doing + so this can overwrite memory or cause a crash. This is not externally + exploitable, unless dialplan is explicitly written to update a header based + on data from an outside source. If the 'update' functionality is not used + the vulnerability does not occur. + * Fix CVE-2023-38703: + PJSIP is a free and open source multimedia communication library written in + C with high level API in C, C++, Java, C#, and Python languages. SRTP is a + higher level media transport which is stacked upon a lower level media + transport such as UDP and ICE. Currently a higher level transport is not + synchronized with its lower level transport that may introduce a + use-after-free issue. This vulnerability affects applications that have + SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media + transport other than UDP. This vulnerability’s impact may range from + unexpected application termination to control flow hijack/memory + corruption. + * Fix CVE-2023-49294: + It is possible to read any arbitrary file even when the `live_dangerously` + option is not enabled. + * Fix CVE-2023-49786: + Asterisk is susceptible to a DoS due to a race condition in the hello + handshake phase of the DTLS protocol when handling DTLS-SRTP for media + setup. This attack can be done continuously, thus denying new DTLS-SRTP + encrypted calls during the attack. Abuse of this vulnerability may lead to + a massive Denial of Service on vulnerable Asterisk servers for calls that + rely on DTLS-SRTP. + + -- Markus Koschany Thu, 04 Jan 2024 18:58:50 +0100 + asterisk (1:16.28.0~dfsg-0+deb11u3) bullseye-security; urgency=high * Non-maintainer upload. diff -Nru asterisk-16.28.0~dfsg/debian/patches/CVE-2023-37457.patch asterisk-16.28.0~dfsg/debian/patches/CVE-2023-37457.patch --- asterisk-16.28.0~dfsg/debian/patches/CVE-2023-37457.patch 1970-01-01 00:00:00.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/patches/CVE-2023-37457.patch 2024-01-04 17:58:50.000000000 +0000 @@ -0,0 +1,31 @@ +From: Markus Koschany +Date: Sat, 23 Dec 2023 19:57:57 +0100 +Subject: CVE-2023-37457 + +Bug-Debian: https://bugs.debian.org/1059303 +Origin: https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa +--- + res/res_pjsip_header_funcs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/res/res_pjsip_header_funcs.c b/res/res_pjsip_header_funcs.c +index cca2b78..977f18f 100644 +--- a/res/res_pjsip_header_funcs.c ++++ b/res/res_pjsip_header_funcs.c +@@ -624,6 +624,7 @@ static int add_header(void *obj) + static int update_header(void *obj) + { + struct header_data *data = obj; ++ pj_pool_t *pool = data->channel->session->inv_session->dlg->pool; + pjsip_hdr *hdr = NULL; + RAII_VAR(struct ast_datastore *, datastore, + ast_sip_session_get_datastore(data->channel->session, data->header_datastore->type), +@@ -642,7 +643,7 @@ static int update_header(void *obj) + return -1; + } + +- pj_strcpy2(&((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value); ++ pj_strdup2(pool, &((pjsip_generic_string_hdr *) hdr)->hvalue, data->header_value); + + return 0; + } diff -Nru asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49294.patch asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49294.patch --- asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49294.patch 1970-01-01 00:00:00.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49294.patch 2024-01-04 17:58:50.000000000 +0000 @@ -0,0 +1,83 @@ +From: Markus Koschany +Date: Sat, 23 Dec 2023 20:03:54 +0100 +Subject: CVE-2023-49294 + +Bug-Debian: https://bugs.debian.org/1059032 +Origin: https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5 +--- + main/manager.c | 42 +++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 39 insertions(+), 3 deletions(-) + +diff --git a/main/manager.c b/main/manager.c +index 07c034a..44d5b37 100644 +--- a/main/manager.c ++++ b/main/manager.c +@@ -3643,12 +3643,43 @@ void astman_live_dangerously(int new_live_dangerously) + live_dangerously = new_live_dangerously; + } + ++/** ++ * \brief Check if a file is restricted or not ++ * ++ * \return 0 on success ++ * \return 1 on restricted file ++ * \return -1 on failure ++ */ + static int restrictedFile(const char *filename) + { +- if (!live_dangerously && !strncasecmp(filename, "/", 1) && +- strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) { ++ char *stripped_filename; ++ RAII_VAR(char *, path, NULL, ast_free); ++ RAII_VAR(char *, real_path, NULL, ast_free); ++ ++ if (live_dangerously) { ++ return 0; ++ } ++ ++ stripped_filename = ast_strip(ast_strdupa(filename)); ++ ++ /* If the file path starts with '/', don't prepend ast_config_AST_CONFIG_DIR */ ++ if (stripped_filename[0] == '/') { ++ real_path = realpath(stripped_filename, NULL); ++ } else { ++ if (ast_asprintf(&path, "%s/%s", ast_config_AST_CONFIG_DIR, stripped_filename) == -1) { ++ return -1; ++ } ++ real_path = realpath(path, NULL); ++ } ++ ++ if (!real_path) { ++ return -1; ++ } ++ ++ if (!ast_begins_with(real_path, ast_config_AST_CONFIG_DIR)) { + return 1; + } ++ + return 0; + } + +@@ -3661,6 +3692,7 @@ static int action_getconfig(struct mansession *s, const struct message *m) + const char *category_name; + int catcount = 0; + int lineno = 0; ++ int ret = 0; + struct ast_category *cur_category = NULL; + struct ast_variable *v; + struct ast_flags config_flags = { CONFIG_FLAG_WITHCOMMENTS | CONFIG_FLAG_NOCACHE }; +@@ -3670,9 +3702,13 @@ static int action_getconfig(struct mansession *s, const struct message *m) + return 0; + } + +- if (restrictedFile(fn)) { ++ ret = restrictedFile(fn); ++ if (ret == 1) { + astman_send_error(s, m, "File requires escalated priveledges"); + return 0; ++ } else if (ret == -1) { ++ astman_send_error(s, m, "Config file not found"); ++ return 0; + } + + cfg = ast_config_load2(fn, "manager", config_flags); diff -Nru asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49786.patch asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49786.patch --- asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49786.patch 1970-01-01 00:00:00.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/patches/CVE-2023-49786.patch 2024-01-04 17:58:50.000000000 +0000 @@ -0,0 +1,76 @@ +From: Markus Koschany +Date: Sat, 23 Dec 2023 20:05:51 +0100 +Subject: CVE-2023-49786 + +Bug-Debian: https://bugs.debian.org/1059033 +Origin: https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05 +--- + res/res_rtp_asterisk.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 55 insertions(+) + +diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c +index 94c63f1..af98fbb 100644 +--- a/res/res_rtp_asterisk.c ++++ b/res/res_rtp_asterisk.c +@@ -3138,6 +3138,61 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s + + ast_debug_dtls(3, "(%p) DTLS - __rtp_recvfrom rtp=%p - Got SSL packet '%d'\n", instance, rtp, *in); + ++ /* ++ * If ICE is in use, we can prevent a possible DOS attack ++ * by allowing DTLS protocol messages (client hello, etc) ++ * only from sources that are in the active remote ++ * candidates list. ++ */ ++ ++ if (rtp->ice) { ++ int pass_src_check = 0; ++ struct ao2_iterator i; ++ struct ast_rtp_engine_ice_candidate *candidate; ++ int cand_cnt = 0; ++ ++ /* ++ * You'd think that this check would cause a "deadlock" ++ * because ast_rtp_ice_start_media calls dtls_perform_handshake ++ * before it sets ice_media_started = 1 so how can we do a ++ * handshake if we're dropping packets before we send them ++ * to openssl. Fortunately, dtls_perform_handshake just sets ++ * up openssl to do the handshake and doesn't actually perform it ++ * itself and the locking prevents __rtp_recvfrom from ++ * running before the ice_media_started flag is set. So only ++ * unexpected DTLS packets can get dropped here. ++ */ ++ if (!rtp->ice_media_started) { ++ ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. ICE not completed yet.\n", ++ ast_rtp_instance_get_channel_id(instance), ++ ast_sockaddr_stringify(sa)); ++ return 0; ++ } ++ ++ /* ++ * If we got this far, then ice_active_remote_candidates ++ * can't be NULL. ++ */ ++ i = ao2_iterator_init(rtp->ice_active_remote_candidates, 0); ++ while ((candidate = ao2_iterator_next(&i)) && (cand_cnt < PJ_ICE_MAX_CAND)) { ++ res = ast_sockaddr_cmp_addr(&candidate->address, sa); ++ ao2_ref(candidate, -1); ++ if (res == 0) { ++ pass_src_check = 1; ++ break; ++ } ++ cand_cnt++; ++ } ++ ao2_iterator_destroy(&i); ++ ++ if (!pass_src_check) { ++ ast_log(LOG_WARNING, "%s: DTLS packet from %s dropped. Source not in ICE active candidate list.\n", ++ ast_rtp_instance_get_channel_id(instance), ++ ast_sockaddr_stringify(sa)); ++ return 0; ++ } ++ } ++ + /* + * A race condition is prevented between dtls_perform_handshake() + * and this function because both functions have to get the diff -Nru asterisk-16.28.0~dfsg/debian/patches/pjproject-2.13.1.patch asterisk-16.28.0~dfsg/debian/patches/pjproject-2.13.1.patch --- asterisk-16.28.0~dfsg/debian/patches/pjproject-2.13.1.patch 1970-01-01 00:00:00.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/patches/pjproject-2.13.1.patch 2024-01-04 17:58:50.000000000 +0000 @@ -0,0 +1,682 @@ +From: Markus Koschany +Date: Mon, 25 Dec 2023 23:13:23 +0100 +Subject: pjproject-2.13.1 + +Update Asterisk specific patches for embedded pjproject library. Apply the fix +for CVE-2023-38703 by updating the tar.bz2 compressed library directly. +--- + third-party/pjproject/Makefile | 19 +- + third-party/pjproject/configure.m4 | 10 +- + .../patches/0000-remove-third-party.patch | 6 +- + ...g-it_new-129fb323a66dd1fd16880fe5ba5e6a57.patch | 46 +++ + .../patches/0020-log-dropped-packet-in-debug.patch | 28 ++ + .../patches/0100-allow_multiple_auth_headers.patch | 413 --------------------- + third-party/pjproject/patches/config_site.h | 8 + + third-party/pjproject/pjproject-2.12.1.tar.bz2.md5 | 1 - + third-party/pjproject/pjproject-2.13.1.tar.bz2.md5 | 1 + + third-party/versions.mak | 2 +- + 10 files changed, 109 insertions(+), 425 deletions(-) + create mode 100644 third-party/pjproject/patches/0010-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new-129fb323a66dd1fd16880fe5ba5e6a57.patch + create mode 100644 third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch + delete mode 100644 third-party/pjproject/patches/0100-allow_multiple_auth_headers.patch + delete mode 100644 third-party/pjproject/pjproject-2.12.1.tar.bz2.md5 + create mode 100644 third-party/pjproject/pjproject-2.13.1.tar.bz2.md5 + +diff --git a/third-party/pjproject/Makefile b/third-party/pjproject/Makefile +index 69f84a9..28cb5db 100644 +--- a/third-party/pjproject/Makefile ++++ b/third-party/pjproject/Makefile +@@ -67,7 +67,17 @@ ifeq ($(SPECIAL_TARGETS),) + CF += -DPJPROJECT_BUNDLED_ASSERTIONS=yes + endif + MALLOC_DEBUG_LIBS = source/pjsip-apps/lib/libasterisk_malloc_debug.a +- MALLOC_DEBUG_LDFLAGS = -L$(PJDIR)/pjsip-apps/lib -Wl,-whole-archive -lasterisk_malloc_debug -Wl,-no-whole-archive ++ ifneq ($(findstring darwin,$(OSARCH)),) ++ MALLOC_DEBUG_LDFLAGS = -L$(PJDIR)/pjsip-apps/lib -Wl,-all_load -lasterisk_malloc_debug -Wl,-noall_load ++ else ++ # These are used for all but Darwin ++ MALLOC_DEBUG_LDFLAGS = -L$(PJDIR)/pjsip-apps/lib -Wl,-whole-archive -lasterisk_malloc_debug -Wl,-no-whole-archive ++ endif ++ ifeq ($(findstring DONT_OPTIMIZE,$(MENUSELECT_CFLAGS)),) ++ CF += -O3 ++ endif ++ export CFLAGS += $(CF) -g3 ++ export LDFLAGS += $(CC_LDFLAGS) + TARGETS += pjproject.symbols + else + all install: +@@ -102,11 +112,6 @@ source/.unpacked: $(DOWNLOAD_DIR)/$(TARBALL_FILE) + mv pjproject-$(PJPROJECT_VERSION) source + $(ECHO_PREFIX) Applying patches "$(realpath patches)" "$(realpath .)/source" + $(CMD_PREFIX) ../apply_patches $(QUIET_CONFIGURE) "$(realpath patches)" "$(realpath .)/source" +- # Debian patch: Update autoconf files to support newer architectures +- cd source && autoconf aconfigure.ac >aconfigure +- cp /usr/share/misc/config.guess source/config.guess +- cp /usr/share/misc/config.sub source/config.sub +- # End Debian patch + -@touch source/.unpacked + + source/user.mak: $(if $(PJPROJECT_BUNDLED_OOT),,source/.unpacked) patches/user.mak +@@ -207,7 +212,7 @@ $(ALL_LIB_FILES): source/build.mak source/pjlib/include/pj/config_site.h + + pjproject.symbols: $(ALL_LIB_FILES) + $(ECHO_PREFIX) Generating symbols +- $(CMD_PREFIX) $(NM) -Pog $(ALL_LIB_FILES) | $(SED) -n -r -e "s/.+: ([pP][jJ][^ ]+) .+/\1/gp" | sort -u > pjproject.symbols ++ $(CMD_PREFIX) $(NM) -Pog $(ALL_LIB_FILES) | $(SED) -n -E -e "s/.+: ([_]?[pP][jJ][^ ]+) .+/\1/gp" | sort -u > pjproject.symbols + + source/pjsip-apps/src/asterisk_malloc_debug.c: patches/asterisk_malloc_debug.c + $(ECHO_PREFIX) Copying $< to $@ +diff --git a/third-party/pjproject/configure.m4 b/third-party/pjproject/configure.m4 +index 2f26625..eb76873 100644 +--- a/third-party/pjproject/configure.m4 ++++ b/third-party/pjproject/configure.m4 +@@ -74,12 +74,16 @@ AC_DEFUN([_PJPROJECT_CONFIGURE], + y|ye|yes) + # Not to mention SSL is the default in PJProject and means "autodetect". + # In Asterisk, "./configure --with-ssl" means "must be present". +- PJPROJECT_CONFIGURE_OPTS="${PJPROJECT_CONFIGURE_OPTS}" ++ PJPROJECT_CONFIGURE_OPTS="${PJPROJECT_CONFIGURE_OPTS} --with-ssl" + ;; + *) + PJPROJECT_CONFIGURE_OPTS="${PJPROJECT_CONFIGURE_OPTS} --with-ssl=${with_ssl}" + ;; + esac ++ else ++ if test $PBX_OPENSSL -eq 1 ; then ++ PJPROJECT_CONFIGURE_OPTS="${PJPROJECT_CONFIGURE_OPTS} --with-ssl" ++ fi + fi + + # Determine if we're doing an out-of-tree build... +@@ -122,6 +126,9 @@ AC_DEFUN([_PJPROJECT_CONFIGURE], + AC_DEFINE([HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2], 1, [Define if your system has pj_ssl_cert_load_from_files2 declared.]) + AC_DEFINE([HAVE_PJSIP_EXTERNAL_RESOLVER], 1, [Define if your system has pjsip_endpt_set_ext_resolver declared.]) + AC_DEFINE([HAVE_PJSIP_TLS_TRANSPORT_PROTO], 1, [Define if your system has PJSIP_TLS_TRANSPORT_PROTO]) ++ AC_DEFINE([HAVE_PJSIP_TLS_1_1], 1, [Define if your system has PJSIP with TLSv1.1 support.]) ++ AC_DEFINE([HAVE_PJSIP_TLS_1_2], 1, [Define if your system has PJSIP with TLSv1.2 support.]) ++ AC_DEFINE([HAVE_PJSIP_TLS_1_3], 1, [Define if your system has PJSIP with TLSv1.3 support.]) + AC_DEFINE([HAVE_PJSIP_EVSUB_GRP_LOCK], 1, [Define if your system has PJSIP_EVSUB_GRP_LOCK]) + AC_DEFINE([HAVE_PJSIP_INV_SESSION_REF], 1, [Define if your system has PJSIP_INV_SESSION_REF]) + AC_DEFINE([HAVE_PJSIP_AUTH_CLT_DEINIT], 1, [Define if your system has pjsip_auth_clt_deinit declared.]) +@@ -131,6 +138,7 @@ AC_DEFUN([_PJPROJECT_CONFIGURE], + AC_DEFINE([HAVE_PJSIP_TRANSPORT_DISABLE_CONNECTION_REUSE], 1, [Define if your system has HAVE_PJSIP_TRANSPORT_DISABLE_CONNECTION_REUSE declared]) + AC_DEFINE([HAVE_PJSIP_OAUTH_AUTHENTICATION], 1, [Define if your system has HAVE_PJSIP_OAUTH_AUTHENTICATION declared]) + AC_DEFINE([HAVE_PJPROJECT_ON_VALID_ICE_PAIR_CALLBACK], 1, [Define if your system has the on_valid_pair pjnath callback.]) ++ AC_DEFINE([HAVE_PJSIP_TLS_TRANSPORT_RESTART], 1, [Define if your system has pjsip_tls_transport_restart support.]) + + AC_SUBST([PJPROJECT_BUNDLED]) + AC_SUBST([PJPROJECT_BUNDLED_OOT]) +diff --git a/third-party/pjproject/patches/0000-remove-third-party.patch