[Asterisk-Users] Security Vulnerability in Asterisk

James Golovich james at wwnet.net
Mon Jun 28 18:16:13 MST 2004


On Mon, 28 Jun 2004, Jim Rosenberg wrote:

> I have to say -- with somewhat less vehemence -- that I'm another user who 
> sure never noticed that the "stable" release of Asterisk had moved from 
> 0.7.2 to 0.9x. This should have been an important announcement on *SEVERAL* 
> security grounds. As of 0.7.2, the recommended version of channel H323 had 
> some very serious vulnerabilities that the OpenH323 folks had fixed months 
> previously.
> 
> It's nice to know in the case of these format string problems that they 
> were in some sense addressed promptly, but we're not all subscribed to the 
> dev list. A vulnerability that is fixed in CVS head but not back-patched to 
> stable *is not fixed* as far as a large percentage of the user base is 
> concerned.

It was fixed in CVS head and stable and at the same time 0.9.0 was
released.  The existence was noted in the ChangeLog as well that comes
with asterisk:

Asterisk 0.9.0
 -- Logging fixes (fixes remote DoS)
 -- Fixes from the bug tracker
 -- ADPCM Standardization
 -- Branch to Stable CVS

I'm not sure if there was an announcement posted to the lists about the
code release, but it was definitely updated on the asterisk.org page and
the wiki.

James



