[asterisk-dev] Re: Security Through Obscurity

Kevin P. Fleming kpfleming at digium.com
Sun Mar 4 22:56:42 MST 2007


Anthony Lamantia wrote:
> it would have been nice to know a problem existed in chan_sip (on the
> website, without having to ask or searching the commits list) and great
> if an advisory was posted to one or all of the popular security mailing
> lists.

The fixed versions of Asterisk were posted within 24 hours (or less) of
us being notified of the issue. In fact, I believe the patch was
committed to Subversion within hours of the issue being reported to us.
These releases were made and announced on the asterisk-announce,
asterisk-dev and asterisk-users lists, along with the asterisk.org
website. Anyone who watches any of those lists would have known there
was an issue without 'having to ask'. This issue was also in active
discussion on the asterisk-users and asterisk-biz lists, and on IRC.

I will admit that I neglected to post anything to the asterisk-security
list, but we use it so infrequently it's easy to forget.

