ASTERISK-8935: Not enough information about security issues.

    Details

    • Type: Bug
    • Status: Closed
    • Severity: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Target Release Version/s: None
    • Component/s: Core/General
    • Labels:
      None
    • Mantis ID:
      9203
    • Regression:
      No

      Description

      Not enough information about security issues is being published. For example, http://asterisk.org/node/48319 only says "including a fix for a recently discovered security vulnerability".

      What I and many others are missing is:

      • Further information about the issue
      • Patch or commit which fixes the issue (NOT a new release which fixes several other bugs)
      • CVE number

      Distributions like Debian or Ubuntu have to search for the code which fixed the security issue, which is a waste of manpower.

      It would be much more appreciated if you would publish patches.


        Activity

        Joshua Colp added a comment -

        This situation was unique in the way it was reported and happened... normally it happens differently. I have forwarded on your details though and we'll see what we can do about future security issues.

        Martin Juergens added a comment -

        Good evening

        Honestly, with the release of 1.2.17, I didn't find a diff in your announcement.

        I can fully understand your point in wanting to release as little information as possible, but people that want to exploit Asterisk are probably not stupid and will have a look at the changelog.

        But the problem again is that I want to publish a version which fixes the issue for Ubuntu.

        My guess is that http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475 fixes the issue, but it would be good to have an official confirming that it fixes the problem.

        Serge Vecher added a comment -

        Hi, pirast: that was indeed the revision that provided a fix for the vulnerability in Mu Security's advisory. Please note that the following line was changed later on in rev. 58052:

        -transmit_response(p, "503 Server error", req);
        +transmit_response(p, "400 Bad request", req
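Review bot: the `+` line is cut off in this quote: it ends at `req` while the `-` line it replaces ends with `req);`, so the closing `);` is missing and the line as shown would not compile; quote it as `+transmit_response(p, "400 Bad request", req);`. The change of status class also deserves a sentence in the log message: a request the server could not parse is a client error, so a 4xx reply (400 Bad Request) is the correct one, whereas 503 Server Error tells the client that the server itself failed.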

        Martin Juergens added a comment -

        Serge, thanks for your reply!

        I just noted that the patch that I "selected" is already included in 1.2.16 (which Ubuntu already fixed).

        Now, it would be nice to know which revision fixes the security hole closed in 1.2.17.

        Serge Vecher added a comment -

        There were no security fixes in 1.2.17. Please try to abstain from reopening closed bugs -> if you have additional questions or comments, it is always better to communicate in real time with a bug marshal on the #asterisk-bugs channel (freenode).

        Joshua Colp added a comment -

        There was indeed a security fix. The revision in question is (for 1.2) 58579.

