Here we go again to patch another denial of service problem and some SIP vulnerabilities with Asterisk®. All versions are apparently affected. We obviously can't provide step-by-step instructions for each and every version of Asterisk@Home and TrixBox. But we have thousands of loyal readers that depend upon TrixBox 1.2.3 systems in a production environment. So today's column is for these folks. Our special thanks to Bubba for lending a technical hand as well. We've tested this pretty carefully on Nerd Vittles editions of TrixBox 1.2.3. That includes PBX-in-a-Flash implementations on Linux systems as well as Nerd Vittles VMware builds of TrixBox 1.2.3 which run on Windows and Mac desktop systems. If you're running a different system, you'll have to read between the lines and do the best you can. It reportedly works fine to upgrade Trixbox 2.x systems as well. If you really get stumped, post your questions on the TrixBox forums and someone will come to your rescue. Make a backup of your system before you begin. For an excellent free backup solution, visit Thomas King's site for Backup 2 and follow the instructions.
The Asterisk Security Problem. Today's issues are well documented on the asterisk-announce mailing list. You can read the archive here. Incidentally, for those that didn't know it, we've provided a convenient link to all of the Asterisk mailing list archives in the right column. Just click on Asterisk ListServ. New versions of both Asterisk and Zaptel are now available, and today we'll show you how to apply the upgrade to Nerd Vittles TrixBox 1.2.3 systems.
Getting the Latest Kernel Source for TrixBox. TrixBox systems don't ship with kernel source code so we have to begin there before we have the necessary pieces in place to compile the new version of Asterisk and Zaptel. Log into your Asterisk server as root and issue the following command:
Addressing the RedHat Bug. Every time there is an update using the Asterisk kernel, module support needs to be rebuilt using the new kernel. Unfortunately, a RedHat bug (inherited by CentOS) causes the rebuilding process to fail. Here's the fix. Log into your new server as root and issue the following commands to determine which new kernel source was loaded on your system:
You should see an entry that looks something like this: 2.6.9-34.0.2.EL-something. Depending upon the processor in your system, the something may be different than our machine. Write down the name of the new kernel directory and substitute it below for 2.6.9-34.0.2.EL-i686. Now issue these commands:
mv spinlock.h spinlock.h.old
shutdown -r now
Fixing Some Source Code Wrinkles. At least one of the existing (older) source modules in the TrixBox 1.2.3 build will cause Asterisk to fail to restart after updating Asterisk. The simple fix below solved it for us. Your mileage may vary. If you have problems, look at the tail of the Asterisk error log (tail /var/log/asterisk/full) and then find the offending source module in the directory shown below. Rename the module and try the compiles again. Here's the error we received (app_speech_utils.so: Asterisk died with code 1.) and what solved it for us without breaking anything (actually it apparently does break Lumenvox; review Comment #7 in our previous security column for how to fix it):
mv app_speech_utils.so app_speech_utils.so.old
It also has been reported that some versions of TrixBox may no longer function without adding the openssl-devel module. Thanks to David Josephson for the heads up.
yum install openssl-devel
Installing Asterisk 1.2.18 and Zaptel 1.2.17 and AddOns 1.2.6. Now we're ready to install the updates. While still logged in as root, execute the following commands in order:
tar -zxvf zaptel-220.127.116.11.tar.gz
tar -zxvf libpri-1.2.4.tar.gz
tar -zxvf asterisk-1.2.18.tar.gz
tar -zxvf asterisk-addons-1.2.6.tar.gz
shutdown -r now
Now rebuild support for your ZAP devices or ztdummy if you have no ZAP devices. Log in as root again and type the following command: rebuild_zaptel. Then reboot your system: shutdown -r now. Now log in as root again. If you have zaptel devices, type modprobe wcfxo. Whether you have zaptel devices or not, type amportal stop and then genzaptelconf. Reboot your system again, and you should be back in business.
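Once the system is back up, it is worth confirming that the binary actually running is the patched release and not a leftover older build. The script below is an added example, not part of the original column: it compares the version reported by asterisk -V against the 1.2.18 release named above. The function names are hypothetical, and the banner format ("Asterisk" followed by a dotted version) is an assumption about your build.

```shell
#!/bin/sh
# Added example: confirm the installed Asterisk is at or above the patched release.
MIN_ASTERISK="1.2.18"   # patched version named in this article

# version_ge A B: succeed if dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Drop any non-numeric suffix; a missing field counts as 0.
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# parse_version BANNER: print the dotted version from an "Asterisk x.y.z" banner
# (assumed format); prints nothing if the banner does not match.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Asterisk \([0-9][0-9.]*\).*/\1/p'
}

# check_asterisk [BANNER]: uses `asterisk -V` when no banner is supplied.
check_asterisk() {
    banner=${1:-$(asterisk -V 2>/dev/null)}
    ver=$(parse_version "$banner")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"; return 2
    fi
    if version_ge "$ver" "$MIN_ASTERISK"; then
        echo "OK $ver"
    else
        echo "NEEDS-UPGRADE $ver"; return 1
    fi
}

# Constructed sample banner for illustration; on the server run: check_asterisk
check_asterisk "Asterisk 1.2.13" || true
```

A result of UNKNOWN means the banner did not match the assumed format, so check the version by hand in that case.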
freePBX Cleanup. For some reason, these security updates cause some minor problems with the freePBX configuration. Some users report that Music on Hold stops functioning while others have indicated that the introductory prompt for voice mail stops functioning. Both fixes are simple. Here's how.
For the Music on Hold problem, open freePBX with your web browser. Click MusicOnHold, then click Default under the Add Music Category listing. Now click the Enable Random Play button, and click the Red Bar to reload Asterisk.
For the introductory voice prompt with voice mail, click General Settings. The fifth option on the page is Direct Dial to VoiceMail Message Type. Change the setting from Default to Unavailable. Save your change and click the Red Bar to reload Asterisk. You should have smooth sailing after these tweaks. Enjoy!
Securing AsteriDex. If you have a preconfigured TrixBox system that includes our very own AsteriDex, you'll need to download and install this simple patch to resolve a security vulnerability that was discovered. Log into your Asterisk server as root and issue the following commands:
rm -f callboth.php
rm -f callboth.zip
chown asterisk:asterisk callboth.php
chmod 775 callboth.php