b/third-party/pjproject/patches/0000-remove-third-party.patch +index 1de154d..ab6c6d1 100644 +--- a/third-party/pjproject/patches/0000-remove-third-party.patch ++++ b/third-party/pjproject/patches/0000-remove-third-party.patch +@@ -7,10 +7,11 @@ index 4bc464f8c..80681d961 100644 + include $(PJDIR)/version.mak + export PJ_DIR := $(PJDIR) + +-@@ -41,19 +40,6 @@ export APP_THIRD_PARTY_EXT := ++@@ -42,21 +41,6 @@ export APP_THIRD_PARTY_EXT := + export APP_THIRD_PARTY_LIBS := + export APP_THIRD_PARTY_LIB_FILES := + ++-ifneq (@ac_no_srtp@,1) + -ifneq (@ac_external_srtp@,0) + -# External SRTP library + -APP_THIRD_PARTY_EXT += -l@ac_external_srtp_lib@ +@@ -23,11 +24,12 @@ index 4bc464f8c..80681d961 100644 + -APP_THIRD_PARTY_LIB_FILES += $(PJ_DIR)/third_party/lib/libsrtp.$(SHLIB_SUFFIX).$(PJ_VERSION_MAJOR) $(PJ_DIR)/third_party/lib/libsrtp.$(SHLIB_SUFFIX) + -endif + -endif ++-endif + - + ifeq (@ac_pjmedia_resample@,libresample) + APP_THIRD_PARTY_LIB_FILES += $(PJ_DIR)/third_party/lib/libresample-$(LIB_SUFFIX) + ifeq ($(PJ_SHARED_LIBRARIES),) +-@@ -70,102 +56,6 @@ APP_THIRD_PARTY_LIB_FILES += $(PJ_DIR)/third_party/lib/libresample.$(SHLIB_SUFFI ++@@ -73,102 +57,6 @@ APP_THIRD_PARTY_LIB_FILES += $(PJ_DIR)/third_party/lib/libresample.$(SHLIB_SUFFI + endif + endif + +diff --git a/third-party/pjproject/patches/0010-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new-129fb323a66dd1fd16880fe5ba5e6a57.patch b/third-party/pjproject/patches/0010-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new-129fb323a66dd1fd16880fe5ba5e6a57.patch +new file mode 100644 +index 0000000..009060a +--- /dev/null ++++ b/third-party/pjproject/patches/0010-Make-sure-that-NOTIFY-tdata-is-set-before-sending-it_new-129fb323a66dd1fd16880fe5ba5e6a57.patch +@@ -0,0 +1,46 @@ ++From ac685b30c17be461b2bf5b46a772ed9742b8e985 Mon Sep 17 00:00:00 2001 ++From: Riza Sulistyo ++Date: Thu, 9 Feb 2023 13:19:23 +0700 ++Subject: [PATCH] Make sure that NOTIFY tdata is set before sending it. ++ ++--- ++ pjsip/src/pjsip-simple/evsub.c | 9 ++++++--- ++ 1 file changed, 6 insertions(+), 3 deletions(-) ++ ++diff --git a/pjsip/src/pjsip-simple/evsub.c b/pjsip/src/pjsip-simple/evsub.c ++index da0a9b416..68c1d3951 100644 ++--- a/pjsip/src/pjsip-simple/evsub.c +++++ b/pjsip/src/pjsip-simple/evsub.c ++@@ -2216,23 +2216,26 @@ static void on_tsx_state_uas( pjsip_evsub *sub, pjsip_transaction *tsx, ++ } ++ ++ } else { ++ sub->state = old_state; ++ sub->state_str = old_state_str; ++ } ++ ++ /* Send the pending NOTIFY sent by app from inside ++ * on_rx_refresh() callback. ++ */ ++- pj_assert(sub->pending_notify); ++- status = pjsip_evsub_send_request(sub, sub->pending_notify); ++- sub->pending_notify = NULL; +++ //pj_assert(sub->pending_notify); +++ /* Make sure that pending_notify is set. */ +++ if (sub->pending_notify) { +++ status = pjsip_evsub_send_request(sub, sub->pending_notify); +++ sub->pending_notify = NULL; +++ } ++ ++ } else if (pjsip_method_cmp(&tsx->method, &pjsip_notify_method)==0) { ++ ++ /* Handle authentication */ ++ if (tsx->state == PJSIP_TSX_STATE_COMPLETED && ++ (tsx->status_code==401 || tsx->status_code==407)) ++ { ++ pjsip_tx_data *tdata; ++ pj_status_t status; ++ pjsip_rx_data *rdata = event->body.tsx_state.src.rdata; ++-- ++2.39.1 ++ +diff --git a/third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch b/third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch +new file mode 100644 +index 0000000..240e5c3 +--- /dev/null ++++ b/third-party/pjproject/patches/0020-log-dropped-packet-in-debug.patch +@@ -0,0 +1,28 @@ ++diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c ++index 4f483faa1..12439e3ee 100644 ++--- a/pjsip/src/pjsip/sip_transport.c +++++ b/pjsip/src/pjsip/sip_transport.c ++@@ -2088,15 +2088,17 @@ PJ_DEF(pj_ssize_t) pjsip_tpmgr_receive_packet( pjsip_tpmgr *mgr, ++ * which were sent to keep NAT bindings. ++ */ ++ if (tmp.slen) { ++- PJ_LOG(1, (THIS_FILE, ++- "Error processing %d bytes packet from %s %s:%d %.*s:\n" ++- "%.*s\n" ++- "-- end of packet.", +++ PJ_LOG(2, (THIS_FILE, +++ "Dropping %d bytes packet from %s %s:%d %.*s\n", ++ msg_fragment_size, ++ rdata->tp_info.transport->type_name, ++- rdata->pkt_info.src_name, +++ rdata->pkt_info.src_name, ++ rdata->pkt_info.src_port, ++- (int)tmp.slen, tmp.ptr, +++ (int)tmp.slen, tmp.ptr)); +++ PJ_LOG(4, (THIS_FILE, +++ "Dropped packet:" +++ "%.