[asterisk-bugs] [JIRA] (ASTERISK-22820) [patch] Plaintext auth is still supported in IAX2
Eugene (JIRA)
noreply at issues.asterisk.org
Tue Apr 14 03:26:33 CDT 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-22820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225886#comment-225886 ]
Eugene edited comment on ASTERISK-22820 at 4/14/15 3:25 AM:
------------------------------------------------------------
This was reported more than 1,5 years ago.
The fix is easy and safe.
Without the fix we violate the RFC and we have a security vulnerability in place.
Please fix this.
was (Author: varnav):
This was reported more than two years ago.
The fix is easy and safe.
Without the fix we violate the RFC and we have a security vulnerability in place.
Please fix this.
> [patch] Plaintext auth is still supported in IAX2
> -------------------------------------------------
>
> Key: ASTERISK-22820
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-22820
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_iax2
> Affects Versions: SVN, 12.0.0, 13.0.0
> Reporter: Eugene
> Severity: Minor
> Attachments: asterisk-12-chan_iax2-plaintext-auth-deprecated-v2.diff
>
>
> Starting from draft 2 of RFC 5456 (October 23, 2006), plaintext auth is not supported in the IAX2 protocol. Please refer to section 8.6.13 of RFC 5456.
> But plaintext auth is still supported by the Asterisk implementation of IAX2. This support should be dropped.
> The attached patch, based on the asterisk-dev discussion, adds a deprecation warning on startup if 'auth' is set to 'plaintext', changes the default value of 'auth' from 'md5, plaintext' to 'md5', and adds a note to UPGRADE.txt.
> The patch is safe in terms of backwards compatibility and will work even if remote peers have auth=plaintext and we have defaults.
> The auth=plaintext setting will remain deprecated in Asterisk 14 and 15, and IAX2 plaintext support will be removed in Asterisk 16.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
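
An added example, not part of the JIRA message or the attached patch: a Python check that scans iax.conf text for sections that would still accept plaintext auth, either through an explicit `auth` line or through the pre-patch default 'md5, plaintext' described in the issue. The sample configuration and its peer names are constructed, and treating a section without an `auth` line as falling back to that default is an assumption.

```python
import re

# Constructed sample in iax.conf syntax; peer names and secrets are made up.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569

[branch-a]
type=friend
auth=md5

[branch-b]
type=friend
auth = md5, plaintext   ; explicit plaintext

[legacy-trunk]
type=friend
secret=example-only
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def audit_iax_auth(conf_text):
    """Return [(section, finding)] for sections that may accept plaintext auth."""
    sections = {}   # section name -> list of auth methods, or None if unset
    current = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, None)
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "auth":
            methods = value.lstrip(">").split(",")   # also accepts 'auth => md5'
            sections[current] = [m.strip().lower() for m in methods if m.strip()]
    findings = []
    for name, methods in sections.items():
        if methods is None:
            # Assumption: [general] holds global settings, not a peer/user entry.
            if name.lower() != "general":
                findings.append((name, "inherits-default"))
        elif "plaintext" in methods:
            findings.append((name, "explicit-plaintext"))
    return findings
```

Sections reported as `inherits-default` are the ones whose behaviour changes when the default moves from 'md5, plaintext' to 'md5'; those reported as `explicit-plaintext` are the ones that would trigger the deprecation warning.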