Summary: ASTERISK-08935: Not enough information about security issues.
Reporter: Martin Juergens (pirast)
Date Opened: 2007-03-05 08:19:06.000-0600
Date Closed: 2007-03-22 16:38:48
Description: Not enough information about security issues is being published. For example, http://asterisk.org/node/48319 only says "including a fix for a recently discovered security vulnerability".
What I and many others are missing is:
- Further information about the issue
- Patch or commit which fixes the issue (NOT a new release which fixes several other bugs)
- CVE number
Distributions like Debian or Ubuntu have to search for the code which fixed the security issue, which is a waste of manpower.
It would be much more appreciated if you would publish patches.
Comments:
By: Joshua C. Colp (jcolp) 2007-03-11 20:25:07
This situation was unique in the way it was reported and happened... normally it happens differently. I have forwarded on your details though and we'll see what we can do about future security issues.
By: Martin Juergens (pirast) 2007-03-22 15:23:33
Good evening ;)
Honestly, with the release of 1.2.17, I didn't find a diff in your announcement.
I can fully understand your point in wanting to release as little information as possible, but people that want to exploit Asterisk are probably not stupid and will have a look at the changelog.
But the problem again is that I want to publish a version which fixes the issue for Ubuntu.
My guess is that http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475 fixes the issue, but it would be good to have an official confirmation that it fixes the problem.
By: Serge Vecher (serge-v) 2007-03-22 15:36:05
hi, pirast: that was indeed the revision that provided a fix for the vulnerability in Mu Security's advisory. Please note that the following line was changed later on in rev. 58052
-transmit_response(p, "503 Server error", req);
+transmit_response(p, "400 Bad request", req
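Review bot: the replacement line is cut off as quoted here, missing the closing `);` of the `transmit_response(...)` call; the complete statement should read `transmit_response(p, "400 Bad request", req);`. The status-code change itself is the right call: the condition being rejected is a malformed request from the peer, which is a client error, so 400 Bad request describes it correctly, whereas 503 Server error wrongly tells the client that the server itself is failing and may cause it to retry, fail over to another server, or mark this peer as down.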
By: Martin Juergens (pirast) 2007-03-22 16:15:07
serge, thanks for your reply!
I just noted that the patch that I "selected" is already included in 1.2.16 (which Ubuntu already fixed).
Now, it would be nice to know which revision fixes the security hole closed in 1.2.17.
By: Serge Vecher (serge-v) 2007-03-22 16:26:38
there were no *security* fixes in 1.2.17. Please try to abstain from reopening closed bugs -> if you have additional questions or comments, it is always better to communicate in real time with a bug marshal on the #asterisk-bugs channel (freenode)
By: Joshua C. Colp (jcolp) 2007-03-22 16:38:48
There was indeed a security fix. The revision in question is (for 1.2) 58579.