No subject
Fri Sep 2 03:59:05 CDT 2011
{quote}
You do have a valid point there. auth_options_requests=no (the default) does mitigate the OPTIONS problem. But there are indeed a couple of other methods that do get the authentication process working and they should be sent to the security framework. \[Make new bug report #1]
{quote}
Two issues here:
- handle_incoming() sports the magic number 9:
if (res < 9) { sip_report_security_event(p, req, res); }
should be fixed using extra constants in sip/include/sip.h
- handle_incoming() calls other methods which can be used for brute forcing (OPTIONS, MESSAGE, ...).
the calls to sip_report_security_event() are missing there.
(perhaps it should be moved to check_auth)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list