[Asterisk-Users] Security Vulnerability in Asterisk
Jim Rosenberg
jr at amanue.com
Mon Jun 28 18:05:20 MST 2004
--On Monday, June 28, 2004 7:21 PM +0200 Michael Sandee <ms at zeelandnet.nl>
wrote:
> Other than that... if these problems are not being published when
> fixed... then other distro's do not have a chance to fix it... (think
> about distro's that use "stable" code, but haven't updated to 0.9 because
> of problems)
I have to say -- with somewhat less vehemence -- that I'm another user who
sure never noticed that the "stable" release of Asterisk had moved from
0.7.2 to 0.9x. This should have been an important announcement on *SEVERAL*
security grounds. As of 0.7.2, the recommend version of channel H323 had
some very serious vulnerabilities that the OpenH323 folks had fixed months
previously.
This is an opportune time to repeat: H.323 uses ASN.1. ASN.1 is fiendishly
complex and is a "known bad boy" in which many security holes have appeared
over the years. It would be naive to think there won't be more. As VOIP
hits the big-time and Asterisk joins the ranks of some of the other more
famous open-source projects, quick response to security vulnerabilities
will be expected.
It's nice to know in the case of these format string problems that they
were in some sense addressed promptly, but we're not all subscribed to the
dev list. A vulnerability that is fixed in CVS head but not back-patched to
stable *is not fixed* as far as a large percentage of the user base is
concerned.
More information about the asterisk-users
mailing list