<!DOCTYPE html><html><head><title></title><style type="text/css">
p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body><div><br></div><div><br></div><div>On Tue, 22 Sep 2020, at 12:55 PM, Daniel-Constantin Mierla wrote:<br></div><blockquote type="cite" id="qt" style=""><p>At least in my case you push out some inaccurate information. I
      never said my "deployments were not affected since non-standard
      headers were not used".<br></p></blockquote><div><br></div><div>Sorry about the misquote. I have clarified that part of the post.  <br></div><div><br></div><div>If anyone feels that I misquoted them, feel free to reach out directly on list, offlist or over matrix/wire etc (sandrogauci).<br></div><div><br></div><blockquote type="cite" id="qt" style=""><p>Iirc, I only said that none of my deployments were affected by
      this issue -- respectively quoting from my message: "None of my
      deployments were affected." from: <a class="qt-moz-txt-link-freetext" href="https://lists.kamailio.org/pipermail/sr-users/2020-September/110315.html">https://lists.kamailio.org/pipermail/sr-users/2020-September/110315.html</a> . If I am mistaken and you found another remark from me, just
      point to my message from where you got that.<br></p><p>So, for further clarification: either non-standard headers were
      used for non-security related features (e.g., used for
      troubleshooting purposes) or the issue didn't affect the
      deployments from different perspective (e.g., traffic was checked
      to be from a trusted source).<br></p><p>And remember that the issue was not with remove_hf() function
      itself, like it is somehow propagated by blog posts, but it was in
      the parser, so use of custom headers between two kamailio was not
      affected if an edge proxy did something like:<br></p><p>remove_hf("X-H");<br></p><p>append_hf("X-H: abc\r\n");<br></p><p>And then, if next hop Kamailio was using $hdr(X-H), it will get
      "abc" (value added by previous Kamailio), not what a bad actor
      would add as "X-H : badvalue\r\n" sip header.<br></p><p>Then you listed two commits you consider there should have been
      security advisories about. Have you analysed the code and found
      cases where security was affected, or is it just your opinion
      based on the commit message and code patch?<br></p><p>First, I would love that one or many spend time to dissect
      commits and see their security implication. I am more than happy
      when someone does it and lets everyone be aware of it, also to write
      and publish appropriate advisory.<br></p><p>Otherwise, for those two specific commits you listed, the one
      from Federico is a memory leak, I haven't spent time on going
      deeper to find the specific cases; the From header should be parsed in
      SIP requests. My commit was done based on a static code analyzer
      and again I was not spending time to see what implications are.<br></p><p>In general, in the code we work a lot with str structure
      (non-zero terminated char* and len), many of the "safety" commits
      done lately were to silence static code analysers, not meaning that
      it was a real issue found behind. Some can be, and here we
      appreciate the time and effort of people like you to dissect them
      and make appropriate advisories.<br></p><p>I would like people to verify what they write about what specific
      people (of course, especially for my person) said before pushing
      out, and eventually validate a commit to fix something has
      security impact, instead of just personal guessing, if the
      intention is to help the project and not to create more confusion
      or other reactions for what so ever reasons.<br></p><p>This should be my last comment on the thread, I do not want to
      spend any more time in clarifying what people think I said or I
      did.<br></p><p><br></p><div>Cheers,<br></div><div>Daniel<br></div><p><br></p><div class="qt-moz-cite-prefix">On 22.09.20 11:31, Sandro Gauci wrote:<br></div><blockquote type="cite" cite="mid:39726c23-56f3-4069-b3b0-addd6118f36a@www.fastmail.com"><div>I know I am waking up an old debate by replying to this
        thread. Deeply sorry :-)<br></div><div><br></div><div>Finally got around to writing up a blog post about this very
        thread where I (think) I spared absolutely no one, not even
        myself. <br></div><div><br></div><div>My post is called "The great Kamailio security debate and
        some misconceptions debunked" and can be read here:<br></div><div><br></div><div><a href="https://www.rtcsec.com/2020/09/02-kamailio-security-debate-and-misconceptions/">https://www.rtcsec.com/2020/09/02-kamailio-security-debate-and-misconceptions/</a><br></div><div><br></div><div>The ToC:<br></div><ol><li>Introduction<br></li><li>A bit of background before diving in<br></li><li>Claim: this issue does not affect many organisations<br></li><li>Claim: custom headers are only known to internal users<br></li><li>Claim: if it’s an 18 year old bug, it can’t have been high
          risk<br></li><li>Claim: this should have been found if people were doing
          proper testing<br></li><li>Claim: infrequent advisories = project is not serious about
          security<br></li><li>Claim: limited number of advisories = project is more secure<br></li><li>Claim: if you’re serious about security, monitor the mailing
          lists<br></li><li>Claim: security experts should decide what is a security
          vulnerability<br></li><li>Discussion: when should the project publish an advisory?<br></li><li>Discussion: educational security role<br></li><li>Moving forward<br></li></ol><div>Hope that it is at least interesting and perhaps even
        constructive!<br></div><div><br></div><div>Best wishes,<br></div><div id="qt-sig45665722"><div><br></div><div>--<br></div><div> <br></div><div>    Sandro Gauci, CEO at Enable Security GmbH<br></div><div><br></div><div>    Register of Companies:      AG Charlottenburg HRB
          173016 B<br></div><div>    Company HQ:                       Pappelallee 78/79,
