[asterisk-dev] Dialstring injection - security advisory release?

Olle E. Johansson oej at edvina.net
Sat Feb 13 03:28:39 CST 2010


On 11 Feb 2010 at 17:00, Leif Madsen wrote:

> Nick Lewis wrote:
>>> If you feel this is the case, please file a proper issue 
>>> so it can be dealt with appropriately.
>> 
>> https://issues.asterisk.org/view.php?id=16810 
>> 
>> This is just the arm waving stuff - do you want something requesting a
>> security advisory too?
> 
> Unnecessary. After additional discussion with Tilghman and Russell, we have a 
> game plan.
> 
> This is a situation where it is not a security issue that is 
> fix-it-and-forget-it, but rather an ongoing system administration issue that 
> must be dealt with appropriately in the dialplan.
> 
> Because of this, we've deemed it appropriate to create a best practices document 
> that will describe these types of issues going forward, with information on what 
> issues are a potential pitfall in the dialplan that could open your system up to 
> abuse, and examples of how to avoid those types of problems.
> 
> The best practices document will live in the doc/ directory of Asterisk. After 
> this initial document is created, documenting the issue at hand, a security 
> advisory will be released pointing at the document, thereby informing the 
> community how to protect itself.
> 
> If the document is further updated in the future for practices which provide 
> information for how to protect a system, additional security notices will be 
> published pointing back to the resulting updates to documentation.
> 
> I'll be starting work on this document later today, and will provide links to it 
> in the mantis issue noted above, and will also provide a reviewboard link once 
> I'm far enough to have it reviewed by the community.

Which is exactly what I proposed. Thank you.

Any feedback on my dot/dot-dot proposals?

/O
