[Asterisk-Users] Security Vulnerability in Asterisk
Michael Manousos
manousos at inaccessnetworks.com
Tue Jun 29 00:52:04 MST 2004
Jim Rosenberg wrote:
> --On Monday, June 28, 2004 7:21 PM +0200 Michael Sandee
> <ms at zeelandnet.nl> wrote:
>
>> Other than that... if these problems are not being published when
>> fixed... then other distros do not have a chance to fix it... (think
>> about distros that use "stable" code, but haven't updated to 0.9 because
>> of problems)
>
> I have to say -- with somewhat less vehemence -- that I'm another user
> who sure never noticed that the "stable" release of Asterisk had moved
> from 0.7.2 to 0.9x. This should have been an important announcement on
> *SEVERAL* security grounds. As of 0.7.2, the recommended version of
> channel H323 had some very serious vulnerabilities that the OpenH323
> folks had fixed months previously.
The latest versions of asterisk-oh323 use OpenH323 1.13.5, Pwlib 1.6.6.
Why don't you use that one?
>
> This is an opportune time to repeat: H.323 uses ASN.1. ASN.1 is
> fiendishly complex and is a "known bad boy" in which many security holes
> have appeared over the years. It would be naive to think there won't be
> more. As VOIP hits the big-time and Asterisk joins the ranks of some of
> the other more famous open-source projects, quick response to security
> vulnerabilities will be expected.
>
> It's nice to know in the case of these format string problems that they
> were in some sense addressed promptly, but we're not all subscribed to
> the dev list. A vulnerability that is fixed in CVS head but not
> back-patched to stable *is not fixed* as far as a large percentage of
> the user base is concerned.
Michael.