On 14/11/2004 16:40 Olle E. Johansson said the following:
Dinesh Nair wrote:
would this patch help those who're not using broadvoice, i.e. does it
fix an issue with the way asterisk does not handle SIP registrations
correctly ?
No. The actual registration is still handled the same way. What pro
Dinesh Nair wrote:
would this patch help those who're not using broadvoice, i.e. does it
fix an issue with the way asterisk does not handle SIP registrations
correctly ?
No. The actual registration is still handled the same way. What problems do
you have, when does Asterisk not handle registrat
On 11/11/2004 06:08 Steven Sokol said the following:
The patch is necessary because (I think I have this correct -- forgive
me if I scramble any of the details) the Asterisk SIP channel was not
caching the MD5 result of the original authentication dialog, and was
instead forcing the BroadVoice s
> Don't most major Open Source projects ask that patches be e-mailed to
> a dev mailing list? Isn't the only problem with this patch that they
> didn't include the mailing list because it was of no consequence to
> the majority of Asterisk users?
>
> I can think of NO better way to distribute pat
On Fri, 2004-11-12 at 03:38, Tom Lahti wrote:
> Who cares? It's obviously a problem with asterisk, the maintainers should
> be glad to take the patch, look it over, and submit it themselves.
That would be a copyright violation. Broadvoice paid to have the patch
made, typically that would give t
Here are some others:
a) Log a bug on bugs.digium.com with/without the patch, if they
submitted a patch, also submit a disclaimer, wait for it to be added to
CVS, then ask people to either upgrade, or apply the patch found in bug
#
That doesn't work. They needed to alleviate their network NOW
On 2004.11.11 14:31 Adam Goryachev wrote:
Did they contribute to the codebase, or did they just write/release a
patch without contributing to the asterisk codebase? ie, have they
submitted the patch to the bug tracker *AND* signed the disclaimer.
In most other open-source projects there is no diffe
>Don't most major Open Source projects ask that patches be e-mailed to
>a dev mailing list? Isn't the only problem with this patch that they
>didn't include the mailing list because it was of no consequence to
>the majority of Asterisk users?
Well, I was not going to this thread, but if you're as
I'm going to get totally flamed for this but:
Don't most major Open Source projects ask that patches be e-mailed to
a dev mailing list? Isn't the only problem with this patch that they
didn't include the mailing list because it was of no consequence to
the majority of Asterisk users?
I can think
On Thu, 2004-11-11 at 13:35, Tom Lahti wrote:
> At 02:39 PM 11/10/2004, you wrote:
> > >In any case, the patch has been positively identified as being genuine.
> >
> >Which one? Anyone who got an email like that?
> >
> >Get the point? :)
>
> Since (a) asterisk is not Broadvoice's product, (b) Broa
On Wednesday 10 November 2004 09:35 pm, Tom Lahti wrote:
> At 02:39 PM 11/10/2004, you wrote:
> > >In any case, the patch has been positively identified as being genuine.
> >
> >Which one? Anyone who got an email like that?
> >
> >Get the point? :)
>
> Holy beating a dead horse, Batman.
To some it
At 02:39 PM 11/10/2004, you wrote:
>In any case, the patch has been positively identified as being genuine.
Which one? Anyone who got an email like that?
Get the point? :)
Holy beating a dead horse, Batman.
No one is suggesting that because person X read and understood the patch
that it makes it a
On Wednesday 10 November 2004 07:37 pm, Michael Giagnocavo wrote:
> >Which once again brings home the fact that too few people understand
> >security
> >in the first place.
>
> Damn straight. Check out the replies on that thread.
>
> >It's like my posting about a security list. I was wondering if a
so good for * on the public
net ?
Cheers
Sathya
> -Original Message-
> From: Steven Sokol [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 10, 2004 2:08 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [Asterisk-Users] Broadvoice asteris
- Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Broadvoice asterisk patch
I can confirm that the patch is legit. Olle wrote it up last week and
we have been testing the patch for several days. I have installed it on
all of my Asterisk boxes and it appears to do no
>Why don't you make your disdain known to Broadvoice, rather than
>Asterisk users? To claim that someone opens a security hole by
For the same reason this was originally posted to the asterisk-user list.
>accepting a verified patch via email, is the same as claiming that you
>never have a securi
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: RE: [Asterisk-Users] Broadvoice asterisk patch
>
>
> >I can confirm that the patch is legit. Olle wrote it up
> last week and
> >we have been testing the patch for several days. I have
>
>The links in an email can also be easily forged. I'm receiving several
>phishing emails from paypal and others with perfectly looking links to
>forged sites. You cannot trust email links either.
