[asterisk-dev] Re: Security Through Obscurity

Marc Blanchet marc.blanchet at viagenie.ca
Mon Mar 5 04:00:46 MST 2007


Kevin,
  to me, the practice that has emerged in the "industry" over many
years is to create a vulnerability report that contains information
(not the recipe) about the vulnerability, with its possible impacts,
workarounds, fixes and additional information.  This way, it gives
users who run the software the ability to judge how urgently they need
to update it.  Not every security issue is a problem; it all depends on
where/when/how/... the software is deployed.  The only person who can
really assess the vulnerability is the person running the software in
question.
  These vulnerability reports are most often sent to security mailing
lists such as Bugtraq.  Here is just an example of such a report that
appeared in today's Bugtraq:
http://www.securityfocus.com/archive/1/461716/30/0/threaded
  I would highly recommend that Digium adopt that practice.
  And I think, in the end, this is what many people in the thread were
actually looking for, and it makes full sense to me that the community
receive that information.

My 2 Canadian cents...

Marc.

On 07-03-05 at 00:56, Kevin P. Fleming wrote:

> Anthony Lamantia wrote:
>> it would have been nice to know a problem existed in chan_sip (on the
>> website, without having to ask or searching the commits list) and
>> great if an advisory was posted to one or all of the popular security
>> mailing lists.
>
> The fixed versions of Asterisk were posted within 24 hours (or less)
> of us being notified of the issue. In fact, I believe the patch was
> committed to Subversion within hours of the issue being reported to
> us.
> These releases were made and announced on the asterisk-announce,
> asterisk-dev and asterisk-users lists, along with the asterisk.org
> website. Anyone who watches any of those lists would have known there
> was an issue without 'having to ask'. This issue was also in active
> discussion on the asterisk-users and asterisk-biz lists, and on IRC.
>
> I will admit that I neglected to post anything to the
> asterisk-security list, but we use it so infrequently it's easy to
> forget.

-----
IPv6 book: Migrating to IPv6, Wiley, 2006, http://www.ipv6book.ca
