Update for 21.7.0-rc2

diff --git a/.version b/.version
index 395c3eee959978010511d1179d7e4ec8ffa9016c..794b170ce2e08e1289e5ac506035b327cac4dadd 100644 (file)
--- a/.version
+++ b/.version
@@ -1 +1 @@
-21.7.0-rc1
+21.7.0-rc2

diff --git a/CHANGES.md b/CHANGES.md
index 799c8ab3bc1e73390a087e5ead14e4d223ca154c..0f9422fa940a5a3091af27851c5d6db3ed93e509 120000 (symlink)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1 +1 @@
-ChangeLogs/ChangeLog-21.7.0-rc1.md
\ No newline at end of file
+ChangeLogs/ChangeLog-21.7.0-rc2.md
\ No newline at end of file

diff --git a/ChangeLogs/ChangeLog-21.7.0-rc2.md b/ChangeLogs/ChangeLog-21.7.0-rc2.md
new file mode 100644 (file)
index 0000000..c845c89
--- /dev/null
+++ b/ChangeLogs/ChangeLog-21.7.0-rc2.md
@@ -0,0 +1,123 @@
+
+## Change Log for Release asterisk-21.7.0-rc2
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.7.0-rc2.md)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.7.0-rc1...21.7.0-rc2)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.7.0-rc2.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 3
+- Commit Authors: 1
+- Issues Resolved: 2
+- Security Advisories Resolved: 0
+
+### User Notes:
+
+
+### Upgrade Notes:
+
+- #### alembic: Database updates required.                                             
+  Two commits in this release...
+  'Add SHA-256 and SHA-512-256 as authentication digest algorithms'
+  'res_pjsip: Add new AOR option "qualify_2xx_only"'
+  ...have modified alembic scripts for the following database tables: ps_aors,
+  ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update
+  your database, reads from those tables will succeeed but inserts into the
+  ps_contacts table by res_pjsip_registrar will fail.
+
+
+### Commit Authors:
+
+- George Joseph: (3)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - 1095: [bug]: res_pjsip missing "Failed to authenticate" log entry for unknown endpoint
+  - 1097: [bug]: res_pjsip/pjsip_options. ODBC: Unknown column 'qualify_2xx_only'
+
+### Commits By Author:
+
+- #### George Joseph (3):
+  - res_pjsip: Fix startup/reload memory leak in config_auth.
+  - alembic: Database updates required.
+  - res_pjsip_authenticator_digest: Make correct error messages appear again.
+
+
+### Commit List:
+
+-  res_pjsip_authenticator_digest: Make correct error messages appear again.
+-  alembic: Database updates required.
+-  res_pjsip: Fix startup/reload memory leak in config_auth.
+
+### Commit Details:
+
+#### res_pjsip_authenticator_digest: Make correct error messages appear again.
+  Author: George Joseph
+  Date:   2025-01-28
+
+  When an incoming request can't be matched to an endpoint, the "artificial"
+  auth object is used to create a challenge to return in a 401 response and we
+  emit a "No matching endpoint found" log message. If the client then responds
+  with an Authorization header but the request still can't be matched to an
+  endpoint, the verification will fail and, as before, we'll create a challenge
+  to return in a 401 response and we emit a "No matching endpoint found" log
+  message.  HOWEVER, because there WAS an Authorization header and it failed
+  verification, we should have also been emitting a "Failed to authenticate"
+  log message but weren't because there was a check that short-circuited that
+  it if the artificial auth was used.  Since many admins use the "Failed to
+  authenticate" message with log parsers like fail2ban, those attempts were not
+  being recognized as suspicious.
+
+  Changes:
+
+  * digest_check_auth() now always emits the "Failed to authenticate" log
+    message if verification of an Authorization header failed even if the
+    artificial auth was used.
+
+  * The verification logic was refactored to be clearer about the handling
+    of the return codes from verify().
+
+  * Comments were added clarify what return codes digest_check_auth() should
+    return to the distributor and the implications of changing them.
+
+  Resolves: #1095
+
+#### alembic: Database updates required.
+  Author: George Joseph
+  Date:   2025-01-28
+
+  This commit doesn't actually change anything.  It just adds the following
+  upgrade notes that were omitted from the original commits.
+
+  Resolves: #1097
+
+  UpgradeNote: Two commits in this release...
+  'Add SHA-256 and SHA-512-256 as authentication digest algorithms'
+  'res_pjsip: Add new AOR option "qualify_2xx_only"'
+  ...have modified alembic scripts for the following database tables: ps_aors,
+  ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update
+  your database, reads from those tables will succeeed but inserts into the
+  ps_contacts table by res_pjsip_registrar will fail.
+
+#### res_pjsip: Fix startup/reload memory leak in config_auth.
+  Author: George Joseph
+  Date:   2025-01-23
+
+  An issue in config_auth.c:ast_sip_auth_digest_algorithms_vector_init() was
+  causing double allocations for the two supported_algorithms vectors to the
+  tune of 915 bytes.  The leak only happens on startup and when a reload is done
+  and doesn't get bigger with the number of auth objects defined.
+
+  * Pre-initialized the two vectors in config_auth:auth_alloc().
+  * Removed the allocations in ast_sip_auth_digest_algorithms_vector_init().
+  * Added a note to the doc for ast_sip_auth_digest_algorithms_vector_init()
+    noting that the vector passed in should be initialized and empty.
+  * Simplified the create_artificial_auth() function in pjsip_distributor.
+  * Set the vector initialization count to 0 in config_global:global_apply().
+