[asterisk-users] AST-2008-006 - 3-way handshake in IAX2 incomplete

[Tilghman Lesher]

On Tuesday 22 April 2008 19:34, Brian J. Murrell wrote:
> On Tue, 2008-04-22 at 17:58 -0500, Security Officer wrote:
> > Asterisk Project Security Advisory - AST-2008-006
>
> So given that I'm new to asterisk's svn and bug tracking tool, is it
> sufficient then to apply the two patches (iax_dcallno_check-1.2.rev3.txt
> and iax_dcallno_check.rev9.txt) listed in
> http://bugs.digium.com/view.php?id=10078 to a 1.4.11ish release to
> correct this vulnerability?  I really don't feel like buying into
> any/all of the headaches that went into 1.4.11->1.4.20.  You know, "if
> it ain't broke don't fix it", and my corollary, "if it is broke, only
> fix what's broke, don't try to make it better".  :-)

Please understand that that's NOT the only security fix that has gone in
during that time.  If this is the only thing that you fix, you're likely to be
vulnerable on several other levels.  See our full list of security disclosures
at http://downloads.digium.com/pub/security/

-- 
Tilghman