[Asterisk-Users] Security Vulnerability in Asterisk

Steven Critchfield critch at basesys.com
Mon Jun 28 19:35:54 MST 2004


On Mon, 2004-06-28 at 20:44, Jim Rosenberg wrote:
> --On Monday, June 28, 2004 9:16 PM -0400 James Golovich <james at wwnet.net> 
> wrote:
> > It was fixed in CVS head and stable and at the same time 0.9.0 was
> > released.  The existence was noted in the ChangeLog as well that comes
> > with asterisk
> 
> Good. But the OpenH323 patches were not back-patched for *months*.

And who forces you to use H323? There are other options, and there is
firewalling built into Linux.

> > I'm not sure if there was an announcement posted to the lists about the
> > code release, but it was definitely updated on the asterisk.org page and
> > the wiki
> 
> Hmm, I see I wasn't subscribed to announce. Shame on me. Well, hopefully in 
> the future new versions of stable can be announced.

Maybe you should check the -users list. Olle said the wiki changed to
-HEAD on 6-13 23:00:22 +0200. Of course earlier that day it was
mentioned by Olle in the Sunday News. 

> I'd like to put forward as a good example what the PostgreSQL folks do. 
> They post a kind of weekly progress report. It includes a digest of 
> important patches, and new releases are announced all over the place. The 
> "Sunday Asterisk News" posts seem to be filling that role here, and are a 
> good thing, which I applaud.

Subscribe to -cvs and pay attention to the files that are important to
your install. For example, my install doesn't have SIP, H323 nor
anything other than IAX and Zap channels. I can ignore large chunks of
the changes and monitor the rest.

> A new release of stable should be something to brag about, yes?

If a stable had ever really been released. It was on feature freeze and
backports weren't possible for too many fixes due to feature upgrades.
Life moved on, you missed the announcement, get over it.

-- 
Steven Critchfield <critch at basesys.com>