*s\n" +++ "-- end of packet.", ++ (int)msg_fragment_size, ++ rdata->msg_info.msg_buf)); ++ } +diff --git a/third-party/pjproject/patches/0100-allow_multiple_auth_headers.patch b/third-party/pjproject/patches/0100-allow_multiple_auth_headers.patch +deleted file mode 100644 +index e291eeb..0000000 +--- a/third-party/pjproject/patches/0100-allow_multiple_auth_headers.patch ++++ /dev/null +@@ -1,413 +0,0 @@ +-commit 8e95490e37938f45d9d812905246036c3185b94f +-Author: Riza Sulistyo +-Date: Thu Mar 24 12:53:03 2022 +0700 +- +- Add compile time option to allow multiple Authorization header (#3010) +- +-diff --git a/pjsip/include/pjsip/sip_config.h b/pjsip/include/pjsip/sip_config.h +-index dfd9ce977..ccce6ed01 100644 +---- a/pjsip/include/pjsip/sip_config.h +-+++ b/pjsip/include/pjsip/sip_config.h +-@@ -1280,6 +1280,18 @@ PJ_INLINE(pjsip_cfg_t*) pjsip_cfg(void) +- # define PJSIP_AUTH_CNONCE_USE_DIGITS_ONLY 1 +- #endif +- +-+/** +-+ * Allow client to send multiple Authorization header when receiving multiple +-+ * WWW-Authenticate header fields. If this is disabled, the stack will send +-+ * Authorization header field containing credentials that match the +-+ * topmost header field. +-+ * +-+ * Default is 0 +-+ */ +-+#ifndef PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER +-+# define PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER 0 +-+#endif +-+ +- /***************************************************************************** +- * SIP Event framework and presence settings. +- */ +-@@ -1458,6 +1470,11 @@ PJ_INLINE(pjsip_cfg_t*) pjsip_cfg(void) +- # define PJSIP_INV_ACCEPT_UNKNOWN_BODY PJ_FALSE +- #endif +- +-+/** +-+ * Dump configuration to log with verbosity equal to info(3). +-+ */ +-+PJ_DECL(void) pjsip_dump_config(void); +-+ +- PJ_END_DECL +- +- /** +-diff --git a/pjsip/src/pjsip/sip_auth_client.c b/pjsip/src/pjsip/sip_auth_client.c +-index 35460d01e..ab1a0cd87 100644 +---- a/pjsip/src/pjsip/sip_auth_client.c +-+++ b/pjsip/src/pjsip/sip_auth_client.c +-@@ -1367,7 +1367,7 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess, +- chal_cnt = 0; +- auth_cnt = 0; +- last_auth_err = PJSIP_EAUTHNOAUTH; +-- while (hdr != &rdata->msg_info.msg->hdr && auth_cnt == 0) { +-+ while (hdr != &rdata->msg_info.msg->hdr) { +- pjsip_cached_auth *cached_auth; +- const pjsip_www_authenticate_hdr *hchal; +- pjsip_authorization_hdr *hauth; +-@@ -1431,6 +1431,11 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess, +- /* Process next header. */ +- hdr = hdr->next; +- auth_cnt++; +-+ +-+#if defined(PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER) && \ +-+ PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER==0 +-+ break; +-+#endif +- } +- +- /* Check if challenge is present */ +-diff --git a/pjsip/src/pjsip/sip_config.c b/pjsip/src/pjsip/sip_config.c +-index 957f9fad4..6920b3dfe 100644 +---- a/pjsip/src/pjsip/sip_config.c +-+++ b/pjsip/src/pjsip/sip_config.c +-@@ -19,6 +19,9 @@ +- */ +- +- #include +-+#include +-+ +-+static const char *id = "sip_config.c"; +- +- /* pjsip configuration instance, initialized with default values */ +- pjsip_cfg_t pjsip_sip_cfg_var = +-@@ -65,6 +68,195 @@ pjsip_cfg_t pjsip_sip_cfg_var = +- } +- }; +- +-+PJ_DEF(void) pjsip_dump_config(void) +-+{ +-+ PJ_LOG(3, (id, "Dumping PJSIP configurations:")); +-+ PJ_LOG(3, (id, " PJSIP_MAX_DIALOG_COUNT : %d", +-+ PJSIP_MAX_DIALOG_COUNT)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_TRANSPORTS : %d", +-+ PJSIP_MAX_TRANSPORTS)); +-+ PJ_LOG(3, (id, " PJSIP_TPMGR_HTABLE_SIZE : %d", +-+ PJSIP_TPMGR_HTABLE_SIZE)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_URL_SIZE : %d", +-+ PJSIP_MAX_URL_SIZE)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_MODULE : %d", +-+ PJSIP_MAX_MODULE)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_PKT_LEN : %d", +-+ PJSIP_MAX_PKT_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_HANDLE_EVENTS_HAS_SLEEP_ON_ERR : %d", +-+ PJSIP_HANDLE_EVENTS_HAS_SLEEP_ON_ERR)); +-+ PJ_LOG(3, (id, " PJSIP_ACCEPT_MULTIPLE_SDP_ANSWERS : %d", +-+ PJSIP_ACCEPT_MULTIPLE_SDP_ANSWERS)); +-+ PJ_LOG(3, (id, " PJSIP_UDP_SIZE_THRESHOLD : %d", +-+ PJSIP_UDP_SIZE_THRESHOLD)); +-+ PJ_LOG(3, (id, " PJSIP_INCLUDE_ALLOW_HDR_IN_DLG : %d", +-+ PJSIP_INCLUDE_ALLOW_HDR_IN_DLG)); +-+ PJ_LOG(3, (id, " PJSIP_SAFE_MODULE : %d", +-+ PJSIP_SAFE_MODULE)); +-+ PJ_LOG(3, (id, " PJSIP_CHECK_VIA_SENT_BY : %d", +-+ PJSIP_CHECK_VIA_SENT_BY)); +-+ PJ_LOG(3, (id, " PJSIP_UNESCAPE_IN_PLACE : %d", +-+ PJSIP_UNESCAPE_IN_PLACE)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_NET_EVENTS : %d", +-+ PJSIP_MAX_NET_EVENTS)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_TIMED_OUT_ENTRIES : %d", +-+ PJSIP_MAX_TIMED_OUT_ENTRIES)); +-+ PJ_LOG(3, (id, " PJSIP_TRANSPORT_IDLE_TIME : %d", +-+ PJSIP_TRANSPORT_IDLE_TIME)); +-+ PJ_LOG(3, (id, " PJSIP_TRANSPORT_SERVER_IDLE_TIME : %d", +-+ PJSIP_TRANSPORT_SERVER_IDLE_TIME)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_TRANSPORT_USAGE : %d", +-+ PJSIP_MAX_TRANSPORT_USAGE)); +-+ PJ_LOG(3, (id, " PJSIP_TCP_TRANSPORT_BACKLOG : %d", +-+ PJSIP_TCP_TRANSPORT_BACKLOG)); +-+ PJ_LOG(3, (id, " PJSIP_TCP_TRANSPORT_REUSEADDR : %d", +-+ PJSIP_TCP_TRANSPORT_REUSEADDR)); +-+ PJ_LOG(3, (id, " PJSIP_TCP_TRANSPORT_DONT_CREATE_LISTENER : %d", +-+ PJSIP_TCP_TRANSPORT_DONT_CREATE_LISTENER)); +-+ PJ_LOG(3, (id, " PJSIP_TLS_TRANSPORT_DONT_CREATE_LISTENER : %d", +-+ PJSIP_TLS_TRANSPORT_DONT_CREATE_LISTENER)); +-+ PJ_LOG(3, (id, " PJSIP_TCP_KEEP_ALIVE_INTERVAL : %d", +-+ PJSIP_TCP_KEEP_ALIVE_INTERVAL)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_INC_TRANSPORT : %d", +-+ PJSIP_POOL_INC_TRANSPORT)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_LEN_TDATA : %d", +-+ PJSIP_POOL_LEN_TDATA)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_INC_TDATA : %d", +-+ PJSIP_POOL_INC_TDATA)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_LEN_UA : %d", +-+ PJSIP_POOL_LEN_UA)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_INC_UA : %d", +-+ PJSIP_POOL_INC_UA)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_EVSUB_LEN : %d", +-+ PJSIP_POOL_EVSUB_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_EVSUB_INC : %d", +-+ PJSIP_POOL_EVSUB_INC)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_FORWARDS_VALUE : %d", +-+ PJSIP_MAX_FORWARDS_VALUE)); +-+ PJ_LOG(3, (id, " PJSIP_RFC3261_BRANCH_ID : %s", +-+ PJSIP_RFC3261_BRANCH_ID)); +-+ PJ_LOG(3, (id, " PJSIP_RFC3261_BRANCH_LEN : %d", +-+ PJSIP_RFC3261_BRANCH_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_TSX_LAYER_LEN : %d", +-+ PJSIP_POOL_TSX_LAYER_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_TSX_LAYER_INC : %d", +-+ PJSIP_POOL_TSX_LAYER_INC)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_TSX_LEN : %d", +-+ PJSIP_POOL_TSX_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_TSX_INC : %d", +-+ PJSIP_POOL_TSX_INC)); +-+ PJ_LOG(3, (id, " PJSIP_TSX_1XX_RETRANS_DELAY : %d", +-+ PJSIP_TSX_1XX_RETRANS_DELAY)); +-+ PJ_LOG(3, (id, " PJSIP_TSX_UAS_CONTINUE_ON_TP_ERROR : %d", +-+ PJSIP_TSX_UAS_CONTINUE_ON_TP_ERROR)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_TSX_KEY_LEN : %d", +-+ PJSIP_MAX_TSX_KEY_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_LEN_USER_AGENT : %d", +-+ PJSIP_POOL_LEN_USER_AGENT)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_INC_USER_AGENT : %d", +-+ PJSIP_POOL_INC_USER_AGENT)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_BRANCH_LEN : %d", +-+ PJSIP_MAX_HNAME_LEN)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_LEN_DIALOG : %d", +-+ PJSIP_POOL_LEN_DIALOG)); +-+ PJ_LOG(3, (id, " PJSIP_POOL_INC_DIALOG : %d", +-+ PJSIP_POOL_INC_DIALOG)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_HEADER_TYPES : %d", +-+ PJSIP_MAX_HEADER_TYPES)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_URI_TYPES : %d", +-+ PJSIP_MAX_URI_TYPES)); +-+ PJ_LOG(3, (id, " PJSIP_AUTH_HEADER_CACHING : %d", +-+ PJSIP_AUTH_HEADER_CACHING)); +-+ PJ_LOG(3, (id, " PJSIP_AUTH_AUTO_SEND_NEXT : %d", +-+ PJSIP_AUTH_AUTO_SEND_NEXT)); +-+ PJ_LOG(3, (id, " PJSIP_AUTH_QOP_SUPPORT : %d", +-+ PJSIP_AUTH_QOP_SUPPORT)); +-+ PJ_LOG(3, (id, " PJSIP_MAX_STALE_COUNT : %d", +-+ PJSIP_MAX_STALE_COUNT)); +-+ PJ_LOG(3, (id, " PJSIP_HAS_DIGEST_AKA_AUTH : %d", +-+ PJSIP_HAS_DIGEST_AKA_AUTH)); +-+ PJ_LOG(3, (id, " PJSIP_REGISTER_CLIENT_DELAY_BEFORE_REFRESH : %d", +-+ PJSIP_REGISTER_CLIENT_DELAY_BEFORE_REFRESH)); +-+ PJ_LOG(3, (id, " PJSIP_REGISTER_ALLOW_EXP_REFRESH : %d", +-+ PJSIP_REGISTER_ALLOW_EXP_REFRESH)); +-+ PJ_LOG(3, (id, " PJSIP_AUTH_CACHED_POOL_MAX_SIZE : %d", +-+ PJSIP_AUTH_CACHED_POOL_MAX_SIZE)); +-+ PJ_LOG(3, (id, " PJSIP_AUTH_CNONCE_USE_DIGITS_ONLY : %d", +-+ PJSIP_AUTH_CNONCE_USE_DIGITS_ONLY)); +-+ PJ_LOG(3, (id, " PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER : %d", +-+ PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER)); +-+ PJ_LOG(3, (id, " PJSIP_EVSUB_TIME_UAC_REFRESH : %d", +-+ PJSIP_EVSUB_TIME_UAC_REFRESH)); +-+ PJ_LOG(3, (id, " PJSIP_PUBLISHC_DELAY_BEFORE_REFRESH : %d", +-+ PJSIP_PUBLISHC_DELAY_BEFORE_REFRESH)); +-+ PJ_LOG(3, (id, " PJSIP_EVSUB_TIME_UAC_TERMINATE : %d", +-+ PJSIP_EVSUB_TIME_UAC_TERMINATE)); +-+ PJ_LOG(3, (id, " PJSIP_EVSUB_TIME_UAC_WAIT_NOTIFY : %d", +-+ PJSIP_EVSUB_TIME_UAC_WAIT_NOTIFY)); +-+ PJ_LOG(3, (id, " PJSIP_PRES_DEFAULT_EXPIRES : %d", +-+ PJSIP_PRES_DEFAULT_EXPIRES)); +-+ PJ_LOG(3, (id, " PJSIP_PRES_BAD_CONTENT_RESPONSE : %d", +-+ PJSIP_PRES_BAD_CONTENT_RESPONSE)); +-+ PJ_LOG(3, (id, " PJSIP_PRES_PIDF_ADD_TIMESTAMP : %d", +-+ PJSIP_PRES_PIDF_ADD_TIMESTAMP)); +-+ PJ_LOG(3, (id, " PJSIP_SESS_TIMER_DEF_SE : %d", +-+ PJSIP_SESS_TIMER_DEF_SE)); +-+ PJ_LOG(3, (id, " PJSIP_SESS_TIMER_RETRY_DELAY : %d", +-+ PJSIP_SESS_TIMER_RETRY_DELAY)); +-+ PJ_LOG(3, (id, " PJSIP_PUBLISHC_QUEUE_REQUEST : %d", +-+ PJSIP_PUBLISHC_QUEUE_REQUEST)); +-+ PJ_LOG(3, (id, " PJSIP_MWI_DEFAULT_EXPIRES : %d", +-+ PJSIP_MWI_DEFAULT_EXPIRES)); +-+ PJ_LOG(3, (id, " PJSIP_HAS_TX_DATA_LIST : %d", +-+ PJSIP_HAS_TX_DATA_LIST)); +-+ PJ_LOG(3, (id, " PJSIP_INV_ACCEPT_UNKNOWN_BODY : %d", +-+ PJSIP_INV_ACCEPT_UNKNOWN_BODY)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.allow_port_in_fromto_hdr : %d", +-+ pjsip_cfg()->endpt.allow_port_in_fromto_hdr)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.accept_replace_in_early_state : %d", +-+ pjsip_cfg()->endpt.accept_replace_in_early_state)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.allow_tx_hash_in_uri : %d", +-+ pjsip_cfg()->endpt.allow_tx_hash_in_uri)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.disable_rport : %d", +-+ pjsip_cfg()->endpt.disable_rport)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.disable_tcp_switch : %d", +-+ pjsip_cfg()->endpt.disable_tcp_switch)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.disable_tls_switch : %d", +-+ pjsip_cfg()->endpt.disable_tls_switch)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.follow_early_media_fork : %d", +-+ pjsip_cfg()->endpt.follow_early_media_fork)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.req_has_via_alias : %d", +-+ pjsip_cfg()->endpt.req_has_via_alias)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.resolve_hostname_to_get_interface:%d", +-+ pjsip_cfg()->endpt.resolve_hostname_to_get_interface)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.disable_secure_dlg_check : %d", +-+ pjsip_cfg()->endpt.disable_secure_dlg_check)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.use_compact_form : %d", +-+ pjsip_cfg()->endpt.use_compact_form)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.accept_multiple_sdp_answers : %d", +-+ pjsip_cfg()->endpt.accept_multiple_sdp_answers)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->endpt.keep_inv_after_tsx_timeout : %d", +-+ pjsip_cfg()->endpt.keep_inv_after_tsx_timeout)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->tsx.max_count : %d", +-+ pjsip_cfg()->tsx.max_count)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->tsx.t1 : %d", +-+ pjsip_cfg()->tsx.t1)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->tsx.t2 : %d", +-+ pjsip_cfg()->tsx.t2)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->tsx.t4 : %d", +-+ pjsip_cfg()->tsx.t4)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->td : %d", +-+ pjsip_cfg()->tsx.td)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->regc.check_contact : %d", +-+ pjsip_cfg()->regc.check_contact)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->regc.add_xuid_param : %d", +-+ pjsip_cfg()->regc.add_xuid_param)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->tcp.keep_alive_interval : %d", +-+ pjsip_cfg()->tcp.keep_alive_interval)); +-+ PJ_LOG(3, (id, " pjsip_cfg()->tls.keep_alive_interval : %d", +-+ pjsip_cfg()->tls.keep_alive_interval)); +-+} +-+ +- +- #ifdef PJ_DLL +- PJ_DEF(pjsip_cfg_t*) pjsip_cfg(void) +-diff --git a/pjsip/src/pjsua-lib/pjsua_core.c b/pjsip/src/pjsua-lib/pjsua_core.c +-index c437011b5..343316b56 100644 +---- a/pjsip/src/pjsua-lib/pjsua_core.c +-+++ b/pjsip/src/pjsua-lib/pjsua_core.c +-@@ -3443,8 +3443,10 @@ PJ_DEF(void) pjsua_dump(pj_bool_t detail) +- old_decor = pj_log_get_decor(); +- pj_log_set_decor(old_decor & (PJ_LOG_HAS_NEWLINE | PJ_LOG_HAS_CR)); +- +-- if (detail) +-+ if (detail) { +- pj_dump_config(); +-+ pjsip_dump_config(); +-+ } +- +- pjsip_endpt_dump(pjsua_get_pjsip_endpt(), detail); +- +-diff --git a/tests/pjsua/inc_sip.py b/tests/pjsua/inc_sip.py +-index f7e64816e..2cc1a17a8 100644 +---- a/tests/pjsua/inc_sip.py +-+++ b/tests/pjsua/inc_sip.py +-@@ -306,9 +306,11 @@ class RecvfromTransaction: +- body = None +- # Pattern to be expected on pjsua when receiving the response +- expect = "" +-+ # Required config +-+ pj_config = "" +- +- def __init__(self, title, resp_code, check_cseq=True, +-- include=[], exclude=[], cmds=[], resp_hdr=[], resp_body=None, expect=""): +-+ include=[], exclude=[], cmds=[], resp_hdr=[], resp_body=None, expect="", pj_config=""): +- self.title = title +- self.cmds = cmds +- self.include = include +-@@ -317,6 +319,7 @@ class RecvfromTransaction: +- self.resp_hdr = resp_hdr +- self.body = resp_body +- self.expect = expect +-+ self.pj_config=pj_config +- +- +- class RecvfromCfg: +-@@ -328,15 +331,18 @@ class RecvfromCfg: +- transaction = None +- # Use TCP? +- tcp = False +-+ # Required config +-+ pj_config = "" +- +- # Note: +- # Any "$PORT" string in the pjsua_args will be replaced +- # by server port +-- def __init__(self, name, pjsua_args, transaction, tcp=False): +-+ def __init__(self, name, pjsua_args, transaction, tcp=False, pj_config=""): +- self.name = name +- self.inst_param = cfg.InstanceParam("pjsua", pjsua_args) +- self.transaction = transaction +- self.tcp=tcp +-+ self.pj_config=pj_config +- +- +- +-diff --git a/tests/pjsua/mod_recvfrom.py b/tests/pjsua/mod_recvfrom.py +-index 918006aff..4305bfb42 100644 +---- a/tests/pjsua/mod_recvfrom.py +-+++ b/tests/pjsua/mod_recvfrom.py +-@@ -18,10 +18,20 @@ def test_func(test): +- local_port=srv_port, +- tcp=cfg_file.recvfrom_cfg.tcp) +- +-+ config = pjsua.get_config(cfg_file.recvfrom_cfg.pj_config) +-+ print "Config : " + config +-+ +- last_cseq = 0 +- last_method = "" +- last_call_id = "" +- for t in cfg_file.recvfrom_cfg.transaction: +-+ # Check if transaction requires configuration +-+ if t.pj_config != "": +-+ r = re.compile(t.pj_config, re.I) +-+ if r.search(config) == None: +-+ print "Configuration : " + t.pj_config + " not found, skipping" +-+ continue +-+ +- # Print transaction title +- if t.title != "": +- dlg.trace(t.title) +-diff --git a/tests/pjsua/run.py b/tests/pjsua/run.py +-index 35b00dec5..cffc38470 100644 +---- a/tests/pjsua/run.py +-+++ b/tests/pjsua/run.py +-@@ -249,6 +249,10 @@ class Expect(threading.Thread): +- time.sleep(0.01) +- return None +- +-+ def get_config(self, key_config): +-+ self.send("dd") +-+ line = self.expect(key_config); +-+ return line +- +- def