On 8 Jan 2010 at 10:52, Henning Westerholt wrote:
On Friday 08 January 2010, Olle E. Johansson wrote:
I know that the number of security reports for SER and Kamailio is very
low, in fact so low that I can't remember any. However, it can still
happen to us in the future. Do we have any policies and procedures for how
to handle it?
Yes, this is being negative, but also realistic. It's not only about our
own code; we depend on a large number of external libraries that could
release security reports that will affect our user base too, and probably
should be forwarded.
Hi Olle,
we don't have a dedicated security mailing address at the moment, also because
the number of incidents in this regard has been pretty low. What about using
the existing 'management' and 'board' lists for this purpose as well?
Are the old SER team integrated to those lists?
In order to announce security related bugs I suggest forwarding them to the
user lists, and also to the (low traffic) kamailio announce list.
Well, sounds like a good first plan - why don't you put it on the web site as a
starting point. We need a document that clearly states the process we've decided.
"If you find any security issues with the software, please send e-mail to
xxxx(a)sip-router.org or
kamailio.net. From there, a member of the management team will
handle it.
SIP-router security alerts will be sent to the -users list and published on the following
URL. Security releases, if needed, will be mentioned in the security alert, which will also
point out which versions of the software are affected by the issue."
/O