[Asterisk-Users] H.323 ASN.1 Vulnerabilities: Request for "official" patch!
Jim Rosenberg
jr at amanue.com
Wed Mar 3 19:26:16 MST 2004
To recap:
1. Security vulnerabilities have been found in the ASN.1 parsing of *many*
H.323 implementations. Some security experts consider them quite serious,
others don't.
2. OpenH323 *was* vulnerable when the announcement was made. (About a month
and a half ago, or so.)
3. The OpenH323 folks patched their code quite quickly. I believe that to
obtain their fix you need to check code out of CVS.
4. If you visit asterisk.org, follow "the usual" download instructions, and
build in H.323 support, your resulting Asterisk *WILL* be vulnerable.
5. Integrating a "fixed" version of OpenH323 with Asterisk is not
straightforward. (I at least have not been able to get this to work.)
6. There is (in my opinion) *widespread misunderstanding* on this issue.
E.g., I had Digium support try to convince me that Asterisk was not
vulnerable.
I would like to make a public appeal to whoever is in position to do this
to issue an "official" patch -- and to update the asterisk.org website so
newbies get a fixed version when they download and build in H.323 support.
Please please please ...
-T.i.A., Jim