[asterisk-bugs] [JIRA] (ASTERISK-29872) res_stir_shaken: Resource exhaustion with large files

Friendly Automation (JIRA) noreply at issues.asterisk.org
Thu Apr 14 14:35:57 CDT 2022


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=258770#comment-258770 ] 

Friendly Automation commented on ASTERISK-29872:
------------------------------------------------

Change 18391 merged by Michael Bradeen:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18391

> res_stir_shaken: Resource exhaustion with large files
> -----------------------------------------------------
>
>                 Key: ASTERISK-29872
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29872
>             Project: Asterisk
>          Issue Type: Security
>      Security Level: None
>          Components: Resources/res_stir_shaken
>    Affects Versions: 16.23.0, 18.9.0, 19.1.0
>            Reporter: Benjamin Keith Ford
>            Severity: Blocker
>              Labels: security
>      Target Release: 16.25.2, 18.11.2, 19.3.2
>
>
> When we receive a SIP INVITE that has an Identity header, we attempt to download the certificate if stir_shaken is enabled. However, we don't have any checks in place to ensure that the file is not too large and that the file is actually a certificate.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
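
The two checks the issue description says were missing (a size limit, and a check that the download is actually a certificate), shown as a libcurl-style write callback. This is an added example, not the code from change 18391; the 8 KiB cap, the PEM marker used for the start check, and every name in it are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CERT_BYTES (8 * 1024)                /* constructed cap, not Asterisk's value */
#define PEM_START "-----BEGIN CERTIFICATE-----"  /* assumed meaning of "check start" */

struct cert_download {
    char        buf[MAX_CERT_BYTES];
    size_t      len;       /* bytes accepted so far */
    int         start_ok;  /* set once the whole PEM marker has matched */
    const char *error;     /* why the transfer was aborted, or NULL */
};

/* Same signature as a libcurl CURLOPT_WRITEFUNCTION callback: returning a
 * value other than size * nmemb makes libcurl abort the transfer. */
size_t cert_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct cert_download *dl = userdata;
    size_t n = size * nmemb;
    size_t want = strlen(PEM_START);

    if (n > MAX_CERT_BYTES - dl->len) {  /* subtraction form cannot overflow */
        dl->error = "certificate exceeds size limit";
        return 0;
    }
    memcpy(dl->buf + dl->len, ptr, n);
    dl->len += n;

    /* The first chunk may be shorter than the marker, so compare what has arrived. */
    if (!dl->start_ok) {
        size_t have = dl->len < want ? dl->len : want;
        if (memcmp(dl->buf, PEM_START, have) != 0) {
            dl->error = "body does not start like a PEM certificate";
            return 0;
        }
        dl->start_ok = (have == want);
    }
    return n;
}

int main(void)
{
    /* Constructed input: an HTML error page served where a certificate was expected. */
    static struct cert_download dl;
    char body[] = "<html>503 Service Unavailable</html>";
    if (cert_write_cb(body, 1, strlen(body), &dl) != strlen(body))
        printf("transfer aborted: %s\n", dl.error);
    return 0;
}
```

Rejecting inside the callback stops the transfer as soon as the limit is crossed or the first bytes mismatch, so an oversized or non-certificate body is never fully buffered.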


