Lubomir Christov
2003-Sep-17 06:15 UTC
[Asterisk-Users] NEW Asterisk Security vulnerability report ...
Hello,

There is a new asterisk vulnerability report at this address:

http://www.securiteam.com/unixfocus/5HP0H1PB5S.html

This is the second security report regarding asterisk for 8 days
(http://www.securiteam.com/securitynews/5LP0720B5G.html)

Both fixes were reported and fixed silently.

My question is: Is it possible in the future for such security problems to
be reported in this mailing list or some other security related list?

Lubo
Leif Madsen
2003-Sep-17 07:03 UTC
[Asterisk-Users] NEW Asterisk Security vulnerability report ...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lubomir Christov wrote:
| Hello,
|
| There is a new asterisk vulnerability report at this address:
|
| http://www.securiteam.com/unixfocus/5HP0H1PB5S.html
|
| This is the second security report regarding asterisk for 8 days
| (http://www.securiteam.com/securitynews/5LP0720B5G.html)
|
| Both fixes were reported and fixed silently.
|
| My question is: Is it possible in the future for such security problems to
| be reported in this mailing list or some other security related list?
|

I would really like to see Asterisk security fixes posted to BugTraq, as
that is where I monitor for vulnerabilities in my boxes.

- --
Leif Madsen.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/aGm16gq3eQ0gpNURAohaAKCg9RL93co6fAfoxJA0fgrSsor0hgCdE1y1
C5sAMippFb6fK7q0xiik6O4=
=eL29
-----END PGP SIGNATURE-----
Adam Goryachev
2003-Sep-17 07:17 UTC
[Asterisk-Users] NEW Asterisk Security vulnerability report ...
> There is a new asterisk vulnerability report at this address:
>
> http://www.securiteam.com/unixfocus/5HP0H1PB5S.html
>
> This is the second security report regarding asterisk for 8 days
> (http://www.securiteam.com/securitynews/5LP0720B5G.html)
>
> Both fixes were reported and fixed silently.
>
> My question is: Is it possible in the future for such security problems to
> be reported in this mailing list or some other security related list?

Of course, this particular bug is likely only going to affect a small
subset of people for the following reasons:

a) Don't accept VoIP from untrusted sources
b) Their telco doesn't permit untrusted sources to spoof callerid
c) They don't use the SQL CDR recording
d) Without actually looking into it, what is the maxlength of callerid
anyway?

I'm also wondering why it took so long for this bug to be fixed?

Also, the list should be notified once the fix is in CVS (which should be
when bugtraq etc is notified)

Regards,
Adam
Tilghman Lesher
2003-Sep-17 19:56 UTC
[Asterisk-Users] NEW Asterisk Security vulnerability report ...
On Wednesday 17 September 2003 08:15, Lubomir Christov wrote:
> Hello,
>
> There is a new asterisk vulnerability report at this address:
>
> http://www.securiteam.com/unixfocus/5HP0H1PB5S.html

They lie. My email address is at the top of the cdr_mysql.c source
file, and yet I was never contacted.

> Both fixes were reported and fixed silently.
>
> My question is: Is it possible in the future for such security problems
> to be reported in this mailing list or some other security related
> list?

Sure, why don't you ask the security "researchers" to post the problem
to the -dev list, instead of only on their website (where we get to
find out only long after the fact)?

-Tilghman