Sure, if you're using HTML email :). That's why most places tell people to
type thesite.com in the URL
Hello,
On Wed, 10 Nov 2004 17:36:51 -0500, Ryan Wilkins <[EMAIL PROTECTED]> wrote:
> I agree that sending a patch out via email blindly is not the
> appropriate method. It would have been much better to send the email
> as they did but provide a link to download the patch from the
> Broadvoice we
>In any case, the patch has been positively identified as being genuine.
Which one? Anyone who got an email like that?
Get the point? :)
-Michael
___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-user
I agree that sending a patch out via email blindly is not the
appropriate method. It would have been much better to send the email
as they did but provide a link to download the patch from the
Broadvoice website. This would help verify the authenticity of the
patch and not cause the discussio
>I don't see a security issue with his method.
>
>If you (a) read the entire patch and (b) comprehend fully everything that
>it does, then there's nothing to worry about. Fear comes from the unknown,
>and if you know everything in the patch, there's nothing to fear.
I'll agree if you fully comp
>I can confirm that the patch is legit. Olle wrote it up last week and
>we have been testing the patch for several days. I have installed it on
>all of my Asterisk boxes and it appears to do no harm.
That's not the point. The point is distributing patches via email is a
horrible way to do patc
I can confirm that the patch is legit. Olle wrote it up last week and
we have been testing the patch for several days. I have installed it on
all of my Asterisk boxes and it appears to do no harm.
The patch is necessary because (I think I have this correct -- forgive
me if I scramble any of t
At 01:14 PM 11/10/2004, you wrote:
>the patch is pure c code. it took me 5 mins to read & understand
>it. is very simple (but useful).
>Simply that patch (apart from adding some logs, comments
>and little code formatting) simply caches auth data
>AND let * manage 403 responses from the server,
>and
>> If you're joking, :).
>>
>> If you're serious, go read a primer on security.
>>
>> Do you patch your kernel the same way?
>
>No. I was speaking of THAT patch.
>that one is not so difficult, imho.
>
>a more difficult one, of course, must be
>understood before. or let someone that can
>do for
Hi,
> If you're joking, :).
>
> If you're serious, go read a primer on security.
>
> Do you patch your kernel the same way?
No. I was speaking of THAT patch.
that one is not so difficult, imho.
a more difficult one, of course, must be
understood before. or let someone that can
do for you.
I
mmmh
> Simply that patch (apart from adding some logs, comments
> and little code formatting) simply caches auth data
too many "simply" here..
> so, just read it (or let someone do for it) and understand
> that's not a problem :)
or let someone do for you
too late... my english is getting wors
>the patch is pure c code. it took me 5 mins to read & understand
>it. is very simple (but useful).
>Simply that patch (apart from adding some logs, comments
>and little code formatting) simply caches auth data
>AND let * manage 403 responses from the server,
>and this last one perhaps is the issue
Hi,
Il mer, 2004-11-10 alle 21:51, Michael Giagnocavo ha scritto:
> They send patches out by email? Who thought of this brilliant idea? "Hmm,
> let's teach our users not to be cautious."
the patch is pure c code. it took me 5 mins to read & understand
it. is very simple (but useful).
Simply that
4 2:25 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [Asterisk-Users] Broadvoice asterisk patch
>
>
> I am working as well with this patch.
>
>
>
> Tim Jackson wrote:
>
> >I've applied the patch (after scan
ssing this is normal?
-Tim
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Giagnocavo
Sent: Wednesday, November 10, 2004 2:52 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] Broadvoice aster
They send patches out by email? Who thought of this brilliant idea? "Hmm,
let's teach our users not to be cautious."
/me wonders when someone on linux is gonna install a "patch" that
compromises their system cause some email said so
-Michael
-Original Message-
From: [EMAIL PROTECTED]
al(SIP/100|30)
> exten => s,2,VoiceMail([EMAIL PROTECTED])
> exten => s,102,VoiceMail([EMAIL PROTECTED])
>
> Send outbound PSTN calls to your BroadVoice account as follows:
>
> [outgoing-context]
> exten => _.,1,Dial(SIP/broadvoice/${EXTEN})
> exten => _.,2,Congest
004 1:59 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Broadvoice asterisk patch
I was just about to ask a similar question having just received the
message.
I'm more concerned about someone trying to spread a virus or something
like that. Y
rcial Discussion
Subject: Re: [Asterisk-Users] Broadvoice asterisk patch
I was just about to ask a similar question having just received the
message.
I'm more concerned about someone trying to spread a virus or something
like that. You have to admit that the URGENT, INSTALL THIS messag
I was just about to ask a similar question having just received the
message.
I'm more concerned about someone trying to spread a virus or something
like that. You have to admit that the URGENT, INSTALL THIS message
with an attachment pretty much screams virus, even if it's not.
I tried calling
37 matches