[asterisk-dev] Re: Security Through Obscurity
marc.blanchet at viagenie.ca
Mon Mar 5 04:00:46 MST 2007
To me, the practice that has emerged in the "industry" for many years
now is to create a vulnerability report that contains information
(not the recipe) about the vulnerability, with possible impacts of
the vulnerability, workarounds, fixes and additional information.
This way, it gives users who run the software the ability to measure
their urgency to update the software. Not every security issue is a
problem; it all depends on where/when/how/... the software is
implemented. The only person who can really assess the vulnerability
is the person running the software in question.
These vulnerability reports are most often sent to security mailing
lists such as Bugtraq. Here is just an example of such a report that
appeared in today's Bugtraq: http://www.securityfocus.com/archive/
I would highly recommend that Digium implement that practice.
And I think, in the end, this is what many people in the thread
were actually looking for, and it makes full sense to me that
the community receives that information.
my 2 Canadian cents...
On 07-03-05 at 00:56, Kevin P. Fleming wrote:
> Anthony Lamantia wrote:
>> it would have been nice to know a problem existed in chan_sip (on the
>> website, without having to ask or searching the commits list) and
>> if an advisory was posted to one or all of the popular security
> The fixed versions of Asterisk were posted within 24 hours (or less)
> of us being notified of the issue. In fact, I believe the patch was
> committed to Subversion within hours of the issue being reported to
> These releases were made and announced on the asterisk-announce,
> asterisk-dev and asterisk-users lists, along with the asterisk.org
> website. Anyone who watches any of those lists would have known there
> was an issue without 'having to ask'. This issue was also in active
> discussion on the asterisk-users and asterisk-biz lists, and on IRC.
> I will admit that I neglected to post anything to the asterisk-
> list, but we use it so infrequently it's easy to forget.
IPv6 book: Migrating to IPv6, Wiley, 2006, http://www.ipv6book.ca