          10437 Berlin, Germany<br></div><div>    PGP/Encrypted comms:     <a class="qt-moz-txt-link-freetext" href="https://keybase.io/sandrogauci">https://keybase.io/sandrogauci</a><br></div><div>    Our blog:                                <a class="qt-moz-txt-link-freetext" href="https://www.rtcsec.com">https://www.rtcsec.com</a><br></div><div>    Other points of contact:      <a class="qt-moz-txt-link-freetext" href="https://enablesecurity.com/#contact-us">https://enablesecurity.com/#contact-us</a><br></div><div><br></div></div><div><br></div><div><br></div><div>On Thu, 3 Sep 2020, at 10:34 AM, Olle E. Johansson wrote:<br></div><blockquote type="cite" id="qt-qt" style="overflow-wrap:break-word;"><div>Well, you have defined one definitive line between being
          stupid and following some current practice :-)<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">I like to think we as a project have an
          educational role as well. In this case explaining the bug we
          had and what it can cause.<br></div><div class="qt-qt-">We should definitely add a warning along the
          lines you write too - relying on headers alone is bad and not
          best current practice.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><div>/O<br></div><div><div><br></div><blockquote type="cite" class="qt-qt-"><div class="qt-qt-">On 3 Sep 2020, at 10:14, davy van de
                moere <<a href="mailto:davy.van.de.moere@gmail.com" class="qt-qt-">davy.van.de.moere@gmail.com</a>>
                wrote:<br></div><div><br></div><div class="qt-qt-"><div dir="ltr" class="qt-qt-"><div>After 20 years in voip, my 2 cents on this, if
                    you succeed in creating a voip system where the
                    security of the whole relies on the ability to
                    remove (or only keep specific) custom sip headers,
                    you will wake up one morning realizing a bunch of
                    people in Palestine made a gazillion calls over your
                    system to expensive destinations, bringing you to or
                    over the edge of bankruptcy.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">Security should be multilayered, one
                    header sneaking through should not give any big
                    problems. <br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><div class="qt-qt-">From a security point of view, this
                      could be called a 'normal' security risk, I think.
                      It's a bit more than low as you can do more than
                      just get some info, but it's not high, as you
                      would need to have many other factors going wrong
                      to get to a successful exploit. <br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><br></div></div></div><div><br></div><div class="qt-qt-gmail_quote"><div dir="ltr" class="qt-qt-gmail_attr">Op do 3 sep. 2020
                    om 09:18 schreef Olle E. Johansson <<a href="mailto:oej@edvina.net" class="qt-qt-">oej@edvina.net</a>>:<br></div><blockquote class="qt-qt-gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div style="overflow-wrap:break-word;" class="qt-qt-"><div>One thought - we may have to separate
                        security vulnerability reporting from security
                        advisory documents. I think in some cases, where
                        a common use of a product can lead to issues
                        (but it is not clearly a bug that causes crashes
                        in our code) we may have to send out an advisory
                        and publish it in the same way. The problem with
                        that is where the border is between just doing
                        stupid things like taking SQL statements from
                        SIP headers and issues like this that are harder
                        to catch.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">We had a long and hard discussion
                        about this in the Asterisk project many years
                        ago - a very common dialplan construct (that was
                        documented in many places) was indeed very
                        dangerous. It wasn’t any code in asterisk that
                        caused the issue, just a common dialplan
                        construct that existed in many, many production
                        systems. In the end, if I remember correctly,
                        the project issued an advisory and added a
                        README about it.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">Maybe that’s a way forward.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><div>/O<br></div><div class="qt-qt-"><div><br></div><blockquote type="cite" class="qt-qt-"><div class="qt-qt-">On 2 Sep 2020, at 21:25,
                              Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" class="qt-qt-">hw@skalatan.de</a>>
                              wrote:<br></div><div><br></div><div class="qt-qt-"><div style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-line:none;text-decoration-style:initial;text-decoration-color:initial;" class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-">Hello Maxim,</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">have a look
                                    to the first sentence:</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">“A security
                                    vulnerability is (for example) when
                                    a user of Kamailio can cause
                                    Kamailio to crash or lock up by
                                    sending messages to the server
                                    process.”</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">So there is
                                    some limitation regarding
                                    vulnerability criticality defined in
                                    there. But of course (as I already
                                    mentioned), it might be improved to
                                    e.g. use CVSS scoring instead.</span><span class="qt-qt-" lang="EN-GB"></span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Cheers,</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Henning</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="border-top-style:solid;border-right-style:none;border-bottom-style:none;border-left-style:none;border-top-width:1pt;border-top-color:rgb(225, 225, 225);padding-top:3pt;padding-right:0cm;padding-bottom:0cm;padding-left:0cm;" class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><b class="qt-qt-"><span class="qt-qt-" lang="EN-GB">From:</span></b><span class="qt-qt-" lang="EN-GB"><span class="qt-qt-"> </span>Maxim
