[Asterisk-Users] Asterisk Security vulnerability report

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Wed Sep 10 11:16:32 MST 2003


On Wednesday 10 September 2003 01:04 pm, Olle E. Johansson wrote:
> Tilghman Lesher wrote:
> > On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote:
> >>Lubomir Christov wrote:
> >>>today I found this security report regarding Asterisk SIP
> >>>Security.
> >>>
> >>>http://www.securiteam.com/securitynews/5LP0720B5G.html
> >>
> >>Important information. Why a "silent" patch and no information to
> >>the mailing list? Security by obscurity :-(
> >
> > Probably because Mark doesn't have time to realize that somebody
> > is going to publish a temporary vulnerability that he fixes in 5
> > minutes.  When someone points out a bug in my own programs, I'll
> > go fix it, but I don't usually then publish a vulnerability page
> > describing the problem:  it's a bug, I fixed it, what's next?
>
> I understand it from a programmer's view. But from the large user
> base point of view - there's a lot of installations out there that
> need to be updated and they did not get the information that they
> had to update. Not all want to CVS-update running systems to the
> latest code.

Read the security vulnerability.  It referenced CVS as of a certain
date.  If you aren't keeping up with CVS changes, why are you running
CVS at all?

-Tilghman



