Jim Rosenberg
2004-Mar-03 19:26 UTC
[Asterisk-Users] H.323 ASN.1 Vulnerabilities: Request for "official" patch!
To recap:

1. Security vulnerabilities have been found in the ASN.1 parsing of *many* H.323 implementations. Some security experts consider them quite serious, others don't.

2. OpenH323 *was* vulnerable when the announcement was made. (About a month and a half ago, or so.)

3. The OpenH323 folks patched their code quite quickly. I believe that to obtain their fix you need to check code out of CVS.

4. If you visit asterisk.org, follow "the usual" download instructions, and build in H.323 support, your resulting Asterisk *WILL* be vulnerable.

5. Integrating a "fixed" version of OpenH323 with Asterisk is not straightforward. (I at least have not been able to get this to work.)

6. There is (in my opinion) *widespread misunderstanding* on this issue. E.g., I had Digium support try to convince me that Asterisk was not vulnerable.

I would like to make a public appeal to whoever is in position to do this to issue an "official" patch -- and to update the asterisk.org website so newbies get a fixed version when they download and build in H.323 support. Please please please ...

-T.i.A., Jim
Adam Hart
2004-Mar-03 19:33 UTC
[Asterisk-Users] H.323 ASN.1 Vulnerabilities: Request for "official" patch!
See the existing discussion on this - basically download and compile the new pwlib & openh323 and recompile channels/h323 - you'll need to remove -Isomething/unix from the Makefile

Jim Rosenberg wrote:
> To recap:
>
> 1. Security vulnerabilities have been found in the ASN.1 parsing of *many* H.323 implementations. Some security experts consider them quite serious, others don't.
>
> 2. OpenH323 *was* vulnerable when the announcement was made. (About a month and a half ago, or so.)
>
> 3. The OpenH323 folks patched their code quite quickly. I believe that to obtain their fix you need to check code out of CVS.
>
> 4. If you visit asterisk.org, follow "the usual" download instructions, and build in H.323 support, your resulting Asterisk *WILL* be vulnerable.
>
> 5. Integrating a "fixed" version of OpenH323 with Asterisk is not straightforward. (I at least have not been able to get this to work.)
>
> 6. There is (in my opinion) *widespread misunderstanding* on this issue. E.g., I had Digium support try to convince me that Asterisk was not vulnerable.
>
> I would like to make a public appeal to whoever is in position to do this to issue an "official" patch -- and to update the asterisk.org website so newbies get a fixed version when they download and build in H.323 support. Please please please ...
>
> -T.i.A., Jim
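The one concrete step in the reply above is editing the channels/h323 Makefile to drop an `-I.../unix` include flag before rebuilding against the patched pwlib/openh323. The post does not give the full path of that flag, so the following added example (my own script, not Adam's or the Asterisk project's) removes any `-I<path>/unix` token from a Makefile, keeps a backup, and lets you confirm the flag is gone before running `make`. The Makefile contents in the demo function are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Removes every "-I<path>/unix"
# token from a Makefile (the exact path is not stated on the page, so any
# -I token ending in /unix is matched) so channels/h323 can be rebuilt
# against a patched pwlib/openh323 without the stale include directory.

# strip_unix_include FILE
#   Rewrites FILE in place, keeping the original as FILE.orig.
strip_unix_include() {
    mf="$1"
    cp "$mf" "$mf.orig"
    # First expression: token followed by whitespace (drop it and any
    # leading whitespace, keep one separator). Second: token at end of line.
    sed -e 's/[[:space:]]*-I[^[:space:]]*\/unix\([[:space:]]\)/\1/g' \
        -e 's/[[:space:]]*-I[^[:space:]]*\/unix$//' "$mf.orig" > "$mf"
}

# has_unix_include FILE
#   Returns 0 (true) if FILE still carries an -I<path>/unix flag.
has_unix_include() {
    grep -q -- '-I[^[:space:]]*/unix' "$1"
}

# demo: run the edit on a constructed Makefile fragment and report the result.
demo() {
    tmp=$(mktemp)
    # Constructed sample, not the real Asterisk Makefile.
    printf '%s\n' \
        'CFLAGS=-I/usr/local/include/openh323 -I/usr/local/include/pwlib/unix -Wall' \
        'LDFLAGS=-lh323 -lpt' > "$tmp"
    strip_unix_include "$tmp"
    if has_unix_include "$tmp"; then
        echo "flag still present in $tmp"
        rm -f "$tmp" "$tmp.orig"
        return 1
    fi
    echo "edited Makefile:"; cat "$tmp"
    rm -f "$tmp" "$tmp.orig"
}

# Uncomment to run the demo stand-alone:
# demo
```

Run `strip_unix_include channels/h323/Makefile` from the Asterisk source tree, then `has_unix_include channels/h323/Makefile || echo clean` before rebuilding; the `.orig` copy lets you diff the change.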