The issue has been happening since <http://github.com/jitsi/jitsi/commit/cd62892c2706370b23d334ee28e07b2090269090>. It is not caused by <http://github.com/jitsi/jain-sip/tree/jitsi-oss-only/> itself, but by how its API is used. I have a working patch.
Normally, I would proceed directly with a Pull Request on GitHub. However, I am not able to mark it private there, and the current Jitsi FAQ states that I have to report on the users (!) mailing list first.
The issue is rather obvious for an attacker. Therefore, I do not see much benefit in not disclosing it. However, I do not know the current policy of the Jitsi team on security issues. Furthermore, although my patch works and is backward compatible with older Java versions, I tested it in one scenario only. There could be more scenarios I am not aware of yet. Therefore, the patch might not be fully ready.
Another question: The issue was unveiled because the JAIN-SIP library was changed. I want to investigate the root cause of that issue (to present it in my security class as a learning object): Which source/project was used as the JAIN-SIP library before April 2016?