[asterisk-dev] Permit/deny with negation patch
Tilghman Lesher
tilghman at meg.abyt.es
Thu Mar 8 11:11:35 CST 2012
https://reviewboard.asterisk.org/r/1592/

I have a patch that has been languishing on the review tracker, even
though it got a "Ship It" several months ago, and someone pointed out
that it could plausibly be a bug fix, because permit/deny in realtime
is incredibly difficult to use properly, because it depends upon the
columns coming back from the database in a particular order. There's
a plausible argument that this, therefore, could be a bug fix for
realtime. Furthermore, since permit/deny controls a security aspect
of realtime peers, if a realtime backend (such as LDAP) was not
consistent in returning columns in a particular order, it could be
considered a possible security issue.

So I'm asking the developer community for opinions. Ostensibly, this
would otherwise only go into trunk, as a new feature. However, if
it's only a bug fix, it could go into 1.8 forwards, and if it's a
security fix, it could go into 1.4, 1.6.2, and forward, and generate
the release of a security document and new releases for these branches
that are in security support mode.

I don't consider this a high security issue, as nobody has yet
demonstrated that this is vulnerable in the wild. It is likely that
only certain systems _might_ be vulnerable in very limited
circumstances, so the developer community (specifically those who use
permit/deny in realtime peers) are encouraged to voice their opinions
and even to try out the patch.

So in summary, is this a security fix? Or only a bug fix? Or just a
new feature?

-Tilghman
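
The order dependence described in the message, as an added example that is not part of the original post and is not Asterisk's code. It assumes the ACL is applied in the order the backend returns the columns, with the last matching rule deciding and a default of allow; the struct, function names and sample rows are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One permit/deny entry: IPv4 network and mask in host order, plus its sense. */
struct rule { uint32_t net, mask; int permit; };

/* Constructed sample values; each realtime row holds one permit and one deny. */
static const struct rule DENY_ALL   = { IP(0, 0, 0, 0),      IP(0, 0, 0, 0),       0 };
static const struct rule PERMIT_LAN = { IP(192, 168, 10, 0), IP(255, 255, 255, 0), 1 };
static const struct rule PERMIT_ALL = { IP(0, 0, 0, 0),      IP(0, 0, 0, 0),       1 };
static const struct rule DENY_NET   = { IP(203, 0, 113, 0),  IP(255, 255, 255, 0), 0 };

/* Apply rules in the order received. Every match overwrites the verdict,
 * so the last matching rule decides; an address no rule matches is allowed. */
int acl_allows(const struct rule *rules, int n, uint32_t addr)
{
    int verdict = 1;
    for (int i = 0; i < n; i++)
        if ((addr & rules[i].mask) == rules[i].net)
            verdict = rules[i].permit;
    return verdict;
}

/* Evaluate a two-column row with the columns arriving in the given order. */
int row_allows(struct rule first, struct rule second, uint32_t addr)
{
    struct rule rules[2];
    rules[0] = first;
    rules[1] = second;
    return acl_allows(rules, 2, addr);
}

int main(void)
{
    uint32_t lan = IP(192, 168, 10, 7), blocked = IP(203, 0, 113, 9);

    /* Allow-list row: the intended order is deny, then permit. */
    printf("deny,permit  LAN host allowed: %d\n", row_allows(DENY_ALL, PERMIT_LAN, lan));
    printf("permit,deny  LAN host allowed: %d\n", row_allows(PERMIT_LAN, DENY_ALL, lan));
    /* Block-list row: the intended order is permit, then deny. */
    printf("permit,deny  blocked host allowed: %d\n", row_allows(PERMIT_ALL, DENY_NET, blocked));
    printf("deny,permit  blocked host allowed: %d\n", row_allows(DENY_NET, PERMIT_ALL, blocked));
    return 0;
}
```

With the allow-list row a swapped column order locks out the intended hosts; with the block-list row the same swap lets the denied network through, which is the case that makes column order a security concern.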