It's one of those unfortunate weeks when everything gets put on hold in order to patch a denial of service security problem with Asterisk®. All versions are apparently affected. We obviously can't provide step-by-step instructions for each and every version of Asterisk@Home and TrixBox. But we have thousands of loyal readers that depend upon TrixBox 1.2.3 systems in a production environment. So today's column is for these folks. Our special thanks to Bubba for lending a technical hand as well. We've tested this pretty carefully on Nerd Vittles editions of TrixBox 1.2.3.
Update: For the latest information, please read our Primer on Asterisk Security.
If you're running a different system, you'll have to read between the lines and do the best you can. It reportedly works fine to upgrade Trixbox 2.x systems as well. If you really get stumped, post your questions on the TrixBox forums and someone will come to your rescue. Make a backup of your system before you begin. For an excellent free backup solution, visit Thomas King's site for Backup 2 and follow the instructions.
The Asterisk Security Problem. The issue involves a hole which allows an improperly formatted SIP packet to crash your server. For more details, go here. In the scheme of things, security problems don't get much worse than this one. All Asterisk servers accept SIP INVITE packets so all Asterisk servers can be crashed from any remote location. New versions of both Asterisk and Zaptel are now available, and today we'll show you how to apply the upgrade to Nerd Vittles TrixBox 1.2.3 systems.
Getting the Latest Kernel Source for TrixBox. TrixBox systems don't ship with kernel source code so we have to begin there before we have the necessary pieces in place to compile the new version of Asterisk and Zaptel. Log into your Asterisk server as root and issue the following command:
Addressing the RedHat Bug. Every time there is an update using the Asterisk kernel, module support needs to be rebuilt using the new kernel. Unfortunately, a RedHat bug (inherited by CentOS) causes the rebuilding process to fail. Here's the fix. Log into your new server as root and issue the following commands to determine which new kernel source was loaded on your system:
You should see an entry that looks something like this: 2.6.9-34.0.2.EL-something. Depending upon the processor in your system, the something may be different than our machine. Write down the name of the new kernel directory and substitute it below for 2.6.9-34.0.2.EL-i686. Now issue these commands:
mv spinlock.h spinlock.h.old
shutdown -r now
Fixing a Source Code Wrinkle. At least one of the existing (older) source modules in the TrixBox 1.2.3 build will cause Asterisk to fail to restart after updating Asterisk. The simple fix below solved it for us. Your mileage may vary. If you have problems, look at the tail of the Asterisk error log (tail /var/log/asterisk/full) and then find the offending source module in the directory shown below. Rename the module and try the compiles again. Here's the error we received (app_speech_utils.so: Asterisk died with code 1.) and what solved it for us without breaking anything (actually it apparently does break Lumenvox; see Comment #7 below for how to fix it):
mv app_speech_utils.so app_speech_utils.so.old
Installing Asterisk 1.2.16 and Zaptel 1.2.15. Now we're ready to install the Asterisk and Zaptel updates. While still logged in as root, execute the following commands in order:
tar -zxvf zaptel-1.2.15.tar.gz
tar -zxvf libpri-1.2.4.tar.gz
tar -zxvf asterisk-1.2.16.tar.gz
tar -zxvf asterisk-addons-1.2.5.tar.gz
shutdown -r now
Now rebuild support for your ZAP devices or ztdummy if you have no ZAP devices. Log in as root again and type the following command: rebuild_zaptel. Then reboot your system: shutdown -r now. Now log in as root again. If you have zaptel devices, type modprobe wcfxo. Whether you have zaptel devices or not, type amportal stop and then genzaptelconf. Reboot your system again, and you should be back in business with a rock solid Asterisk system. Be sure to read the comments below, especially Comment #5. There was a slight glitch with Music on Hold, but we've found the fix for that as well. Enjoy!
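Once the box is back up, it is worth confirming that the running binary really is the fixed release. The script below is an added example, not part of the original column: it parses the output of asterisk -V and compares it numerically against 1.2.16, the version installed above. The function names are our own, the sample strings in the comments are constructed, and anything outside the 1.2 branch is reported as UNKNOWN because this article only covers that branch.

```shell
#!/bin/sh
# Added example (not from the original article): post-upgrade patch-level check.
FIXED_ASTERISK="1.2.16"   # fixed 1.2-branch release named in this article

# version_ge A B: succeed when dotted version A >= B, comparing field by field
# as numbers (a plain string compare would wrongly rank 1.2.9 above 1.2.16).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fa=${fa:-0}
        fb=${b%%.*}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# extract_version "Asterisk 1.2.16" -> 1.2.16
# Fails (status 1) on strings with no numeric release, e.g. SVN builds.
extract_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^Asterisk \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# check_patched "<output of asterisk -V>"
# Prints PATCHED, VULNERABLE or UNKNOWN; exit status 0, 1 or 2 respectively.
check_patched() {
    v=$(extract_version "$1") || { echo "UNKNOWN"; return 2; }
    case $v in
        1.2.*) ;;                              # branch covered by this article
        *) echo "UNKNOWN $v"; return 2 ;;      # other branches: check their own advisory
    esac
    if version_ge "$v" "$FIXED_ASTERISK"; then
        echo "PATCHED $v"; return 0
    fi
    echo "VULNERABLE $v"; return 1
}

# On a live server, check the installed binary; skipped where asterisk is absent.
if command -v asterisk >/dev/null 2>&1; then
    check_patched "$(asterisk -V)" || true
fi
```

If it prints VULNERABLE after the upgrade, the old binary is still the one on the path, so recheck the compile and install steps before putting the server back into production.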