[asterisk-dev] Permit/deny with negation patch
Matthew Jordan
mjordan at digium.com
Thu Jun 28 18:52:45 CDT 2012
----- Original Message -----
> From: "Kevin P. Fleming" <kpfleming at digium.com>
> To: asterisk-dev at lists.digium.com
> Sent: Thursday, March 22, 2012 10:15:35 AM
> Subject: Re: [asterisk-dev] Permit/deny with negation patch
>
> On 03/20/2012 03:09 PM, Mark Murawski wrote:
> > On 03/20/12 14:59, Tilghman Lesher wrote:
> >> On Thu, Mar 8, 2012 at 11:11 AM, Tilghman
> >> Lesher<tilghman at meg.abyt.es>
> >> wrote:
> >>> https://reviewboard.asterisk.org/r/1592/
<snip>
> >>> So in summary, is this a security fix? Or only a bug fix? Or just
> >>> a
> >>> new feature?
> >>
> >> So seeing no objection, we'll make this a security issue and patch
> >> 1.4, right? Bueller? Bueller?
> >>
> >> -Tilghman
<snip>
> > For me, I use permit/deny from a database but I have my data
> > returned
> > back in specific orders so I have expected results every time.
> >
> > I would call it a "new security feature", which... depending on how
> > badly people want it, might make sense to put into 1.4.
> >
> > No doubt it will sure make writing the permit/deny rules much
> > easier
> > when configured from a db though.
>
> My vote is to treat it as a security vulnerability of 'low' severity
> and
> merge it into 1.4 and later release branches.
>
Resurrecting this discussion one more time...
We're at a good time to get this feature put into Asterisk, if everyone
agrees that this can be viewed as a resolution to a low-risk security
vulnerability. If so, this feature will go into Asterisk 1.8+.
Otherwise, it can be committed to Asterisk trunk (11).
My inclination is to go with Kevin's suggestion at this point - does anyone
have any objections?
--
Matthew Jordan
Digium, Inc. | Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
More information about the asterisk-dev
mailing list