[asterisk-bugs] [JIRA] (ASTERISK-24969) Named ACL's do not handle config errors.

Corey Farrell (JIRA) noreply at issues.asterisk.org
Mon May 18 21:33:33 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=226253#comment-226253 ] 

Corey Farrell commented on ASTERISK-24969:
------------------------------------------

This needs to be open; I've been a bit busy lately with other issues / work. I still need to post to gerrit for aborting Asterisk startup when acl.conf is invalid.

[~mmichelson]: Is any part of your patch going to 11 or 13?

> Named ACL's do not handle config errors.
> ----------------------------------------
>
>                 Key: ASTERISK-24969
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24969
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Core/ACL
>    Affects Versions: 11.17.1, 13.3.2
>            Reporter: Corey Farrell
>            Assignee: Corey Farrell
>         Attachments: acl.diff, ASTERISK-24969-acl-critical-startup.patch
>
>
> While investigating ASTERISK-24874 I found that an invalid acl.conf leaves the system vulnerable.
> 1. Invalid acl.conf on startup does not abort startup.  ACL's are critical to security so this can be dangerous to allow the system to run in this state.
> 2. Even if we do not abort startup, running CLI {{module reload acl}} produces no output, leaving the admin to believe that ACL's were successfully loaded.
> I'm not convinced this is a security issue; this ticket is locked down for now until others can decide if it should be kept quiet or posted in the open.


