I didn't want to make a fuss about it (again)... but now it's on the ML anyway...
This type of "elitist" behaviour REALLY sucks...
I hope in the future announcements will be made on this type of problem... Yeah I was still running a system with an old version of asterisk/iax on the public internet when I saw this on bugtraq... Because it simply worked...
Other than that... if these problems are not being published when fixed... then other distros do not have a chance to fix it... (think about distros that use "stable" code, but haven't updated to 0.9 because of problems)
Come on people... this is far worse behaviour than Microsoft's policy on bugs... at least they have *some* form of public disclosure...
Jim Rosenberg wrote:
The following is pasted from SecurityFocus Newsletter #254:
-------------------------
Asterisk PBX Multiple Logging Format String Vulnerabilities
BugTraq ID: 10569
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10569
Summary: It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions.
An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible.
Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable.
Versions 0.7.0 through to 0.7.2 are reported vulnerable.
-------------------------
What is the status of CVS-current with respect to this?
I don't remember seeing any discussion of this issue here; apologies if I missed it.
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
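Added example, not part of this thread and not Asterisk's own code: the bug class named in the quoted advisory (user-supplied data reaching a logging function as its format string), shown as a hardened call site with the vulnerable form in a comment for contrast. The names demo_log, log_peer_name and count_conversions are hypothetical, and the peer string is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger (an assumption, not Asterisk code).
 * The attribute lets GCC/Clang check call sites; -Wformat-security
 * then flags any call whose format is not a string literal. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int demo_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Audit helper: count conversion specifiers in untrusted text.
 * "%%" is a literal percent sign and is not counted. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                /* skip the escaped percent */
        else if (s[1] != '\0')
            count++;
    }
    return count;
}

/* Hardened call site: remote data is only ever passed as an argument. */
static int log_peer_name(char *out, size_t outlen, const char *peer)
{
    /* Vulnerable form, for contrast only, never compiled:
     *     demo_log(out, outlen, peer);   every '%' in peer is interpreted */
    return demo_log(out, outlen, "Registration from peer '%s'", peer);
}

int main(void)
{
    char line[128];
    const char *peer = "alice%x%x%n";   /* constructed sample input */
    log_peer_name(line, sizeof line, peer);
    printf("%s (conversions in input: %d)\n", line, count_conversions(peer));
    return 0;
}
```

With the constant "%s" format the specifiers in the peer name are copied into the log line as plain text instead of being interpreted.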
