<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.E-MailFormatvorlage18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Hello Maxim,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">thank you for the clarification, appreciated.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Just one clarification: my comment regarding the advisory from 2018 was not meant as an advertisement etc.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">One suggestion to objectify the whole discussion: there exists a well-known and accepted metric for vulnerabilities, CVSS [1].</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">If I calculate the CVSS score for this issue, it results in a medium level with a score of 5.8. But this is of course again (at least somewhat) influenced by my point of view on this bug.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Some projects have a policy to only do a security announcement for vulnerabilities with a score of high or critical. For Kamailio this is not yet defined in a detailed way, due to the size of the project and other factors.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">So, if people in this discussion (or other people on the list) are interested in improving the project's security processes, this wiki page with the current process might be a good starting point: <a href="https://www.kamailio.org/wiki/security/policy">https://www.kamailio.org/wiki/security/policy</a></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Please suggest your improvements to the existing process (preferably in a new discussion thread) on the sr-dev list. If you want to do it in private, feel free to contact the management list.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Henning<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">[1] <a href="https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System">
https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System</a> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">-- </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Henning Westerholt –
</span><span style="mso-fareast-language:EN-US"><a href="https://skalatan.de/blog/"><span lang="EN-GB" style="color:#0563C1">https://skalatan.de/blog/</span></a></span><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Kamailio services –
</span><span style="mso-fareast-language:EN-US"><a href="https://gilawa.com/"><span lang="EN-GB" style="color:#0563C1">https://gilawa.com</span></a></span><span style="mso-fareast-language:EN-US">
<span lang="EN-GB"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:35.4pt"><b>From:</b> Maxim Sobolev &lt;sobomax@sippysoft.com&gt;<br>
<b>Sent:</b> Wednesday, September 2, 2020 7:27 PM<br>
<b>To:</b> Daniel-Constantin Mierla &lt;miconda@gmail.com&gt;; Henning Westerholt &lt;hw@skalatan.de&gt;; yufei.tao@gmail.com; Olle E. Johansson &lt;oej@edvina.net&gt;<br>
<b>Cc:</b> Gerry | Rigatta &lt;gjacobsen@rigatta.com&gt;; Kamailio (SER) - Users Mailing List &lt;sr-users@lists.kamailio.org&gt;<br>
<b>Subject:</b> Re: [SR-Users] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf</p>
</div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Hey Daniel, Henning, Tao,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Thanks for commenting out. There are a lot of opinions for me to address individually, so I will just clarify my opinion. The only substantial difference, I think, is whether the issue at hand warrants a security advisory to be issued by the Kamailio project or not. I totally think that it does, but it looks like I am in the minority here.</p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Why do I think this way? Well, the first argument is a bit empirical. It is hard to generalize out of a sample size of 1, but in like 90% of engagements where I had to use a SIP Proxy element and integrate it with different SIP elements I ended up using "private headers" for passing information between elements within that setup. So the task of cleaning up those headers at the edge of the network is very relevant at least to some users. It also matches Sandro's assessment, which gives it at least some credibility.</p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Second, a more general one. Not only do I have some experience in the software development field, but I also got a chance to participate in much bigger and older open source projects (i.e. the FreeBSD Project, 400+ active developers, 1,000+ contributors), so I have seen how security is dealt with properly in a mature open source project. You guys might fancy the fact that Kamailio issued its last security advisory in 2018 as a "code quality" indicator, but to me that shows a total lack of a proper security process. With a code base of its size, I'd expect at least several security issues of various criticality being found per year. I frankly don't understand the pushback I am getting. It almost looks like issuing such an advisory is viewed as harmful and damaging to the project's "spotless" reputation or something. However, in my view it would show respect to users and an understanding that many of those users might be using it in a way that differs from its creators'.</p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">It might come as a surprise to some of you, but 95% of Kamailio users are not reading this and those lists or following Sandro's work in general. However, if there were a section "Security Advisories" on <a href="http://kamailio.org">kamailio.org</a>, that would be the place to go. And those users are often not individuals, but companies building their products and solutions atop Kamailio.</p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Also, a properly issued security advisory helps package maintainers; any Linux distro of decent size has its own process to handle and disseminate those among their own users to update the package ASAP. But if Kamailio chooses to not issue any, it basically cuts itself out of that process.</p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">And last but not least, to the remark that I need to step in and fix things: well, I am hardly the person to do that. Too many projects and too little time; however, I also don't think I cannot voice my opinion, or can I? By the way, I know at least one person in the Kamailio community that might be more fit as a "Kamailio Security Officer": Olle E. Johansson. Olle, what's your take on this? Does this problem warrant a security advisory?</p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">-Max<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>