[Asterisk-Users] Security Vulnerability in Asterisk

Michael Sandee ms at zeelandnet.nl
Mon Jun 28 10:21:13 MST 2004


It kind of seems to be the policy of... <asterisk maintainer(s)> to not 
disclose anything to the public and silently update it..
I didn't want to make a fuss about it (again)... but now it's on the ML 
anyway...

This type of "elitist" behaviour REALLY sucks...

I hope in the future announcements will be made about this type of 
problem... Yeah I was still running a system with an old version of 
asterisk/iax on the public internet when I saw this on bugtraq... 
Because it simply worked...

Other than that... if these problems are not being published when 
fixed... then other distros do not have a chance to fix it... (think 
about distros that use "stable" code, but haven't updated to 0.9 
because of problems)

Come on, people... this is far worse behaviour than Microsoft's policy on 
bugs... at least they have *some* form of public disclosure...

Jim Rosenberg wrote:

>The following is pasted from SecurityFocus Newsletter #254:
>
>-------------------------
>Asterisk PBX Multiple Logging Format String Vulnerabilities
>BugTraq ID: 10569
>Remote: Yes
>Date Published: Jun 18 2004
>Relevant URL: http://www.securityfocus.com/bid/10569
>Summary:
>It is reported that Asterisk is susceptible to format string
>vulnerabilities in its logging functions.
>
>An attacker may use these vulnerabilities to corrupt memory, and read or
>write arbitrary memory. Remote code execution is likely possible.
>
>Due to the nature of these vulnerabilities, there may exist many different
>avenues of attack. Anything that can potentially call the logging functions
>with user-supplied data is vulnerable.
>
>Versions 0.7.0 through to 0.7.2 are reported vulnerable.
>-------------------------
>
>What is the status of CVS-current with respect to this?
>
>I don't remember seeing any discussion of this issue here; apologies if I
>missed it.
>
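
The bug class named in the quoted advisory (a logging function called with user-supplied data as its format string), shown as an added example that is not Asterisk code and not part of the original message. The names log_msg, log_peer_unsafe and log_peer_safe are hypothetical and the input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];   /* last formatted log line, kept for inspection */

/* Hypothetical printf-style logger (not Asterisk's). The format attribute lets
   gcc/clang check every call site under -Wformat -Wformat-security. */
__attribute__((format(printf, 2, 3)))
static void log_msg(const char *level, const char *fmt, ...)
{
    char body[200];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);   /* fmt is interpreted here */
    va_end(ap);
    snprintf(last_line, sizeof last_line, "[%s] %s", level, body);
}

/* BEFORE: remote text is passed as the format string itself, so any
   conversion specifier in it is acted on by vsnprintf. The pragma only
   silences the compiler warning this call site would otherwise raise. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static const char *log_peer_unsafe(const char *peer_text)
{
    log_msg("NOTICE", peer_text);
    return last_line;
}
#pragma GCC diagnostic pop

/* AFTER: constant format; remote text is only ever data for %s. */
static const char *log_peer_safe(const char *peer_text)
{
    log_msg("NOTICE", "%s", peer_text);
    return last_line;
}

int main(void)
{
    /* Constructed input: "%%" takes no argument, so it is well-defined in both
       paths and still shows which call treats the text as a format. */
    const char *peer_text = "caller 100%% done";

    printf("unsafe: %s\n", log_peer_unsafe(peer_text));
    printf("safe:   %s\n", log_peer_safe(peer_text));
    return 0;
}
```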