sync_stdout(self): +- if not self.use_telnet: +-diff --git a/tests/pjsua/scripts-recvfrom/215_reg_good_multi_ok.py b/tests/pjsua/scripts-recvfrom/215_reg_good_multi_ok.py +-index a98b8b1d8..909ba229b 100644 +---- a/tests/pjsua/scripts-recvfrom/215_reg_good_multi_ok.py +-+++ b/tests/pjsua/scripts-recvfrom/215_reg_good_multi_ok.py +-@@ -14,16 +14,27 @@ req1 = sip.RecvfromTransaction("Initial registration", 401, +- expect="SIP/2.0 401" +- ) +- +--req2 = sip.RecvfromTransaction("Registration retry with auth", 200, +-+req2 = sip.RecvfromTransaction("Registration retry with auth (not allowed multiple auth)", 200, +- include=["REGISTER sip", +-- # Must only have 1 Auth hdr since #2887 +- "Authorization:", # [\\s\\S]+Authorization:" +- "realm=\"python1\"", # "realm=\"python2\"", +- "username=\"theuser1\"", # "username=\"theuser2\"", +- "nonce=\"1234\"", # "nonce=\"6789\"", +- "response="], +-- expect="registration success" +-+ expect="registration success", +-+ pj_config="PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER.*: 0" +- ) +- +-+req3 = sip.RecvfromTransaction("Registration retry with auth (allowed multiple auth)", 200, +-+ include=["REGISTER sip", +-+ "Authorization:[\\s\\S]+Authorization:", # Must have 2 Auth hdrs +-+ "realm=\"python1\"", "realm=\"python2\"", +-+ "username=\"theuser1\"", "username=\"theuser2\"", +-+ "nonce=\"1234\"", "nonce=\"6789\"", +-+ "response="], +-+ expect="registration success", +-+ pj_config="PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER.*: 1" +-+ ) +-+ +- recvfrom_cfg = sip.RecvfromCfg("Multiple authentication challenges", +-- pjsua, [req1, req2]) +-+ pjsua, [req1, req2, req3], pj_config="PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER") +diff --git a/third-party/pjproject/patches/config_site.h b/third-party/pjproject/patches/config_site.h +index 9f4d678..bb40c7b 100644 +--- a/third-party/pjproject/patches/config_site.h ++++ b/third-party/pjproject/patches/config_site.h +@@ -91,3 +91,11 @@ + #define PJSIP_TSX_UAS_CONTINUE_ON_TP_ERROR 0 + #define PJ_SSL_SOCK_OSSL_USE_THREAD_CB 0 + #define PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER 1 ++ ++/* ++ * The default is 32 with 8 being used by pjproject itself. ++ * Since this value is used in invites, dialogs, transports ++ * and subscriptions as well as the global pjproject endpoint, ++ * we don't want to increase it too much. ++ */ ++#define PJSIP_MAX_MODULE 38 +diff --git a/third-party/pjproject/pjproject-2.12.1.tar.bz2.md5 b/third-party/pjproject/pjproject-2.12.1.tar.bz2.md5 +deleted file mode 100644 +index f43067a..0000000 +--- a/third-party/pjproject/pjproject-2.12.1.tar.bz2.md5 ++++ /dev/null +@@ -1 +0,0 @@ +-7f80ba8e1540853f959be6be7912a150 pjproject-2.12.1.tar.bz2 +diff --git a/third-party/pjproject/pjproject-2.13.1.tar.bz2.md5 b/third-party/pjproject/pjproject-2.13.1.tar.bz2.md5 +new file mode 100644 +index 0000000..0abdea9 +--- /dev/null ++++ b/third-party/pjproject/pjproject-2.13.1.tar.bz2.md5 +@@ -0,0 +1 @@ ++3522e36cdf67d32fd47eb9b5c6d10642 pjproject-2.13.1.tar.bz2 +diff --git a/third-party/versions.mak b/third-party/versions.mak +index a1eb9a5..e5bc5fe 100644 +--- a/third-party/versions.mak ++++ b/third-party/versions.mak +@@ -1,2 +1,2 @@ + JANSSON_VERSION = 2.14 +-PJPROJECT_VERSION = 2.12.1 ++PJPROJECT_VERSION = 2.13.1 diff -Nru asterisk-16.28.0~dfsg/debian/patches/series asterisk-16.28.0~dfsg/debian/patches/series --- asterisk-16.28.0~dfsg/debian/patches/series 2023-06-22 12:47:22.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/patches/series 2024-01-04 17:58:50.000000000 +0000 @@ -19,3 +19,7 @@ CVE-2022-37325.patch CVE-2022-42705.patch CVE-2022-42706.patch +CVE-2023-37457.patch +CVE-2023-49294.patch +CVE-2023-49786.patch +pjproject-2.13.1.patch Binary files /srv/release.debian.org/tmp/rWazhU01vg/asterisk-16.28.0~dfsg/debian/pjproject_2.12.1~dfsg.orig.tar.bz2 and /srv/release.debian.org/tmp/uxWnR_xOVo/asterisk-16.28.0~dfsg/debian/pjproject_2.12.1~dfsg.orig.tar.bz2 differ Binary files /srv/release.debian.org/tmp/rWazhU01vg/asterisk-16.28.0~dfsg/debian/pjproject_2.13.1~dfsg.orig.tar.bz2 and /srv/release.debian.org/tmp/uxWnR_xOVo/asterisk-16.28.0~dfsg/debian/pjproject_2.13.1~dfsg.orig.tar.bz2 differ diff -Nru asterisk-16.28.0~dfsg/debian/rules asterisk-16.28.0~dfsg/debian/rules --- asterisk-16.28.0~dfsg/debian/rules 2023-06-22 12:47:22.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/rules 2024-01-04 17:58:50.000000000 +0000 @@ -22,7 +22,7 @@ # PJPROJECT version, used to copy the repacked pjproject # tarball, see debian/README.source -PJVER = 2.12.1 +PJVER = 2.13.1 export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) diff -Nru asterisk-16.28.0~dfsg/debian/source/include-binaries asterisk-16.28.0~dfsg/debian/source/include-binaries --- asterisk-16.28.0~dfsg/debian/source/include-binaries 2023-06-22 12:47:22.000000000 +0000 +++ asterisk-16.28.0~dfsg/debian/source/include-binaries 2024-01-04 17:58:50.000000000 +0000 @@ -1 +1 @@ -debian/pjproject_2.12.1~dfsg.orig.tar.bz2 +debian/pjproject_2.13.1~dfsg.orig.tar.bz2