[h323plus] GNU Gatekeeper 4.7 has been released (security update)

Jan Willamowius jan at willamowius.de
Thu Sep 21 04:54:41 EDT 2017


Hi,

GNU Gatekeeper version 4.7 has just been released.

This version is purely a security update and has no new features. All
users are encouraged to update, especially if you use port detection
(IgnoreSignaledIPs=1) you should update ASAP.

It has been discovered that GnuGk is vulnerable in some configurations
for RTP bleed attacks (https://rtpbleed.com/). By updating to version
4.7 only the first packets in each media stream influence the media
destination.

To further secure your configuration, you can set

[Proxy]
RestrictRTPSources=Net

to only accept RTP from the same class C network that the call
signaling came from. Please beware that this may break a few valid calls
where this condition isn't met.

You can download the new version from
https://www.gnugk.org/h323download.html


Please see the full change log below.

Changes from 4.6 to 4.7
=======================
- fixes for RTP Bleed
- new switch [Proxy] RestrictRTPSources=IP or Net to limit accepting RTP
  from the call signal IPs or the respective class C network
- new switch [Proxy] LegacyPortDetection=1 to keep port detection help
  for some very old and broken endpoints that will make your gatekeeper
  vulnerable to RTP Bleed attacks
- BUGFIX(ProxyChannel.cxx) replace @ip or ip## from aliases when using
  RedirectCallsToGkIP
- BUGFIX(ProxyChannel.cxx) better initialization of sendmsg() structs
- new command line option: now you can use -S instead of --strict (needed
  on BSD systems)

-- 
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail  : jan at willamowius.de
Website: https://www.gnugk.org
Support: https://www.willamowius.com/gnugk-support.html

Relaxed Communications GmbH
Frahmredder 91
22393 Hamburg
Geschäftsführer: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
USt-IdNr: DE286003584



More information about the h323plus mailing list