Hello
In the operators/carriers world, the 302 messages might be coming from equipment beyond the immediate trusted endpoint. This one might just relay the response without processing it; there are really broken systems out there. So I agree with Olle in dealing with these issues in a specific way. I was hesitant to raise the issue in a public list, but at the same time I thought it was a good idea to make everybody aware of a potential risk. Having a specific group devoted to security issues looks like the way to go. I am happy to help with testing or any other thing.
Regards
Javi

On 05/02/15 15:54, Daniel-Constantin Mierla wrote:
Just to give proper details about the issue ...
It is not that any 30x response sent by anyone was causing a crash, only those received in a transaction and handled via get_redirects(), with an empty URI in Contact header. That means an authenticated/trusted endpoint has to be involved in such a call. The code causing it is also quite old (might be close to 10 years now).
So there is no risk of being hit by malicious/unknown attackers from the wild.
Cheers, Daniel
On 05/02/15 15:36, Olle E. Johansson wrote:
Friends,
I think today's issue with a 302 message sent to kamailio causing a crash is a security issue. It was dealt with swiftly, but I feel we need a more formal procedure for handling it, producing patches and releasing security information.
I've made a quick proposal that outlines a few simple things and policies. We should make it too complex, but I feel it's important for all our users that a project has some procedure on how to handle situations like this.
Please check the proposal in the dev meeting agenda and let's discuss it in the dev meeting.
http://www.kamailio.org/wiki/devel/irc-meetings/2015a
/O

_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev