[Spce-user] Security Announcement related to kamailio

Hohl Matthias matthias.hohl at telematica.at
Mon Mar 19 12:21:01 EDT 2018



one short question, cause i can’t find the latest information about this in the handbook:


an Hotfix patch update within a version number (5.5.2.x to 5.5.2.y) is done with that:


# apt-get update && apt-get upgrade && ngcp-update-db-schema && ngcp-update-cfg-schema && ngcpcfg apply 'Hotfix Update'


For major (5.5.2 to 5.6.1) and minor release updating (5.5.2 to 5.5.3) it is done like descripted in the handbook, right?



or is this for the minor release upgrade not needed?





Von: Spce-user <spce-user-bounces at lists.sipwise.com> Im Auftrag von Daniel Grotti
Gesendet: Montag, 19. März 2018 13:17
An: Spce-user <spce-user at lists.sipwise.com>
Cc: spce-dev at lists.sipwise.com
Betreff: [Spce-user] Security Announcement related to kamailio


Dear SPCE users,
we would like to highlight that the last stable versions of kamailio (for the latest 3 release series: 4.4, 5.0 and 5.1) include fixes for two issues that can crash a running instance of Kamailio, therefore it is strongly
recommended to upgrade the kamailio packages on your C5 systems.

A detailed description of the security issue is reported here: CVE link not yet assigned.
The fix does not include any functional changes, so the call functionality and features will remain intact.

1. SPCE releases affected
The following list shows you which SPCE supported releases are affected:

mr3.8.x  -> fixed in mr3.8.12 with package version mr3.8.12.2
mr4.5.1  -> fixed with package version mr4.5.1.2
mr4.5.2  -> fixed with package version mr4.5.2.4
mr4.5.3  -> fixed with package version mr4.5.3.3
mr4.5.4  -> fixed with package version mr4.5.4.6
mr4.5.5  -> fixed with package version mr4.5.5.2
mr4.5.6  -> fixed with package version mr4.5.6.2
mr4.5.7  -> fixed with package version mr4.5.7.2
mr5.5.1  -> fixed with package version mr5.5.1.2
mr5.5.2  -> fixed with package version mr5.5.2.2
mr5.5.3  -> fixed with package version mr5.5.3.2
mr6.0.1  -> fixed with package version mr6.0.1.2
mr6.0.2  -> fixed with package version mr6.0.2.2
mr6.1.1  -> fixed with package version mr6.1.1.2

Releases older than mr3.8 are *NOT* supported anymore and will not be hotfixed.

2. How to apply the security fix
Here you find the steps how install the security fix, depending on your current release.

2.1 SPCE release older than mr3.8.12
If you are running a release mr3.8.x, with x less than 12, then you should upgrade to mr3.8.12 in order to get the security fix.
You can follow the usual upgrade procedure described in the handbook:

  [1] SPCE: https://www.sipwise.com/doc/mr3.8.12/spce/ar01s03.html#_upgrade_from_previous_release

Even though the issue affecting mr3.8.x is not so critical, we recommend to upgrade in any case to mr3.8.12.

2.2 SPCE release greater or equal to mr4.5.1
In this case the fix is provided as a hotfix, within your current release.
In order to install the fix you should upgrade your packages to the latest hotfixes.

Best Regards,

Daniel Grotti
Head of Customer Support
Sipwise GmbH, Campus 21/Europaring F15
AT-2345 Brunn am Gebirge
Office: +43(0)130120332
Email: dgrotti at sipwise.com <mailto:dgrotti at sipwise.com> 
Website: https://www.sipwise.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20180319/58a8e35f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5532 bytes
Desc: not available
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20180319/58a8e35f/attachment-0001.p7s>

More information about the Spce-user mailing list