                                      Sobolev <<a href="mailto:sobomax@sippysoft.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">sobomax@sippysoft.com</a>><span class="qt-qt-"> </span><br class="qt-qt-"> <b class="qt-qt-">Sent:</b><span class="qt-qt-"> </span>Wednesday,
                                      September 2, 2020 9:15 PM<br class="qt-qt-"> <b class="qt-qt-">To:</b><span class="qt-qt-"> </span>Henning
                                      Westerholt <<a href="mailto:hw@skalatan.de" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">hw@skalatan.de</a>><br class="qt-qt-"> <b class="qt-qt-">Cc:</b><span class="qt-qt-"> </span>Daniel-Constantin
                                      Mierla <<a href="mailto:miconda@gmail.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">miconda@gmail.com</a>>;<span class="qt-qt-"> </span><a href="mailto:yufei.tao@gmail.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">yufei.tao@gmail.com</a>;
                                      Olle E. Johansson <<a href="mailto:oej@edvina.net" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">oej@edvina.net</a>>;
                                      Gerry | Rigatta <<a href="mailto:gjacobsen@rigatta.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">gjacobsen@rigatta.com</a>>;
                                      Kamailio (SER) - Users Mailing
                                      List <<a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">sr-users@lists.kamailio.org</a>>;<span class="qt-qt-"> </span><a href="mailto:jbrower@signalogic.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">jbrower@signalogic.com</a><br class="qt-qt-"> <b class="qt-qt-">Subject:</b><span class="qt-qt-"> </span>Re:
                                      [SR-Users] Kamailio vulnerable to
                                      header smuggling possible due to
                                      bypass of remove_hf</span></div></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">On Wed,
                                      Sep 2, 2020 at 11:30 AM Henning
                                      Westerholt <<a href="mailto:hw@skalatan.de" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">hw@skalatan.de</a>>
                                      wrote:<br></div></div><div class="qt-qt-"><blockquote style="border-top-style:none;border-right-style:none;border-bottom-style:none;border-left-style:solid;border-left-width:1pt;border-left-color:rgb(204, 204, 204);padding-top:0cm;padding-right:0cm;padding-bottom:0cm;padding-left:6pt;margin-left:4.8pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Hello
                                              Maxim,</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">thank
                                              you for the clarification,
                                              appreciated.</span><br></div></div></div></blockquote><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">No
                                        worries, hope to have a
                                        civilized discussion.<br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><blockquote style="border-top-style:none;border-right-style:none;border-bottom-style:none;border-left-style:solid;border-left-width:1pt;border-left-color:rgb(204, 204, 204);padding-top:0cm;padding-right:0cm;padding-bottom:0cm;padding-left:6pt;margin-left:4.8pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Just
                                              one clarification, my
                                              comment regarding the
                                              advisory from 2018 was not
                                              meant as advertisement
                                              etc..</span><br></div></div></div></blockquote><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">Point
                                        taken, I dramatized of course to
                                        underline my point. <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><blockquote style="border-top-style:none;border-right-style:none;border-bottom-style:none;border-left-style:solid;border-left-width:1pt;border-left-color:rgb(204, 204, 204);padding-top:0cm;padding-right:0cm;padding-bottom:0cm;padding-left:6pt;margin-left:4.8pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">One
                                            suggestion to objectify the
                                            whole discussion, there
                                            exists a well-known and
                                            accepted metric for
                                            vulnerabilities: CVSS [1]<br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">If
                                              I calculate the CVSS score
                                              for this issue, it results
                                              in a medium level with
                                              score 5.8. But this is of
                                              course again (at least
                                              somewhat) influenced from
                                              my point of view to this
                                              bug.</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Some
                                              projects have a policy to
                                              only do a security
                                              announcement for
                                              vulnerabilities with score
                                              high and critical. For
                                              Kamailio this is not yet
                                              defined in a detailed way,
                                              due to the size of the
                                              project and other factors.</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">So,
                                               if people in this
                                              discussion (or other
                                              people on the list) are
                                              interested in improving
                                              the project security
