Lubomir Christov
2003-Sep-09 12:54 UTC
[Asterisk-Users] Asterisk Security vulnerability report
Hello,

today I found this security report regarding Asterisk SIP Security.

http://www.securiteam.com/securitynews/5LP0720B5G.html

Maybe it could help somebody who isn't using a newer than 15th of August cvs version.

Best regards
Lubo
I heard about this a while ago too. How come I didn't hear anything about it from asterisk-announce? (At least I don't recall receiving any emails about it.)

Also, are there any plans in the future to create stable and development branches of code? Upgrading to the latest CVS version may be difficult for some who have complex installations. It would be easier just to receive a patch for the stable version.

Brian.

----- Original Message -----
From: "Lubomir Christov" <voip@minitelecom.org>
To: <asterisk-users@lists.digium.com>; <asterisk-dev@lists.digium.com>
Sent: Tuesday, September 09, 2003 3:54 PM
Subject: [Asterisk-Users] Asterisk Security vulnerability report

> Hello,
>
> today I found this security report regarding Asterisk SIP Security.
>
> http://www.securiteam.com/securitynews/5LP0720B5G.html
>
> Maybe It could help somebody who isn't using a newer than 15th of August
> cvs version.
>
> Best regards
> Lubo
Olle E. Johansson
2003-Sep-10 08:51 UTC
[Asterisk-Users] Asterisk Security vulnerability report
Lubomir Christov wrote:
> today I found this security report regarding Asterisk SIP Security.
>
> http://www.securiteam.com/securitynews/5LP0720B5G.html
>
Important information. Why a "silent" patch and no information to the mailing list? Security by obscurity :-(

Let's be open. I've added a security page to the Wiki:
http://www.voip-info.org/tiki-index.php?page=Asterisk+security

/Olle
Chris Albertson
2003-Sep-10 09:29 UTC
[Asterisk-Users] Asterisk Security vulnerability report
What I do periodically is a recursive "grep" of all my source code for "strcat()" and the like. In EVERY case, there is NO reason to use strcat() and it should be replaced with either strlcat() or strncat(); same for sprintf, strcpy and so on. The "l" versions should be preferred over the "n" versions, but some UNIXes lack the "l" kinds, so you need to use autoconf and "ifdef HAVE_STRLCAT".

Every use of the non-"l" or "n" functions is a potential buffer overwrite exploit or a potential segfault. Yes, you can do an analysis and determine that no overflow is possible, but then 2 years later someone patches the code.

====
Chris Albertson
Home: 310-376-1029 chrisalbertson90278@yahoo.com
Cell: 310-990-7550
Office: 310-336-5189 Christopher.J.Albertson@aero.org
KG6OMK
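The strcat-to-strlcat replacement Chris describes, with the autoconf HAVE_STRLCAT switch and a portable fallback, as an added example (not code from the thread or from Asterisk). The fallback uses the usual strlcat return convention (length the full result would have had), and format_contact is a hypothetical caller that builds a SIP contact into a fixed buffer and reports truncation instead of overflowing.

```c
#include <string.h>

/* Pick the libc strlcat when autoconf found it, else the fallback below. */
#ifdef HAVE_STRLCAT
#define safe_strlcat strlcat
#else
#define safe_strlcat compat_strlcat
#endif

/* Fallback with strlcat semantics: appends as much of src as fits, always
 * NUL-terminates, and returns the length the full result would have had,
 * so a return value >= dsize means the result was truncated. */
size_t compat_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0, slen = strlen(src), room, ncopy;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)          /* dst not NUL-terminated: append nothing */
        return dsize + slen;
    room = dsize - dlen - 1;
    ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* Replacement for a bare strcat(dst, src): 0 on success, -1 if the result
 * did not fit (dst is then truncated but still NUL-terminated). */
int append_checked(char *dst, size_t dsize, const char *src)
{
    return safe_strlcat(dst, src, dsize) < dsize ? 0 : -1;
}

/* Hypothetical caller: build "sip:user@host" from caller-supplied strings
 * into a fixed buffer. Every append is length-checked, so an over-long
 * user or host name yields -1 instead of writing past the end of out. */
int format_contact(char *out, size_t outsize, const char *user, const char *host)
{
    if (outsize == 0)
        return -1;
    out[0] = '\0';
    if (append_checked(out, outsize, "sip:") || append_checked(out, outsize, user) ||
        append_checked(out, outsize, "@"))
        return -1;
    return append_checked(out, outsize, host);
}
```

A caller that ignores the -1 still gets a NUL-terminated, in-bounds string, which is the property the plain strcat version lacks.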