<!DOCTYPE html><html><head><title></title><style type="text/css">
p.MsoNormal,p.MsoNoSpacing{margin:0}
p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body><div><br></div><div><br></div><div>On Tue, 22 Sep 2020, at 12:55 PM, Daniel-Constantin Mierla wrote:<br></div><blockquote type="cite" id="qt" style=""><p>At least in my case you push out some inaccurate information. I
never said my "deployments were not affected since non-standard
headers were not used".<br></p></blockquote><div><br></div><div>Sorry about the misquote. I have clarified that part of the post. <br></div><div><br></div><div>If anyone feels that I misquoted them, feel free to reach out directly on list, offlist or over matrix/wire etc (sandrogauci).<br></div><div><br></div><blockquote type="cite" id="qt" style=""><p>Iirc, I only said that none of my deployments were affected by
this issue -- respectively quoting from my message: "None of my
deployments were affected." from: <a class="qt-moz-txt-link-freetext" href="https://lists.kamailio.org/pipermail/sr-users/2020-September/110315.html">https://lists.kamailio.org/pipermail/sr-users/2020-September/110315.html</a> . If I am mistaken and you found another remark from me, just
point to my message from where you got that.<br></p><p>So, for further clarification: either non standard headers were
used for non-security related features (e.g., used for
troubleshooting purposes) or the issue didn't affect the
deployments from different perspective (e.g., traffic was checked
to be from a trusted source).<br></p><p>And remember that the issue was not with remove_hf() function
itself, like it is somehow propagated by blog posts, but it was in
the parser, so use of custom headers between two kamailio was not
affected if an edge proxy did something like:<br></p><p>remove_hf("X-H");<br></p><p>append_hf("X-H: abc\r\n");<br></p><p>And then, if next hop Kamailio was using $hdr(X-H), it will get
"abc" (value added by previous Kamailio), not what a bad actor
would add as "X-H : badvalue\r\n" sip header.<br></p><p>Then you listed two commits you consider there should have been
security advisories about. Have you analysed the code and found
cases where security was affected, or is just your opinion in
based on the commit message and code patch?<br></p><p>First, I would love that one or many spend time to dissect
commits and see their security implication. I am more that happy
when someone does it and let's everyone be aware of, also to write
and publish appropriate advisory.<br></p><p>Otherwise, for those two specific commits you listed, the one
from Federico is a memory leak, I haven't spent time on going
deeper to find the specific cases, From header should be parsed in
SIP requests. My commit was done based on a static code analyzer
and again I was not spending time to see what implications are.<br></p><p>In general, in the code we work a lot with str structure
(non-zero terminated char* and len), many of the "safety" commits
done lately were to silent static code analysers, not meaning that
it was a real issue found behind. Some can be, and here we
appreciate the time and effort of people like you to dissect them
and make appropriate advisories.<br></p><p>I would like people do verify what they write about what specific
people (of course, specially for my person) said before pushing
out, and eventually validate a commit to fix something has
security impact, instead of just personal guessing, if the
intention is to help the project and not to create more confusion
or other reactions for what so ever reasons.<br></p><p>This should be my last comment on the thread, I do not want to
spend any more time in clarifying what people think I said or I
did.<br></p><p><br></p><div>Cheers,<br></div><div>Daniel<br></div><p><br></p><div class="qt-moz-cite-prefix">On 22.09.20 11:31, Sandro Gauci wrote:<br></div><blockquote type="cite" cite="mid:39726c23-56f3-4069-b3b0-addd6118f36a@www.fastmail.com"><div>I know I am waking up an old debate by replying to this
thread. Deeply sorry :-)<br></div><div><br></div><div>Finally got around to writing up a blog post about this very
thread where I (think) I spared absolutely no one, not even
myself. <br></div><div><br></div><div>My post is called "The great Kamailio security debate and
some misconceptions debunked" and can be read here:<br></div><div><br></div><div><a href="https://www.rtcsec.com/2020/09/02-kamailio-security-debate-and-misconceptions/">https://www.rtcsec.com/2020/09/02-kamailio-security-debate-and-misconceptions/</a><br></div><div><br></div><div>The ToC:<br></div><ol><li>Introduction<br></li><li>A bit of background before diving in<br></li><li>Claim: this issue does not affect many organisations<br></li><li>Claim: custom headers are only known to internal users<br></li><li>Claim: if it’s an 18 year old bug, it can’t have been high
risk<br></li><li>Claim: this should have been found if people were doing
proper testing<br></li><li>Claim: infrequent advisories = project is not serious about
security<br></li><li>Claim: limited number of advisories = project is more secure<br></li><li>Claim: if you’re serious about security, monitor the mailing
