Re: [Asterisk-Users] Security Vulnerability in Asterisk
Jim Rosenberg wrote:
> --On Monday, June 28, 2004 7:21 PM +0200 Michael Sandee [EMAIL PROTECTED] wrote:
>> Other than that... if these problems are not being published when fixed... then other distros do not have a chance to fix it... (think about distros that use stable code, but haven't updated to 0.9 because of problems)
>
> I have to say -- with somewhat less vehemence -- that I'm another user who sure never noticed that the stable release of Asterisk had moved from 0.7.2 to 0.9x. This should have been an important announcement on *SEVERAL* security grounds. As of 0.7.2, the recommended version of channel H323 had some very serious vulnerabilities that the OpenH323 folks had fixed months previously.

The latest versions of asterisk-oh323 use OpenH323 1.13.5, Pwlib 1.6.6. Why don't you use that one?

> This is an opportune time to repeat: H.323 uses ASN.1. ASN.1 is fiendishly complex and is a known bad boy in which many security holes have appeared over the years. It would be naive to think there won't be more. As VOIP hits the big-time and Asterisk joins the ranks of some of the other more famous open-source projects, quick response to security vulnerabilities will be expected. It's nice to know in the case of these format string problems that they were in some sense addressed promptly, but we're not all subscribed to the dev list. A vulnerability that is fixed in CVS head but not back-patched to stable *is not fixed* as far as a large percentage of the user base is concerned.

Michael.

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Security Vulnerability in Asterisk
This was fixed in cvs HEAD and stable on 4/13/2004 and a new source release was made at the time (version 0.9.0). I'm not sure why it would be brought up on a recent newsletter; it was discussed in here (or maybe on -dev) sometime around 4/15/2004.

James

On Mon, 28 Jun 2004, Jim Rosenberg wrote:
> The following is pasted from SecurityFocus Newsletter #254:
>
> - Asterisk PBX Multiple Logging Format String Vulnerabilities
> BugTraq ID: 10569
> Remote: Yes
> Date Published: Jun 18 2004
> Relevant URL: http://www.securityfocus.com/bid/10569
> Summary:
> It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable. Versions 0.7.0 through to 0.7.2 are reported vulnerable.
> -
>
> What is the status of CVS-current with respect to this? I don't remember seeing any discussion of this issue here; apologies if I missed it.
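An added example in C, not Asterisk's own code, of the bug class the advisory above describes: a hypothetical printf-style logger `log_msg` (standing in for something like `ast_log`), the call pattern that hands untrusted text to it as the format string, and the corrected call. It assumes a GCC/Clang compiler so that the `format` attribute and `-Wformat-security` can flag the bad pattern at build time.

```c
/* Added example, not Asterisk code: hypothetical printf-style logger with
 * the format-string defect from the advisory beside its fix. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The format attribute lets GCC/Clang warn (-Wformat-security,
 * -Wformat-nonliteral) whenever a non-literal string is used as the
 * format; this is the cheapest check against this bug class. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: untrusted text (a caller ID, a header value) becomes the
 * format string itself, so %-directives inside it are interpreted by
 * vsnprintf. The pragma only silences the compiler warning so that the
 * bad form compiles here; never call this with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_user_data_vulnerable(char *out, size_t outlen, const char *user)
{
    return log_msg(out, outlen, user);
}
#pragma GCC diagnostic pop

/* FIXED: the format is a literal and the untrusted text is only a %s
 * argument, so any %-sequences in it are copied byte for byte. */
static int log_user_data_fixed(char *out, size_t outlen, const char *user)
{
    return log_msg(out, outlen, "Call from '%s'", user);
}

/* Returns 1 when the rendered line contains the untrusted text verbatim,
 * i.e. nothing in it was interpreted as a directive. */
static int logged_verbatim(const char *user)
{
    char line[256];
    log_user_data_fixed(line, sizeof line, user);
    return strstr(line, user) != NULL;
}
```

Building with `-Wformat -Wformat-security` (and without the pragma) is the practical check: the compiler reports the vulnerable call and stays silent on the fixed one.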
Re: [Asterisk-Users] Security Vulnerability in Asterisk
--On Monday, June 28, 2004 7:21 PM +0200 Michael Sandee [EMAIL PROTECTED] wrote:
> Other than that... if these problems are not being published when fixed... then other distros do not have a chance to fix it... (think about distros that use stable code, but haven't updated to 0.9 because of problems)

I have to say -- with somewhat less vehemence -- that I'm another user who sure never noticed that the stable release of Asterisk had moved from 0.7.2 to 0.9x. This should have been an important announcement on *SEVERAL* security grounds. As of 0.7.2, the recommended version of channel H323 had some very serious vulnerabilities that the OpenH323 folks had fixed months previously.

This is an opportune time to repeat: H.323 uses ASN.1. ASN.1 is fiendishly complex and is a known bad boy in which many security holes have appeared over the years. It would be naive to think there won't be more. As VOIP hits the big-time and Asterisk joins the ranks of some of the other more famous open-source projects, quick response to security vulnerabilities will be expected. It's nice to know in the case of these format string problems that they were in some sense addressed promptly, but we're not all subscribed to the dev list. A vulnerability that is fixed in CVS head but not back-patched to stable *is not fixed* as far as a large percentage of the user base is concerned.
Re: [Asterisk-Users] Security Vulnerability in Asterisk
On Mon, 28 Jun 2004, Jim Rosenberg wrote:
> I have to say -- with somewhat less vehemence -- that I'm another user who sure never noticed that the stable release of Asterisk had moved from 0.7.2 to 0.9x. This should have been an important announcement on *SEVERAL* security grounds. As of 0.7.2, the recommended version of channel H323 had some very serious vulnerabilities that the OpenH323 folks had fixed months previously.
>
> It's nice to know in the case of these format string problems that they were in some sense addressed promptly, but we're not all subscribed to the dev list. A vulnerability that is fixed in CVS head but not back-patched to stable *is not fixed* as far as a large percentage of the user base is concerned.

It was fixed in CVS head and stable and at the same time 0.9.0 was released. The existence was noted in the ChangeLog as well that comes with asterisk:

Asterisk 0.9.0
 -- Logging fixes (fixes remote DoS)
 -- Fixes from the bug tracker
 -- ADPCM Standardization
 -- Branch to Stable CVS

I'm not sure if there was an announcement posted to the lists about the code release, but it was definitely updated on the asterisk.org page and the wiki.

James
Re: [Asterisk-Users] Security Vulnerability in Asterisk
--On Monday, June 28, 2004 9:16 PM -0400 James Golovich [EMAIL PROTECTED] wrote:
> It was fixed in CVS head and stable and at the same time 0.9.0 was released. The existence was noted in the ChangeLog as well that comes with asterisk

Good. But the OpenH323 patches were not back-patched for *months*.

> I'm not sure if there was an announcement posted to the lists about the code release, but it was definitely updated on the asterisk.org page and the wiki

Hmm, I see I wasn't subscribed to announce. Shame on me. Well, hopefully in the future new versions of stable can be announced.

I'd like to put forward as a good example what the PostgreSQL folks do. They post a kind of weekly progress report. It includes a digest of important patches, and new releases are announced all over the place. The Sunday Asterisk News posts seem to be filling that role here, and are a good thing, which I applaud.

A new release of stable should be something to brag about, yes?
Re: [Asterisk-Users] Security Vulnerability in Asterisk
On Mon, 2004-06-28 at 20:44, Jim Rosenberg wrote:
> --On Monday, June 28, 2004 9:16 PM -0400 James Golovich [EMAIL PROTECTED] wrote:
>> It was fixed in CVS head and stable and at the same time 0.9.0 was released. The existence was noted in the ChangeLog as well that comes with asterisk
>
> Good. But the OpenH323 patches were not back-patched for *months*.

And who forces you to use H323? There are other options, and there is firewalling built into linux.

>> I'm not sure if there was an announcement posted to the lists about the code release, but it was definitely updated on the asterisk.org page and the wiki
>
> Hmm, I see I wasn't subscribed to announce. Shame on me. Well, hopefully in the future new versions of stable can be announced.

Maybe you should check the -users list. Olle said the wiki changed to -HEAD on 6-13 23:00:22 +0200. Of course earlier that day it was mentioned by Olle in the Sunday News.

> I'd like to put forward as a good example what the PostgreSQL folks do. They post a kind of weekly progress report. It includes a digest of important patches, and new releases are announced all over the place. The Sunday Asterisk News posts seem to be filling that role here, and are a good thing, which I applaud.

Subscribe to -cvs and pay attention to the files that are important to your install. For example, my install doesn't have SIP, H323 nor anything other than IAX and Zap channels. I can ignore large chunks of the changes and monitor the rest.

> A new release of stable should be something to brag about, yes?

If a stable had ever really been released. It was on feature freeze and backports weren't possible for too many fixes due to feature upgrades. Life moved on, you missed the announcement, get over it.

--
Steven Critchfield [EMAIL PROTECTED]