CVE-2023-40018: Release FreeSWITCH v1.10.10 Release · signalwire/freeswitch
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger an out-of-bounds write by offering an ICE candidate with an unknown component ID. When an SDP is offered with any ICE candidate that has an unknown component ID, FreeSWITCH makes an out-of-bounds write to its arrays. By abusing this vulnerability, an attacker can corrupt FreeSWITCH memory, leading to undefined behavior of the system or a crash. Version 1.10.10 contains a patch for this issue.
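The kind of check this bug class calls for, shown as an added example that is not FreeSWITCH's code: the component ID (second field of an `a=candidate` attribute) is validated before it is used as an array index. `store_candidate`, `struct ice_table` and `MAX_COMPONENTS` are hypothetical names, and the two-component layout (1 = RTP, 2 = RTCP) is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 2            /* assumption: 1 = RTP, 2 = RTCP */

struct ice_table {                  /* hypothetical per-component storage */
    char foundation[MAX_COMPONENTS][33];
    int  count[MAX_COMPONENTS];
};

/* Returns 0 if the candidate was stored, -1 if it was rejected. */
int store_candidate(struct ice_table *t, const char *attr)
{
    char foundation[33], component[16], sep1, sep2;
    unsigned long long id;

    /* Bounded widths; the component field accepts digits only, so "-1",
     * "1x" and strings of 16 or more digits all fail to parse. */
    if (sscanf(attr, "candidate:%32[^ ]%c%15[0-9]%c",
               foundation, &sep1, component, &sep2) != 4 ||
        sep1 != ' ' || sep2 != ' ')
        return -1;

    id = strtoull(component, NULL, 10);      /* <= 15 digits, cannot overflow */
    if (id < 1 || id > MAX_COMPONENTS)       /* unknown component ID */
        return -1;                           /* reject before any array access */

    strcpy(t->foundation[id - 1], foundation);   /* both buffers are 33 bytes */
    t->count[id - 1]++;
    return 0;
}

/* Constructed sample attributes (documentation addresses, RFC 5737).
 * 4294967297 would wrap to 1 if the field were truncated to 32 bits. */
static const char *samples[] = {
    "candidate:1 1 UDP 2130706431 192.0.2.10 50000 typ host",
    "candidate:1 2 UDP 2130706430 192.0.2.10 50001 typ host",
    "candidate:1 3 UDP 2130706429 192.0.2.10 50002 typ host",
    "candidate:1 0 UDP 2130706429 192.0.2.10 50002 typ host",
    "candidate:1 -1 UDP 2130706429 192.0.2.10 50002 typ host",
    "candidate:1 4294967297 UDP 2130706429 192.0.2.10 50002 typ host",
};

int main(void)
{
    struct ice_table t = {0};
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-6s %s\n", store_candidate(&t, samples[i]) ? "REJECT" : "store", samples[i]);
    return 0;
}
```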
This is a major release containing critical security fixes, adding Debian 12 Bookworm, OpenSSL 3 and FFmpeg5 support. As part of our continuing dedication to code quality, we have resolved static analysis bugs for MacOS in all of FreeSWITCH core and in most modules. We encourage all users to upgrade to v1.10.10 whenever possible.
Release Notes - FreeSWITCH - Version 1.10.10
Enhancement
- [Build-System] Add Debian 12 Bookworm support
- [Build-System] Update libks and signalwire-c requirements to 2.0
- [Build-System] Windows: Update OpenSSL to 1.1.1t, libpq to 10.23, curl to 7.88.0, rabbitmq-c to 0.13.0. Allow using build numbers and bump libks version requirement to 1.8.2_1 and signalwire-c to 1.3.2_1 compiled with openssl 1.1.1t
- [Core, mod_cidlookup, mod_curl, mod_httapi, mod_http_cache, mod_kazoo, mod_shout] Add new switch_curl_mime APIs replacing switch_curl_process_form_post_params() and make code be compatible with libcurl>=7.87.0
- [core, mod_opus] bring more fmtp params to core (offer/answer).
- [core, mod_opus] more elastic jitterbuffer with Opus codec
- [core,mod_av,unit-tests] Make transition to core packetizer
- [Core] Add new cause REJECT_ALL
- [Core] Add new switch_channel_get_variable_strdup() and switch_channel_get_variable_buf() APIs that avoid allocating channel variables in a session’s memory pool.
- [core] Add switch_core_media_get_engine() and switch_core_media_get_codec() functions
- [Core] OpenSSL 3 support
- [core] switch_ivr_originate set originate endpoint used
- [mod_amqp] Event subclass support
- [mod_av] Add FFmpeg 5.1.3 support on Windows.
- [mod_av] Migrate to FFmpeg 5.1
- [mod_conference] Add flag to destroy the conference only when all mandatory members disconnect. And set endconf to end the conference when any member with the flag disconnects
- [mod_rtmp] Add OpenSSL 3 support.
- [mod_shout] Enable module in Dockerfile example.
- [mod_shout] Replace deprecated meta functions with shout_set_meta()
- [mod_sofia] Ignore user agent for display update when channel variable update_ignore_ua is true
- [mod_sofia] Map SWITCH_CAUSE_REJECT_ALL cause to 603
- [mod_verto] Add context into msg event header
- Bump sofia-sip library requirement to version 1.13.15
- Create SECURITY.md
Bug
- [Build-System] Update commit hash of SpanDSP on Windows.
- [Configuration] Update freeswitch.xml
- [core, mod_cidlookup] Free memory allocated via strdup
- [Core, mod_mariadb, mod_ilbc] Fix build on gcc 12.
- [Core, mod_opus] Fixes.
- [core,libyuv,modules] Fix function declarations without a prototype
- [core,miniupnpc,modules] Fix not used variables
- [Core] check_ice: sanitize second field of the candidates. Add new switch_is_uint_in_range() API.
- [core] Coverity fixes
- [Core] Fix greedy_sort for codecs containing different fmtp
- [Core] Fix missing MEDIA_PARAMS in message_names.
- [Core] Fix missing mutex unlock in switch_ivr_dmachine_ping()
- [Core] Fix possible deadlock in switch_core_media_set_codec()
- [Core] Fix race condition of session_table hash in switch_core_session_request_uuid()
- [Core] Fix switch_console.c for Galera Mariadb cluster
- [Core] Fix switch_core_sqldb_destroy() function declaration.
- [Core] ICE: fix wrong buffer size being passed and uninitialized buffer
- [core] Opus RTP timestamp: adding an exception on RTP session creation.
- [Core] Remove unused count variable from switch_core_session_execute_exten()
- [Core] Sanitize match count during negotiation
- [Core] switch_curl_process_mime(): fix build on older systems.
- [core] Use auto DH params with openssl3
- [Documentation] Fix typo in README.md
- [mod_amqp] Coverity CID 1468426 (Resource leak)
- [mod_amr] coverity CID 1395603 (Unsigned compared against 0)
- [mod_av] Coverity CID 1500320 (Resource leak)
- [mod_avmd] coverity CID 1395555 (Dereference before null check)
- [mod_avmd] Coverity fixes
- [mod_callcenter] Fix stale agents and UUID broadcasts
- [mod_commands] add completions for fsctl api_expansion and sync_clock_when_idle
- [mod_commands] Fix and improve coalesce function
- [mod_commands] Fix leaking session readlock in uuid_capture_text
- [mod_conference] handle personal canvas with vmuted member
- [mod_dialplan_asterisk] Coverity CID 1214207 (Resource leak)
- [mod_dptools] coverity CID 1468646 (Unsigned compared against 0)
- [mod_enum] Fix use-after-free if creating resolver from file failed
- [mod_erlang_event] coverity CID 1500239 (Uninitialized scalar variable)
- [mod_event_multicast] Coverity CID 1468504 (Resource leak)
- [mod_event_multicast] Few fixes
- [mod_imagick] Coverity CID 1500258 (Resource leak)
- [mod_java] Coverity CID 1320752 (Resource leak)
- [mod_java] Coverity CID 1320753 (Resource leak)
- [mod_kazoo] Coverity fixes
- [mod_ladspa] Added activate/deactivate support.
- [mod_logfile] add logfile open error log and fixes a missing \n
- [mod_mariadb] Fix “DeadLock. The retries are over.” message.
- [mod_opus] coverity CID 1320733 (Result is not floating-point)
- [mod_opus] Fix buf scope in switch_opus_decode().
- [mod_opus] fix configuration glitches (switch_true() instead of atoi()).
- [mod_opus] fix samples_per_packet for 8khz, 16khz, 24khz.
- [mod_opus] show uuid in ERROR/DEBUG logs.
- [mod_opusfile] coverity CID 1468424 (Missing break in switch)
- [mod_opusfile] Fix missing rdlock unlock in switch_opusfile_open()
- [mod_pgsql] Coverity CID 1468401 (Resource leak)
- [mod_png] Fix unexpected png video blocked read
- [mod_portaudio] coverity CID 1024263 (Dereference before null check)
- [mod_python3] Fix build on Python 3.10+
- [mod_radius_cdr] Coverity CID 1395529 (Resource leak)
- [mod_rayo] Coverity CID 1395579 (Resource leak)
- [mod_say_en] change epoch to 64 bit int
- [mod_signalwire] Make this module work with libks and signalwire-c in versions 2.0
- [mod_skinny] Fix build on Debian 12: error: array subscript 'skinny_message_t {aka struct skinny_message}[0]' is partly outside array bounds
- [mod_sofia] coverity CID 1468496 (Unchecked return value)
- [mod_sofia] Coverity fixes
- [mod_sofia] fix sofia_glue_get_extra_headers memory leak
- [mod_sofia] Randomize OPTIONS Ping interval
- [mod_sofia] Remove non-implemented verbose feature
- [mod_spandsp] Coverity CID 1024263 (Dereference before null check)
- [mod_translate] Coverity CID 1301006 (Resource leak)
- [mod_v8] Coverity CID 1468570 (Resource leak)
- [mod_verto] Coverity CID 1320754 (Resource leak)
- [mod_verto] Coverity fixes
- [mod_verto] Fix function declarations without a prototype
- [mod_verto] Include libks/ks.h instead of ks.h
- [mod_xml_curl] Coverity CID 1468413 (Resource leak)
- [mod_xml_rpc] Coverity CID 1294469 (Resource leak)
- [mod_xml_scgi] Coverity CID 1468595 (Resource leak)
- [Unit-tests] Fix possible overflows and an undefined variable in the test framework.
- [xmlrpc-c] Fix MacOS build
Installation guides
https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Release-Notes/FreeSWITCH-1.10.x-Release-notes_25460878/