[asterisk-users] AST-2008-006 - 3-way handshake in IAX2 incomplete

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Wed Apr 23 08:52:44 CDT 2008


On Tuesday 22 April 2008 19:34, Brian J. Murrell wrote:
> On Tue, 2008-04-22 at 17:58 -0500, Security Officer wrote:
> > Asterisk Project Security Advisory - AST-2008-006
>
> So given that I'm new to asterisk's svn and bug tracking tool, is it
> sufficient then to apply the two patches (iax_dcallno_check-1.2.rev3.txt
> and iax_dcallno_check.rev9.txt) listed in
> http://bugs.digium.com/view.php?id=10078 to a 1.4.11ish release to
> correct this vulnerability?  I really don't feel like buying into
> any/all of the headaches that went into 1.4.11->1.4.20.  You know, "if
> it ain't broke don't fix it", and my corollary, "if it is broke, only
> fix what's broke, don't try to make it better".  :-)

Please understand that that's NOT the only security fix that has gone in
during that time.  If this is the only thing that you fix, you're likely to be
vulnerable on several other levels.  See our full list of security disclosures
at http://downloads.digium.com/pub/security/

-- 
Tilghman


