### Description
The master branch of the Kamailio project contains unpatched sources from
OpenSIPS, in which
[CVE-2023-28098](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-jrqg-vppj-hr2h)
was reported. The function `parse_param_name()` from
`kamailio/src/core/parser/digest/param_parser.c` does not include security
patches and updates available in newer versions of OpenSIPS. The fix for the CVE
can be found in this commit: [OpenSIPS Commit
dd9141b6](https://github.com/OpenSIPS/opensips/commit/dd9141b6f67d7df4072f3430f628d4b73df5e102)
### Possible Solutions
I strongly recommend updating the sources from OpenSIPS to the latest version
available.
### Report Origin
The bug is detected by a tool developed at [CAST](https://castech.am/).
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3911