[Home]

Summary:ASTERISK-29980: build: External binary modules don't use https
Reporter:INVADE International Ltd. (invade)Labels:security
Date Opened:2022-03-22 08:51:06Date Closed:2022-03-23 18:05:52
Priority:MinorRegression?
Status:Closed/CompleteComponents:Codecs/codec_opus Core/BuildSystem
Versions:19.2.1 Frequency of
Occurrence
Related
Issues:
Environment:Attachments:
Description:If we include the OPUS codec as part of an installation, it is sourced as follows:
codec_opus: Downloading http://downloads.digium.com/pub/telephony/codec_opus/asterisk-19.0/x86-64/codec_opus-19.0_1.3.0-x86_64.tar.gz to /tmp/tmp.MzytcugTdk/codec_opus-19.0_1.3.0-x86_64.tar.gz

As there is a valid SSL certificate for downloads.digium.com, should this not use https instead?

I can see references to other http URLs in the source, so this may apply to other components.

This was only noticed as a problem where this installation was at a site that does not allow access to public http sites. Manually changing the "remote_url" value in build_tools/download_externals resolved the problem.
Comments:By: Asterisk Team (asteriskteam) 2022-03-22 08:51:07.888-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.
By: Asterisk Team (asteriskteam) 2022-03-22 08:51:07.944-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].
By: Friendly Automation (friendly-automation) 2022-03-23 18:05:52.672-0500

Change 18249 merged by Kevin Harwell:
download_externals: Use HTTPS for downloads

[https://gerrit.asterisk.org/c/asterisk/+/18249|https://gerrit.asterisk.org/c/asterisk/+/18249]
By: Friendly Automation (friendly-automation) 2022-03-23 18:06:10.059-0500

Change 18236 merged by Kevin Harwell:
download_externals: Use HTTPS for downloads

[https://gerrit.asterisk.org/c/asterisk/+/18236|https://gerrit.asterisk.org/c/asterisk/+/18236]
By: Friendly Automation (friendly-automation) 2022-03-23 18:06:27.700-0500

Change 18237 merged by Kevin Harwell:
download_externals: Use HTTPS for downloads

[https://gerrit.asterisk.org/c/asterisk/+/18237|https://gerrit.asterisk.org/c/asterisk/+/18237]
By: Friendly Automation (friendly-automation) 2022-03-23 18:06:39.520-0500

Change 18238 merged by Kevin Harwell:
download_externals: Use HTTPS for downloads

[https://gerrit.asterisk.org/c/asterisk/+/18238|https://gerrit.asterisk.org/c/asterisk/+/18238]