Hi,
GNU Gatekeeper version 4.7 has just been released.
This version is purely a security update and has no new features. All
users are encouraged to update; if you use port detection
(IgnoreSignaledIPs=1), you should update ASAP.
It has been discovered that GnuGk is vulnerable to RTP Bleed attacks
(https://rtpbleed.com/) in some configurations. After updating to version
4.7, only the first packets in each media stream influence the media
destination.
To further secure your configuration, you can set:
[Proxy]
RestrictRTPSources=Net
to only accept RTP from the same class C network that the call
signaling came from. Please beware that this may break a few valid calls
where this condition isn't met.
You can download the new version from
https://www.gnugk.org/h323download.html
Please see the full change log below.
Changes from 4.6 to 4.7
=======================
- fixes for RTP Bleed
- new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP
from the call signal IPs or the respective class C network
- new switch [Proxy] LegacyPortDetection=1 to keep port detection help
for some very old and broken endpoints that will make your gatekeeper
vulnerable to RTP Bleed attacks
- BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using
RedirectCallsToGkIP
- BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs
- new command line option: now you can use -S instead of --strict (needed
on BSD systems)
--
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan(a)willamowius.de
Website: https://www.gnugk.org
Support: https://www.willamowius.com/gnugk-support.html
Relaxed Communications GmbH
Frahmredder 91
22393 Hamburg
Managing Director: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
VAT ID: DE286003584
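
An added example (not code from the GnuGk project or from this announcement): a small audit of a GnuGk ini file for the switches named in the 4.7 announcement above, plus a model of what RestrictRTPSources=IP and Net accept. The function names, finding codes and sample addresses are made up for illustration; placing IgnoreSignaledIPs under [Proxy] in the sample is an assumption, and the Net check assumes IPv4 with "class C" read as a /24.

```python
import configparser
import ipaddress

# Constructed sample; placing IgnoreSignaledIPs under [Proxy] is an assumption.
SAMPLE_INI = """\
[Proxy]
IgnoreSignaledIPs=1
LegacyPortDetection=1
"""

def audit_rtp_switches(ini_text):
    """Return finding codes (hypothetical names) for the RTP Bleed switches."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None,
                                    allow_no_value=True, delimiters=("=",))
    cfg.optionxform = str  # keep switch names exactly as written
    cfg.read_string(ini_text)
    findings = []
    # Port detection is the configuration the announcement singles out.
    if any((cfg.get(s, "IgnoreSignaledIPs", fallback=None) or "").strip() == "1"
           for s in cfg.sections()):
        findings.append("PORT_DETECTION_ON_NEEDS_4_7")
    proxy = cfg["Proxy"] if cfg.has_section("Proxy") else {}
    # Per the change log, this switch keeps the gatekeeper vulnerable.
    if (proxy.get("LegacyPortDetection") or "").strip() == "1":
        findings.append("LEGACY_PORT_DETECTION_VULNERABLE")
    restrict = (proxy.get("RestrictRTPSources") or "").strip()
    if not restrict:
        findings.append("RESTRICT_RTP_SOURCES_UNSET")
    elif restrict not in ("IP", "Net"):
        findings.append("RESTRICT_RTP_SOURCES_UNKNOWN_VALUE")
    return findings

def rtp_source_allowed(mode, signal_ip, rtp_src_ip):
    """Model of the restriction: IP = same address, Net = same /24 (IPv4)."""
    sig = ipaddress.ip_address(signal_ip)
    src = ipaddress.ip_address(rtp_src_ip)
    if mode == "IP":
        return sig == src
    if mode == "Net":
        return src in ipaddress.ip_network(f"{sig}/24", strict=False)
    return True  # no restriction configured

if __name__ == "__main__":
    print(audit_rtp_switches(SAMPLE_INI))
    # Media arriving from a different /24 than the signaling is rejected with Net.
    print(rtp_source_allowed("Net", "192.0.2.10", "198.51.100.7"))
```

The second function shows the case the announcement warns about: a valid call whose media comes from a different network than its signaling is rejected under Net.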
Hi,
I'm happy to announce that GNU Gatekeeper version 4.6 has just been
released.
This version has a few new features as well as bug fixes.
New features:
- least used routing: distribute calls evenly between gateways or MCUs
(new switch [RasSrv::ARQFeatures] LeastUsedRouting=1)
- ability to log to the Unix syslog instead of the trace file
(new switch [LogFile] TraceToSyslog=1)
- new authentication module TwoAliasAuth
this is not very safe, but you can use it with endpoints that do not
support any password transmission
- new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth
for the calls generated by the GnuGk status port API
- status port command: UnregisterEP <ep-id>
- a number of switches to fine tune TCP keepalives
- new switch to remove load balancers from the call path
([RoutedMode] RedirectCallsToGkIP=1)
Bug fixes:
- fixed TCP keepalive for H.460 calls
- fixes to port detection for unregistered calls
- audio fix when GnuGk adds encryption to calls
- many smaller fixes
You can download the new version from
https://www.gnugk.org/h323download.html
Please see the full change log below.
Changes from 4.5 to 4.6
=======================
- new switch: [RoutedMode] RedirectCallsToGkIP=1
- new switches: [RoutedMode] H460KeepAliveMethodH225=, H460KeepAliveMethodH245=,
GnuGkTcpKeepAliveMethodH225=, GnuGkTcpKeepAliveMethodH245=
- BUGFIX(ProxyChannel.cxx) TCP keep-alives for H.460.18 calls weren't always
enabled correctly
- don't open a status port listener if [Gatekeeper::Main] StatusPort=0
- BUGFIX(Toolkit.cxx) remove trailing chars before checking for DefaultDomain
- add callID to H.245 trace messages for easier debugging
- BUGFIX(ProxyChannel.cxx) forward ReleaseComplete from remaining party while
doing call reroute
- BUGFIX(ProxyChannel.cxx) drop un-en/decryptable RTP packets at end of call
when adding encryption
- new status port command: UnregisterEP <ep-id>
- BUGFIX(RasSrv.cxx) remove IPv6 addresses before processing RRQs when IPv6 is not enabled
- send Facility message as non-H.460.18 keep-alive for H.225
- send non-standard H.245 userIndication as non-H.460.18 keep-alive for H.245
- new switch [RoutedMode] DisableGnuGkH245TcpKeepAlive=1
- new switch [LogFile] TraceToSyslog=1 to send trace output to syslog (Unix only)
- BUGFIX(ProxyChannel.cxx) fix port detection for re-opened channels with IgnoreSignaledIPs=1
- new switch [CTI::MakeCall] Bandwidth= to set the maximum bandwidth for the call
- new switch [RasSrv::ARQFeatures] LeastUsedRouting=1 to select the least used gateway
- new authentication module TwoAliasAuth
--
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan(a)willamowius.de
Website: https://www.gnugk.org
Support: https://www.willamowius.com/gnugk-support.html
Hi,
I have just released H323Plus 1.26.8. This version contains a number of
bug fixes that were only available through the CVS until now.
https://www.h323plus.org/source/
I'm also taking over the maintenance of the h323plus.org website.
If you run into any issues, please email me.
Regards,
Jan
--
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan(a)willamowius.de
Website: https://www.gnugk.org
Support: https://www.willamowius.com/gnugk-support.html