Hello
In the operators/carriers world, the 302 messages might be coming from
equipment beyond the immediate trusted endpoint. This one might
just relay the response without processing it; there are really broken
systems out there. So I agree with Olle in dealing with these issues in a
specific way. I was hesitant to raise the issue in a public list; but at
the same time I thought it was a good idea to make everybody aware of a
potential risk. Having a specific group devoted to security issues looks
like the way to go. I am happy to help with testing or any other thing.
Regards
Javi
On 05/02/15 15:54, Daniel-Constantin Mierla wrote:
Just to give proper details about the issue ...
It is not that any 30x response sent by anyone was causing a crash, only
those received in a transaction and handled via get_redirects(), with an
empty URI in Contact header. That means an authenticated/trusted
endpoint has to be involved in such a call. The code causing it is also
quite old (might be close to 10 years now).
So there is no risk of being hit by malicious/unknown attackers from the
wild.
Cheers,
Daniel
On 05/02/15 15:36, Olle E. Johansson wrote:
> Friends,
>
> I think today's issue with a 302 message sent to kamailio causing a crash is a
> security issue. It was dealt with swiftly, but I feel we need a more formal procedure for
> handling it, producing patches and releasing security information.
>
> I've made a quick proposal that outlines a few simple things and policies. We
> should make it too complex, but I feel it's important for all our users that a project
> has some procedure on how to handle situations like this.
>
> Please check the proposal in the dev meeting agenda and let's discuss it in the
> dev meeting.
>
> http://www.kamailio.org/wiki/devel/irc-meetings/2015a
>
> /O