
Summary: ASTERISK-08935: Not enough information about security issues.
Reporter: Martin Juergens (pirast)
Labels:
Date Opened: 2007-03-05 08:19:06.000-0600
Date Closed: 2007-03-22 16:38:48
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description: Not enough information about security issues is being published. For example, http://asterisk.org/node/48319 only says "including a fix for a recently discovered security vulnerability".

What I and many others are missing is:

- Further information about the issue
- Patch or commit which fixes the issue (NOT a new release which fixes several other bugs)
- CVE number

Distributions like Debian or Ubuntu have to search for the code which fixed the security issue, which is a waste of manpower.

It would be much more appreciated if you would publish patches.
Comments:

By: Joshua C. Colp (jcolp) 2007-03-11 20:25:07

This situation was unique in the way it was reported and happened... normally it happens differently. I have forwarded on your details though and we'll see what we can do about future security issues.

By: Martin Juergens (pirast) 2007-03-22 15:23:33

Good evening ;)

Honestly, with the release of 1.2.17, I didn't find a diff in your announcement.

I can fully understand your point in wanting to release as little information as possible, but people who want to exploit Asterisk are probably not stupid and will have a look at the changelog.

But the problem again is that I want to publish a version which fixes the issue for Ubuntu.

My guess is that http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475 fixes the issue, but it would be good to have an official confirming that it fixes the problem.

By: Serge Vecher (serge-v) 2007-03-22 15:36:05

Hi, pirast: that was indeed the revision that provided a fix for the vulnerability in Mu Security's advisory. Please note that the following line was changed later on in rev. 58052:

-transmit_response(p, "503 Server error", req);
+transmit_response(p, "400 Bad request", req
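Review bot: the status-code change in this hunk is the right one: a request that fails the parser's checks is malformed input from the peer, so a 4xx response attributes the fault to the sender, whereas "503 Server error" tells the peer that the server itself failed and can prompt retries or fail-over to another proxy. Note that the `+` line as pasted here is truncated: it ends at `req` and is missing the closing `);` that the `-` line carries, so it should not be copied into a distribution patch verbatim; take the line from the revision itself.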

By: Martin Juergens (pirast) 2007-03-22 16:15:07

Serge, thanks for your reply!

I just noted that the patch that I "selected" is already included in 1.2.16 (which Ubuntu already fixed).

Now, it would be nice to know which revision fixes the security hole closed in 1.2.17.

By: Serge Vecher (serge-v) 2007-03-22 16:26:38

There were no *security* fixes in 1.2.17. Please try to abstain from reopening closed bugs; if you have additional questions or comments, it is always better to communicate in real time with a bug marshal on the #asterisk-bugs channel (freenode).

By: Joshua C. Colp (jcolp) 2007-03-22 16:38:48

There was indeed a security fix. The revision in question is (for 1.2) 58579.