VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
mwatson at becon.org
Guest
|
 Posted: Wed Apr 23, 2008 12:06 am Post subject: [asterisk-users] AST-2008-006 - 3-way handshake in IAX2 inco |
 |
|
I can;t imagine what headaches you'd have going from 1.4.11 to 1.4.19.1... that is a minor version upgrade... no real change in functionality.... thats basically 8 versions of bug fixes... if you just apply the IAX2 patch, you'll be fixing 1 out of probably a hundreds of bugs. Going from 1.4.x to 1.6.x however... you'd run into some headaches probably... but if you are staying in the 1.4 series you shouldn;t have any problems... worst case is if its broke you just make install your 1.4.11 overtop of 1.4.19.1 to revert back.
--
Matt
________________________________________
From: asterisk-users-bounces at lists.digium.com [asterisk-users-bounces at lists.digium.com] On Behalf Of Brian J. Murrell [brian at interlinx.bc.ca]
Sent: Tuesday, April 22, 2008 8:34 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] AST-2008-006 - 3-way handshake in IAX2 incomplete
On Tue, 2008-04-22 at 17:58 -0500, Security Officer wrote:
| Quote: | Asterisk Project Security Advisory - AST-2008-006
|
So given that I'm new to asterisk's svn and bug tracking tool, is it
sufficient then to apply the two patches (iax_dcallno_check-1.2.rev3.txt
and iax_dcallno_check.rev9.txt) listed in
http://bugs.digium.com/view.php?id=10078 to a 1.4.11ish release to
correct this vulnerability? I really don't feel like buying into
any/all of the headaches that went into 1.4.11->1.4.20. You know, "if
it ain't broke don't fix it", and my corollary, "if it is broke, only
fix what's broke, don't try to make it better". 
Thanx,
b. |
|
| Back to top |
|
 |
tilghman at mail.jeffa...
Guest
|
| Posted: Thu Apr 24, 2008 9:13 am Post subject: [asterisk-users] AST-2008-006 - 3-way handshake in IAX2 inco |
|
|
On Wednesday 23 April 2008 18:26, Brian J. Murrell wrote:
| Quote: | On Wed, 2008-04-23 at 08:52 -0500, Tilghman Lesher wrote:
| Quote: | Please understand that that's NOT the only security fix that has gone in
during that time. If this is the only thing that you fix, you're likely
to be vulnerable on several other levels. See our full list of security
disclosures at http://downloads.digium.com/pub/security/
|
Hrm. Interesting. I don't recall seeing any of those others, such as
AST-2008-005 on this list. Is there some kind of "threat level"
threshold that's applied to what makes the list(s) and what doesn't?
|
Check the archives. Every single one of the advisories goes out to -users,
-dev, -announce, and -security, along with 4 outside lists (bugtraq, voipsec,
full disclosure, and one other that I can't think of at the moment). The
advisories are also posted at asterisk.org, and I think most of the people who
blog on Asterisk pick up the advisories, as well.
In short, I can't think of a reason why you should be unaware of any security
advisory regarding a past release of Asterisk.
--
Tilghman |
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
