Summary:ASTERISK-08935: Not enough information about security issues.
Reporter:Martin Juergens (pirast)Labels:
Date Opened:2007-03-05 08:19:06.000-0600Date Closed:2007-03-22 16:38:48
Versions:Frequency of
Description:Not enough information about security issues is being published. For example, http://asterisk.org/node/48319 only says "including a fix for a recently discovered security vulnerability".

What I and many others are missing is:

- Further information about the issue
- Patch or commit which fixes the issue (NOT a new release which fixes several other bugs)
- CVE number

Distributions like Debian or Ubuntu have to search for the code which fixed the security issue, which is a waste of manpower.

It would be much more appreciated if you would publish patches.
Comments:By: Joshua C. Colp (jcolp) 2007-03-11 20:25:07

This situation was unique in the way it was reported and happened... normally it happens differently. I have forwarded on your details though and we'll see what we can do about future security issues.

By: Martin Juergens (pirast) 2007-03-22 15:23:33

Good evening ;)

Honestly, with the release of 1.2.17, I didn't find a diff in your announcment.

I can fully understand your point in wanting to release as less information as possible, but people that want to exploit Asterisk are probably not stupid and will have a look at the chagenlog.

But the problem again is that I want to publish a version which fixes the issue for Ubuntu.

My guess is that http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475 fixes the issue, but it would be good to have an official confirming that it fixes the problem.

By: Serge Vecher (serge-v) 2007-03-22 15:36:05

hi, pirast: that was indeed the revision that provided a fix for vulnerability in Mu Security's advisory. Please note that the following line was changed later on in rev.58052

-transmit_response(p, "503 Server error", req);
+transmit_response(p, "400 Bad request", req

By: Martin Juergens (pirast) 2007-03-22 16:15:07

serge, thanks for your reply !

i just noted that the patch that i "selected" is already included in 1.2.16 (which ubuntu already fixed).

now, it would be nice to know which revision fixes the security hole closed in 1.2.17.

By: Serge Vecher (serge-v) 2007-03-22 16:26:38

there were no *security* fixes in 1.2.17. Please try to abstain from reopening closed bugs -> if you have additional questions or comments, it is always better t o communicate realtime with a bug-marshall on #asterisk-bugs channel (freenode)

By: Joshua C. Colp (jcolp) 2007-03-22 16:38:48

There was indeed a security fix. The revision in question is (for 1.2) 58579.