On Wed, 2003-09-10 at 13:16, Tilghman Lesher wrote:
> On Wednesday 10 September 2003 01:04 pm, Olle E. Johansson wrote:
> > Tilghman Lesher wrote:
> > > On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote:
> > >>Lubomir Christov wrote:
> > >>>today I found this security report regarding Asterisk SIP
> > >>>Security.
> > >>>
> > >>>http://www.securiteam.com/securitynews/5LP0720B5G.html
> > >>
> > >>Important information. Why a "silent" patch and no information to
> > >>the mailing list? Security by obscurity :-(
> > >
> > > Probably because Mark doesn't have time to realize that somebody
> > > is going to publish a temporary vulnerability that he fixes in 5
> > > minutes. When someone points out a bug in my own programs, I'll
> > > go fix it, but I don't usually then publish a vulnerability page
> > > describing the problem: it's a bug, I fixed it, what's next?
> >
> > I understand it from a programmer's view. But from the large user
> > base point of view - there's a lot of installations out there that
> > needs to be updated and they did not get the information that they
> > had to update. Not all want to CVS-update running systems to the
> > latest code.
>
> Read the security vulnerability. It referenced CVS as of a certain
> date. If you aren't keeping up with CVS changes, why are you running
> CVS at all?

Tilghman, the problem is that there was a large number of older installations out there that needed the updates, but no notice until lately about a problem that is almost a month old. That security site is not one I would have expected to read for asterisk news.

Of course this is a good reminder to turn off options you are not running like SIP/MGCP/H323 if possible. This is how I dealt with this problem on my production needs to be rock solid * box. It is what is normally expected of good sys admins besides being on top of all the security mailing lists and project lists.

--
Steven Critchfield <[EMAIL PROTECTED]>

_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
