[Asterisk-Users] NEW Asterisk Security vulnerability report ...

Adam Goryachev mailinglists at websitemanagers.com.au
Wed Sep 17 07:17:38 MST 2003


> There is a new asterisk vulnerability report at this address:
>
> http://www.securiteam.com/unixfocus/5HP0H1PB5S.html
>
> This is the second security report regarding asterisk in 8 days
> (http://www.securiteam.com/securitynews/5LP0720B5G.html)
>
> Both fixes were reported and fixed silently.
>
> My question is: Is it possible in the future for such security problems to
> be reported in this mailing list or some other security related list?

Of course, this particular bug is likely only going to affect a small subset
of people for the following reasons:

a) Don't accept VoIP from untrusted sources
b) Their telco doesn't permit untrusted sources to spoof callerid
c) They don't use the SQL CDR recording
d) Without actually looking into it, what is the maxlength of callerid
anyway?

I'm also wondering why it took so long for this bug to be fixed?
Also, the list should be notified once the fix is in CVS (which should be
when bugtraq etc. is notified).

Regards,
Adam