                                              processes – this wiki page
                                              with the current process
                                              might be a good starting
                                              point:<a href="https://www.kamailio.org/wiki/security/policy" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">https://www.kamailio.org/wiki/security/policy</a></span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Please
                                              suggest your improvements
                                              to the existing process
                                               (preferably in a new
                                              discussion thread) on the
                                              sr-dev list. If you want
                                              to do it in private, feel
                                               free to contact the
                                              management list.</span><br></div></div></div></blockquote><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">Well,
                                        first suggestion after having
                                        read it: to start actually
                                        following what's documented
                                        before any improvements are
                                        made. ;-) The policy says plain
                                        and simple (quote):<br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div></div><blockquote style="margin-left:30pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><h4 id="qt-qt-gmail-m_-221075449414644861gmail-publishing_security_vulnerabilities" style="margin-right:0cm;margin-left:35.4pt;font-size:12pt;font-family:Calibri, sans-serif;margin-bottom:12pt;" class="qt-qt-"><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">Publishing
                                                security vulnerabilities</span></span></span></span></span><br></h4></div></div></blockquote><blockquote style="margin-left:30pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">Kamailio
                                                will publish security
                                                vulnerabilities,
                                                including an CVE ID, on
                                                the kamailio-business
                                                mailing list, sr-dev,
                                                sr-users as well as
                                                related lists.<span class="qt-qt-"> </span></span></span></span></span></span><span style="color:red;" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">The
                                                advisories will also be
                                                published on the<span class="qt-qt-"> </span><a href="http://kamailio.org/" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">kamailio.org</a><span class="qt-qt-"> </span>web
                                                site</span></span></span></span></span><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">.</span></span></span></span></span> <br></div></div></div><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div></div><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">CVE
                                                entries should be
                                                created for
                                                vulnerabilities in the
                                                core and major modules,
                                                for rarely used modules
                                                this is not necessary.
                                                If there are several
                                                security issues together
                                                in one release, they
                                                should be announced
                                                together.</span></span></span></span></span>  <br></div></div></div></blockquote><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">I might
                                        be missing something obvious,
                                        but there is no "if" or "maybe"
                                        or "it depends". Any module that
                                        has been 18 years with the
                                        project qualifies to be a "major
                                        module" to me... <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">-Max<br></div></div></div></div></div></div></blockquote></div><div><br></div></div></div><div>_______________________________________________<br></div><div>Kamailio (SER) - Users Mailing List<br></div><div><a href="mailto:sr-users@lists.kamailio.org" target="_blank" class="qt-qt-">sr-users@lists.kamailio.org</a><br></div><div><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank" class="qt-qt-">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div></blockquote></div><div>_______________________________________________<br></div><div>Kamailio (SER) - Users Mailing List<br></div><div><a href="mailto:sr-users@lists.kamailio.org" class="qt-qt-">sr-users@lists.kamailio.org</a><br></div><div><a class="qt-moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div></div></blockquote></div></div><div>_______________________________________________<br></div><div>Kamailio (SER) - Users Mailing List<br></div><div><a href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a><br></div><div><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div><div><br></div></blockquote><div><br></div><div><br></div><pre class="qt-moz-quote-pre">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="qt-moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="qt-moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
<br></pre></blockquote><pre class="qt-moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="qt-moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="qt-moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="qt-moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="qt-moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a><br></pre></blockquote><div><br></div></body></html>