[asterisk-dev] Dialstring injection - security advisory release?

Leif Madsen leif.madsen at asteriskdocs.org
Thu Feb 11 10:00:09 CST 2010


Nick Lewis wrote:
>> If you feel this is the case, please file a proper issue 
>> so it can be dealt with appropriately.
> 
> https://issues.asterisk.org/view.php?id=16810 
> 
> This is just the arm waving stuff - do you want something requesting a
> security advisory too?

Unnecessary. After additional discussion with Tighman and Russell, we have a 
game plan.

This is a situation where it is not a security issue that is 
fix-it-and-forget-it, but rather is an ongoing system administration issue that 
must be dealt with appropriately in the dialplan.

Because of this, we've deemed it appropriate to create a best practices document 
that will describe these types of issues going forward, with information on what 
issues are a potential pitfall in the dialplan that could open your system up to 
abuse, and examples of how to avoid those types of problems.

The best practices document will live in the doc/ directory of Asterisk. After 
this initial document is created, documenting the issue at hand, a security 
advisory will be released pointing at the document, thereby informing the 
community how to protect itself.

If the document is further updated in the future for practices which provide 
information for how to protect a system, additional security notices will be 
published pointing back to the resulting updates to documentation.

I'll be starting work on this document later today, and will provide links to it 
in the mantis issue noted above, and will also provide a reviewboard link once 
I'm far enough to have it reviewed by the community.

Thanks in advance!
Leif Madsen.
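As an added illustration of the kind of dialplan pitfall the thread refers to (example written for this page; it is not from the original post nor from the best practices document Leif announces): when a dial string is built straight from ${EXTEN} under a catch-all pattern, whatever the caller sent, including "&" (which Dial() treats as the separator between channels to ring in parallel) and "/" (which separates technology and destination), is passed verbatim into Dial(). The SIP peer name "provider", the context names, and the attacker-sent extension below are all assumed or constructed for the example.

```ini
; Constructed extensions.conf fragment (not from the original thread).
; Assumed: a SIP peer named "provider" exists in sip.conf.

[from-internal-vulnerable]
; "_X." matches one digit followed by one or more of ANY character,
; so ${EXTEN} is not restricted to digits. A caller who sends the
; (constructed) extension
;     5551234&SIP/provider/19005551234
; makes the Dial() line below expand to
;     Dial(SIP/provider/5551234&SIP/provider/19005551234,30)
; i.e. a second, attacker-chosen outbound leg is placed on your trunk.
exten => _X.,1,Dial(SIP/provider/${EXTEN},30)
exten => _X.,n,Hangup()

[from-internal-hardened]
; Two independent controls, either of which stops the injection above:
; 1) a pattern that only matches the digits you expect to route
;    (X = 0-9, N = 2-9, fixed length), so "&" and "/" never match;
exten => _NXXXXXX,1,Dial(SIP/provider/${EXTEN},30)
exten => _NXXXXXX,n,Hangup()

; 2) if a catch-all pattern is unavoidable, strip everything but the
;    allowed characters with FILTER() before the value reaches Dial().
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,Dial(SIP/provider/${SAFE_EXTEN},30)
exten => _X.,n,Hangup()
```

With the hardened context, the constructed extension "5551234&SIP/provider/19005551234" either fails to match at all (first pattern) or is reduced to "555123419005551234" before Dial() sees it (second pattern), so no extra channel is ever created from caller-supplied text. The same rule applies to any other dialplan application that receives ${EXTEN}, ${CALLERID(num)}, or any other peer-controlled variable: validate or filter it before it is used to build a channel, file name, or database string.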