lists<br></li><li>Claim: security experts should decide what is a security
vulnerability<br></li><li>Discussion: when should the project publish an advisory?<br></li><li>Discussion: educational security role<br></li><li>Moving forward<br></li></ol><div>Hope that it is at least interesting and perhaps even
constructive!<br></div><div><br></div><div>Best wishes,<br></div><div id="qt-sig45665722"><div><br></div><div>--<br></div><div> <br></div><div> Sandro Gauci, CEO at Enable Security GmbH<br></div><div><br></div><div> Register of Companies: AG Charlottenburg HRB
173016 B<br></div><div> Company HQ: Pappelallee 78/79,
10437 Berlin, Germany<br></div><div> PGP/Encrypted comms: <a class="qt-moz-txt-link-freetext" href="https://keybase.io/sandrogauci">https://keybase.io/sandrogauci</a><br></div><div> Our blog: <a class="qt-moz-txt-link-freetext" href="https://www.rtcsec.com">https://www.rtcsec.com</a><br></div><div> Other points of contact: <a class="qt-moz-txt-link-freetext" href="https://enablesecurity.com/#contact-us">https://enablesecurity.com/#contact-us</a><br></div><div><br></div></div><div><br></div><div><br></div><div>On Thu, 3 Sep 2020, at 10:34 AM, Olle E. Johansson wrote:<br></div><blockquote type="cite" id="qt-qt" style="overflow-wrap:break-word;"><div>Well, you have defined one definitive line between being
stupid and following some current practise :-)<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">I like to think we as a project have an
educational role as well. In this case explaining the bug we
had and what it can cause.<br></div><div class="qt-qt-">We should definitely add a warning along the
lines you write too - relying on headers alone is bad and not
best current practise.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><div>/O<br></div><div><div><br></div><blockquote type="cite" class="qt-qt-"><div class="qt-qt-">On 3 Sep 2020, at 10:14, davy van de
moere <<a href="mailto:davy.van.de.moere@gmail.com" class="qt-qt-">davy.van.de.moere@gmail.com</a>>
wrote:<br></div><div><br></div><div class="qt-qt-"><div dir="ltr" class="qt-qt-"><div>After 20 years in voip, my 2 cents on this, if
you succeed in creating a voip system where the
security of the whole relies on the ability to
remove (or only keep specific) custom sip headers,
you will wake up one morning realizing a bunch of
people in Palestine made a gazillion calls over your
system to expensive destinations, bringing you to or
over the edge of bankruptcy.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">Security should be multilayered, one
header sneaking through should not give any big
problems. <br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><div class="qt-qt-">From a security point of view, this
could be called a 'normal' security risk, I think.
It's a bit more than low as you can do more than
just get some info, but it's not high, as you
would need to have many other factors going wrong
to get to a successful exploit. <br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><br></div></div></div><div><br></div><div class="qt-qt-gmail_quote"><div dir="ltr" class="qt-qt-gmail_attr">Op do 3 sep. 2020
om 09:18 schreef Olle E. Johansson <<a href="mailto:oej@edvina.net" class="qt-qt-">oej@edvina.net</a>>:<br></div><blockquote class="qt-qt-gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div style="overflow-wrap:break-word;" class="qt-qt-"><div>One thought - we may have to separate
security vulnerability reporting from security
advisory documents. I think in some cases, where
a common use of a product can lead to issues
(but it is not clearly a bug that cause crashes
in our code) we may have to send out an advisory
and publish it in the same way. The problem with
that is where the border is between just doing
stupid things like taking SQL statements from
SIP headers and issues like this that are harder
to catch.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">We had a long and hard discussion
about this in the Asterisk project many years
ago - a very common dialplan construct (that was
documented in many places) was indeed very
dangerous. It wasn’t any code in asterisk that
caused the issue, just a common dialplan
construct that existed in many, many production
systems. In the end, if I remember correctly,
the project issued an advisory and added a
README about it.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-">Maybe that’s a way forward.<br></div><div class="qt-qt-"><br></div><div class="qt-qt-"><div>/O<br></div><div class="qt-qt-"><div><br></div><blockquote type="cite" class="qt-qt-"><div class="qt-qt-">On 2 Sep 2020, at 21:25,
Henning Westerholt <<a href="mailto:hw@skalatan.de" target="_blank" class="qt-qt-">hw@skalatan.de</a>>
wrote:<br></div><div><br></div><div class="qt-qt-"><div style="font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-line:none;text-decoration-style:initial;text-decoration-color:initial;" class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-">Hello Maxim,</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">have a look
to the first sentence:</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">“A security
