It kind of seems to be the policy of... <asterisk maintainer(s)> to not disclose anything to the public and silently update it.. I didn't want to make a fuss about it (again)... but now it's on the ML anyway... This type of "elitist" behaviour REALLY sucks... I hope in the future announcements will be made on this type of problems... Yeah I was still running a system with an old version of asterisk/iax on the public internet when I saw this on bugtraq... Because it simply worked... Other than that... if these problems are not being published when fixed... then other distro's do not have a chance to fix it... (think about distro's that use "stable" code, but haven't updated to 0.9 because of problems) Common people... this is far worse behaviour than Microsoft's policy on bugs... atleast they have *some* form of public disclosure... Jim Rosenberg wrote:>The following is pasted from SecurityFocus Newsletter #254: > >------------------------- >Asterisk PBX Multiple Logging Format String Vulnerabilities >BugTraq ID: 10569 >Remote: Yes >Date Published: Jun 18 2004 >Relevant URL: http://www.securityfocus.com/bid/10569 >Summary: >It is reported that Asterisk is susceptible to format string >vulnerabilities in its logging functions. > >An attacker may use these vulnerabilities to corrupt memory, and read or >write arbitrary memory. Remote code execution is likely possible. > >Due to the nature of these vulnerabilities, there may exist many different >avenues of attack. Anything that can potentially call the logging functions >with user-supplied data is vulnerable. > >Versions 0.7.0 through to 0.7.2 are reported vulnerable. >------------------------- > >What is the status of CVS-current with respect to this? > >I don't remember seeing any discussion of this issue here; apologies if I >missed it. >_______________________________________________ >Asterisk-Users mailing list >Asterisk-Users@lists.digium.com >http://lists.digium.com/mailman/listinfo/asterisk-users >To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users > > >
The following is pasted from SecurityFocus Newsletter #254: ------------------------- Asterisk PBX Multiple Logging Format String Vulnerabilities BugTraq ID: 10569 Remote: Yes Date Published: Jun 18 2004 Relevant URL: http://www.securityfocus.com/bid/10569 Summary: It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable. Versions 0.7.0 through to 0.7.2 are reported vulnerable. ------------------------- What is the status of CVS-current with respect to this? I don't remember seeing any discussion of this issue here; apologies if I missed it.
This was fixed in cvs HEAD and stable on 4/13/2004 and a new source release was made at the time (version 0.9.0) I'm not sure why it would be brought up on a recent newsletter, it was discussed in here (or maybe on -dev) sometime around 4/15/2004 James On Mon, 28 Jun 2004, Jim Rosenberg wrote:> The following is pasted from SecurityFocus Newsletter #254: > > ------------------------- > Asterisk PBX Multiple Logging Format String Vulnerabilities > BugTraq ID: 10569 > Remote: Yes > Date Published: Jun 18 2004 > Relevant URL: http://www.securityfocus.com/bid/10569 > Summary: > It is reported that Asterisk is susceptible to format string > vulnerabilities in its logging functions. > > An attacker may use these vulnerabilities to corrupt memory, and read or > write arbitrary memory. Remote code execution is likely possible. > > Due to the nature of these vulnerabilities, there may exist many different > avenues of attack. Anything that can potentially call the logging functions > with user-supplied data is vulnerable. > > Versions 0.7.0 through to 0.7.2 are reported vulnerable. > ------------------------- > > What is the status of CVS-current with respect to this? > > I don't remember seeing any discussion of this issue here; apologies if I > missed it. > _______________________________________________ > Asterisk-Users mailing list > Asterisk-Users@lists.digium.com > http://lists.digium.com/mailman/listinfo/asterisk-users > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >