[OpenSIPS-Users] [OpenSIPS Security Alerts] [FIX] [Severity High] Dropping TCP connections to nated UACs

Bogdan-Andrei Iancu bogdan at opensips.org
Wed Aug 15 12:59:44 CEST 2012


This message was generated by the Security Alerts service ( Free Trial 14th of August - 14th of September )
http://www.opensips.org/Resources/AlertsMain
*SVN commit*:
http://opensips.svn.sourceforge.net/opensips/?rev=9166

*Severity*: High

*Version*  : all

*Affected modules*  : Core (TCP layer)

*Effect*  : TCP connections behind NAT are dropped

*Affected scenarios*: Having registrations via TCP (or TLS) from behind NAT. Due to a broken update of the TCP connection
lifetime, TCP connections from NATed users are dropped by OpenSIPS before the registration expires.

*Description:*  Connections originated from behind NAT, during a REGISTER event, will not be kept up by OpenSIPS
for the entire duration of the registration. For example, if the REGISTER has a 60-minute lifetime, the TCP connection
(used to reach back the UAC) will be terminated by OpenSIPS before those 60 minutes, so the UAC will become unreachable
(it will not be able to receive new calls, as it is impossible to open a new TCP connection to a UAC behind a NAT).

*Risks*  : UACs behind NAT and using TCP will not be reachable during the entire duration of the registration.

*Update*  :
- if you have an SVN checkout, 1.7, 1.8 and trunk were fixed; so
update to a revision later than 9166 (trunk), 9168 (1.8 branch) or
9167 (1.7 branch);
- if you have OpenSIPS from sources, see the attached patch;
- if using tarballs, they were already regenerated (and include the fix). Available only for 1.8;
- if using the official Debian packages (apt.opensips.org), they were also
regenerated including the fix (available for 1.8 and trunk).



-- 
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcp_timeout-9166.patch
Type: text/x-patch
Size: 1657 bytes
Desc: not available
URL: <http://lists.opensips.org/pipermail/users/attachments/20120815/e07579f6/attachment.bin>