8 Jan
2010
8 Jan
'10
10:36 a.m.
Friends,
I know that the number of security reports for SER and Kamailio are very low, in fact so
low that I can't remember any. However, it can still happen to us in the future. Do we
have any policies and procedure for how to handle it?
Yes, this is being negative, but also realistic. It's not only about our own code, we
depend on a large number of external libraries that could release security reports that
will affect our user base too, and propably should be forwarded.
Any thoughts?
/O
8 Jan
8 Jan
11:52 a.m.
On Friday 08 January 2010, Olle E. Johansson wrote:
I know that the number of security reports for SER and
Kamailio are very
low, in fact so low that I can't remember any. However, it can still
happen to us in the future. Do we have any policies and procedure for how
to handle it?
Yes, this is being negative, but also realistic. It's not only about our
own code, we depend on a large number of external libraries that could
release security reports that will affect our user base too, and propably
should be forwarded.
Hi Olle,
we don't have a dedicated security mailing address at the moment, also because
the number of incidents in this regards has been pretty low. What about using
the existing 'management' and 'board' lists for this purpose as well?
In order to announce security related bugs i suggest to forward them to the
user lists, and also to the (low traffic) kamalio announce list.
Cheers,
Henning
11:57 a.m.
8 jan 2010 kl. 10.52 skrev Henning Westerholt:
On Friday 08 January 2010, Olle E. Johansson wrote:
Are the old SER team integrated to those lists?
I know that the number of security reports for
SER and Kamailio are very
low, in fact so low that I can't remember any. However, it can still
happen to us in the future. Do we have any policies and procedure for how
to handle it?
Yes, this is being negative, but also realistic. It's not only about our
own code, we depend on a large number of external libraries that could
release security reports that will affect our user base too, and propably
should be forwarded.
Hi Olle,
we don't have a dedicated security mailing address at the moment, also because
the number of incidents in this regards has been pretty low. What about using
the existing 'management' and 'board' lists for this purpose as well?
In order to announce security related bugs i suggest to forward them to the
user lists, and also to the (low traffic) kamalio announce list.
Well, sounds like a good first plan - why don't you put it on the web site as a
starting point. We need a document that clearly states the process we've decided.
"If you find any security issues with the software, please send e-mail to
xxxx(a)sip-router.org or kamailio.net. From there, a member of the management team will
handle it.
SIP-router security alerts will be sent to the -users list and published on the following
URL. Security releases, if needed, will be mentioned in the security alert that will also
point out which versions of the software that is affected by the issue."
/O
12:01 p.m.
On Friday 08 January 2010, Olle E. Johansson wrote:
Hey Olle,
no, we've two different lists at the moment:
- management at kamailio dot org
- board at iptel dot org
Sounds good.
we don't
have a dedicated security mailing address at the moment, also
because the number of incidents in this regards has been pretty low. What
about using the existing 'management' and 'board' lists for this purpose
as well?
Are the old SER team integrated to those lists? In order to
announce security related bugs i suggest to forward them to
the user lists, and also to the (low traffic) kamalio announce list.
Well, sounds like a good first plan - why don't you put it on the web site
as a starting point. We need a document that clearly states the process
we've decided. "If you find any security issues with the
software, please send e-mail to
xxxx(a)sip-router.org or kamailio.net. From there, a member of the
management team will handle it.
Also fine with me, other projects do it like this as well.
SIP-router security alerts will be sent to the -users
list and published on
the following URL. Security releases, if needed, will be mentioned in the
security alert that will also point out which versions of the software
that is affected by the issue."
If its ok to place this on the wiki, you could just create the page and post
the link in this discussion, in order to get more/ other feedback. :)
Henning
5462
days inactive
5462
days old
3 comments
2 participants
participants (2)
-
Henning Westerholt -
Olle E. Johansson