[Asterisk-Users] H.323 ASN.1 Vulnerabilities: Request for "official" patch!
Adam Hart
adam at teragen.com.au
Wed Mar 3 19:33:36 MST 2004
See the existing discussion on this - basically download and compile the new
pwlib & openh323 and recompile channels/h323 - you'll need to remove
-Isomething/unix from the Makefile
Jim Rosenberg wrote:
> To recap:
>
> 1. Security vulnerabilities have been found in the ASN.1 parsing of
> *many* H.323 implementations. Some security experts consider them
> quite serious, others don't.
>
> 2. OpenH323 *was* vulnerable when the announcement was made. (About a
> month and a half ago, or so.)
>
> 3. The OpenH323 folks patched their code quite quickly. I believe that
> to obtain their fix you need to check code out of CVS.
>
> 4. If you visit asterisk.org, follow "the usual" download
> instructions, and build in H.323 support, your resulting Asterisk
> *WILL* be vulnerable.
>
> 5. Integrating a "fixed" version of OpenH323 with Asterisk is not
> straightforward. (I at least have not been able to get this to work.)
>
> 6. There is (in my opinion) *widespread misunderstanding* on this
> issue. E.g., I had Digium support try to convince me that Asterisk was
> not vulnerable.
>
> I would like to make a public appeal to whoever is in position to do
> this to issue an "official" patch -- and to update the asterisk.org
> website so newbies get a fixed version when they download and build in
> H.323 support. Please please please ...
>
> -T.i.A., Jim
>