[Asterisk-Users] Asterisk Security vulnerability report
Steven Critchfield
critch at basesys.com
Wed Sep 10 11:46:14 MST 2003
On Wed, 2003-09-10 at 13:16, Tilghman Lesher wrote:
> On Wednesday 10 September 2003 01:04 pm, Olle E. Johansson wrote:
> > Tilghman Lesher wrote:
> > > On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote:
> > >>Lubomir Christov wrote:
> > >>>today I found this security report regarding Asterisk SIP
> > >>>Security.
> > >>>
> > >>>http://www.securiteam.com/securitynews/5LP0720B5G.html
> > >>
> > >>Important information. Why a "silent" patch and no information to
> > >>the mailing list? Security by obscurity :-(
> > >
> > > Probably because Mark doesn't have time to realize that somebody
> > > is going to publish a temporary vulnerability that he fixes in 5
> > > minutes. When someone points out a bug in my own programs, I'll
> > > go fix it, but I don't usually then publish a vulnerability page
> > > describing the problem: it's a bug, I fixed it, what's next?
> >
> > I understand it from a programmer's view. But from the large user
> > base point of view - there are a lot of installations out there that
> > need to be updated and they did not get the information that they
> > had to update. Not all want to CVS-update running systems to the
> > latest code.
>
> Read the security vulnerability. It referenced CVS as of a certain
> date. If you aren't keeping up with CVS changes, why are you running
> CVS at all?
Tilghman, the problem is that there was a large number of older
installations out there that needed the updates, but no notice until
lately about a problem that is almost a month old. That security site is
not one I would have expected to read for asterisk news.
Of course this is a good reminder to turn off options you are not
running, like SIP/MGCP/H323, if possible. This is how I dealt with this
problem on my production, needs-to-be-rock-solid * box. It is what is
normally expected of good sys admins, besides being on top of all the
security mailing lists and project lists.
--
Steven Critchfield <critch at basesys.com>
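The mitigation described above (leaving unused channel drivers unloaded) expressed in Asterisk's modules.conf, as an added example that is not part of this post or of the Asterisk distribution; it assumes the standard `[modules]` section syntax and the chan_sip.so / chan_mgcp.so / chan_h323.so module file names of the Asterisk build in question.

```ini
; Added example: /etc/asterisk/modules.conf for a box that only needs IAX2
; (constructed; module names assumed to match the installed Asterisk build).
[modules]
; Default behaviour: every module found in the modules directory is loaded,
; so the SIP, MGCP and H.323 listeners come up even if no peer uses them.
autoload=yes

; Weak setting would be to stop here and rely on the protocols being unused.
; Corrected setting: keep the unused drivers from loading at all. A driver
; that is never loaded never binds its port and never parses a hostile packet,
; so a parser bug in it cannot be reached from the network.
noload => chan_sip.so
noload => chan_mgcp.so
noload => chan_h323.so
```

After restarting Asterisk, confirm with netstat that UDP 5060 (SIP), UDP 2427/2727 (MGCP) and TCP 1720 (H.323) are no longer bound on the host.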