[Asterisk-Users] Asterisk Security vulnerability report

Fearghas McKay fm-lists at st-kilda.org
Wed Sep 10 11:59:01 MST 2003


At 11:37 -0500 10/9/03, Tilghman Lesher wrote:
>Probably because Mark doesn't have time to realize that somebody
>is going to publish a temporary vulnerability that he fixes in 5
>minutes.  When someone points out a bug in my own programs, I'll
>go fix it, but I don't usually then publish a vulnerability page
>describing the problem:  it's a bug, I fixed it, what's next?

Well, leaving aside the fact that it may or may not be a temporary vulnerability,
a short note to the users list and the website highlighting the fact that
users should update would be in order.

Asterisk is being used as a piece of critical infrastructure for many
people, often on shared servers. If Mark does not have the time to write an
update, perhaps the community could have another formalised way of getting
the notification.

It has certainly caused some fervent checking amongst users I know, and
since the last release was some months ago, if the vulnerability was present
then there will be users who have had to move from taking a stable build to
building from CVS, which, when I tried to do it the first couple of times,
failed on my machine.

Perhaps it is time for another release?

	f