vulnerability is (for example) when
a user of Kamailio can cause
Kamailio to crash or lock up by
sending messages to the server
process.”</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">So there is
some limitation regarding
vulnerability criticality defined in
there. But of course (as I already
mentioned), it might be improved to
e.g. use CVSS scoring instead.</span><span class="qt-qt-" lang="EN-GB"></span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Cheers,</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Henning</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="border-top-style:solid;border-right-style:none;border-bottom-style:none;border-left-style:none;border-top-width:1pt;border-top-color:rgb(225, 225, 225);padding-top:3pt;padding-right:0cm;padding-bottom:0cm;padding-left:0cm;" class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><b class="qt-qt-"><span class="qt-qt-" lang="EN-GB">From:</span></b><span class="qt-qt-" lang="EN-GB"><span class="qt-qt-"> </span>Maxim
Sobolev <<a href="mailto:sobomax@sippysoft.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">sobomax@sippysoft.com</a>><span class="qt-qt-"> </span><br class="qt-qt-"> <b class="qt-qt-">Sent:</b><span class="qt-qt-"> </span>Wednesday,
September 2, 2020 9:15 PM<br class="qt-qt-"> <b class="qt-qt-">To:</b><span class="qt-qt-"> </span>Henning
Westerholt <<a href="mailto:hw@skalatan.de" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">hw@skalatan.de</a>><br class="qt-qt-"> <b class="qt-qt-">Cc:</b><span class="qt-qt-"> </span>Daniel-Constantin
Mierla <<a href="mailto:miconda@gmail.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">miconda@gmail.com</a>>;<span class="qt-qt-"> </span><a href="mailto:yufei.tao@gmail.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">yufei.tao@gmail.com</a>;
Olle E. Johansson <<a href="mailto:oej@edvina.net" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">oej@edvina.net</a>>;
Gerry | Rigatta <<a href="mailto:gjacobsen@rigatta.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">gjacobsen@rigatta.com</a>>;
Kamailio (SER) - Users Mailing
List <<a href="mailto:sr-users@lists.kamailio.org" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">sr-users@lists.kamailio.org</a>>;<span class="qt-qt-"> </span><a href="mailto:jbrower@signalogic.com" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">jbrower@signalogic.com</a><br class="qt-qt-"> <b class="qt-qt-">Subject:</b><span class="qt-qt-"> </span>Re:
[SR-Users] Kamailio vulnerable to
header smuggling possible due to
bypass of remove_hf</span></div></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">On Wed,
Sep 2, 2020 at 11:30 AM Henning
Westerholt <<a href="mailto:hw@skalatan.de" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">hw@skalatan.de</a>>
wrote:<br></div></div><div class="qt-qt-"><blockquote style="border-top-style:none;border-right-style:none;border-bottom-style:none;border-left-style:solid;border-left-width:1pt;border-left-color:rgb(204, 204, 204);padding-top:0cm;padding-right:0cm;padding-bottom:0cm;padding-left:6pt;margin-left:4.8pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Hello
Maxim,</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">thank
you for the clarification,
appreciated.</span><br></div></div></div></blockquote><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">No
worries, hope to have a
civilized discussion.<br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><blockquote style="border-top-style:none;border-right-style:none;border-bottom-style:none;border-left-style:solid;border-left-width:1pt;border-left-color:rgb(204, 204, 204);padding-top:0cm;padding-right:0cm;padding-bottom:0cm;padding-left:6pt;margin-left:4.8pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Just
one clarification, my
comment regarding the
advisory from 2018 was not
meant as advertisement
etc..</span><br></div></div></div></blockquote><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">Point
taken, I dramatized of course to
underline my point. <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><blockquote style="border-top-style:none;border-right-style:none;border-bottom-style:none;border-left-style:solid;border-left-width:1pt;border-left-color:rgb(204, 204, 204);padding-top:0cm;padding-right:0cm;padding-bottom:0cm;padding-left:6pt;margin-left:4.8pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">One
suggestion to objectify the
whole discussion, there
exists a well-known and
accepted metric for
vulnerabilities: CVSS [1]<br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">If
I calculate the CVSS score
for this issue, it results
in a medium level with
score 5.8. But this is of
course again (at least
somewhat) influenced from
my point of view to this
bug.</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Some
projects have a policy to
only do a security
announcement for
vulnerabilities with score
high and critical. For
Kamailio this is not yet
defined in a detailed way,
due to the size of the
project and other factors.</span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">So,
If people in this
discussion (or other
people on the list) are
interested in improving
the project security
processes – this wiki page
with the current process
might be a good starting
point:<a href="https://www.kamailio.org/wiki/security/policy" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">https://www.kamailio.org/wiki/security/policy</a></span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB"> </span><br></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span class="qt-qt-" lang="EN-GB">Please
suggest your improvements
to the existing process
(preferable in a new
discussion thread) on the
sr-dev list. If you want
to do it in private, feel
free contact the
management list.</span><br></div></div></div></blockquote><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">Well,
first suggestion after having
read it: to start actually
following what's documented
before any improvements are
made. ;-) The policy says plain
and simple (quote):<br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div></div><blockquote style="margin-left:30pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><h4 id="qt-qt-gmail-m_-221075449414644861gmail-publishing_security_vulnerabilities" style="margin-right:0cm;margin-left:35.4pt;font-size:12pt;font-family:Calibri, sans-serif;margin-bottom:12pt;" class="qt-qt-"><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">Publishing
security vulnerabilities</span></span></span></span></span><br></h4></div></div></blockquote><blockquote style="margin-left:30pt;margin-right:0cm;" class="qt-qt-"><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">Kamailio
will publish security
vulnerabilities,
including an CVE ID, on
the kamailio-business
mailing list, sr-dev,
sr-users as well as
related lists.<span class="qt-qt-"> </span></span></span></span></span></span><span style="color:red;" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">The
advisories will also be
published on the<span class="qt-qt-"> </span><a href="http://kamailio.org/" style="color:blue;text-decoration-line:underline;text-decoration-style:initial;text-decoration-color:initial;" target="_blank" class="qt-qt-">kamailio.org</a><span class="qt-qt-"> </span>web
site</span></span></span></span></span><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">.</span></span></span></span></span> <br></div></div></div><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div></div><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"><span style="color:rgb(51, 51, 51);" class="qt-qt-"><span class="qt-font" style=""><span class="font" style="font-family:Arial, sans-serif;"><span class="qt-size" style=""><span class="size" style="font-size:10.5pt;">CVE
entries should be
created for
vulnerabilities in the
core and major modules,
for rarely used modules
this is not necessary.
If there are several
security issues together
in one release, they
should be announced
together.</span></span></span></span></span> <br></div></div></div></blockquote><div class="qt-qt-"><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">I might
be missing something obvious,
but there is no "if" or "maybe"
or "it depends". Any module that
has been 18 years with the
project qualifies to be a "major
module" to me... <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-"> <br></div></div><div class="qt-qt-"><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:35.4pt;font-size:11pt;font-family:Calibri, sans-serif;" class="qt-qt-">-Max<br></div></div></div></div></div></div></blockquote></div><div><br></div></div></div><div>_______________________________________________<br></div><div>Kamailio (SER) - Users Mailing List<br></div><div><a href="mailto:sr-users@lists.kamailio.org" target="_blank" class="qt-qt-">sr-users@lists.kamailio.org</a><br></div><div><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank" class="qt-qt-">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div></blockquote></div><div>_______________________________________________<br></div><div>Kamailio (SER) - Users Mailing List<br></div><div><a href="mailto:sr-users@lists.kamailio.org" class="qt-qt-">sr-users@lists.kamailio.org</a><br></div><div><a class="qt-moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div></div></blockquote></div></div><div>_______________________________________________<br></div><div>Kamailio (SER) - Users Mailing List<br></div><div><a href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a><br></div><div><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div><div><br></div></blockquote><div><br></div><div><br></div><pre class="qt-moz-quote-pre">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="qt-moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="qt-moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
<br></pre></blockquote><pre class="qt-moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="qt-moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="qt-moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="qt-moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="qt-moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a><br></pre></blockquote><div><br></div></body></html>