On 16.03.18 19:00, Daniel Tryba wrote:
On Wed, Mar 14, 2018 at 05:30:23PM +0100, Daniel-Constantin Mierla wrote:
I want to highlight that the last stable versions (for the latest 3 release series: 4.4, 5.0 and 5.1) include fixes for two issues that can crash a running instance of Kamailio, therefore it is strongly recommended to upgrade if you are using tmx or lcr modules.
Next week a CVE report is going to be created with more details about one of these issues.
It is not totally clear for me if the issue that will be revealed is already fixed in 4.4.7, 5.0.6, and 5.1.2 or whether we will need to update to a new release next week. I guess/hope it is the former.
Kudos to the people/organisations finding these flaws and disclosing responsibly.
I missed your response so far; today Henning also sent an email with more details.
The issues were fixed before 4.4.7, 5.0.6, and 5.1.2 releases (on Feb 5 lcr and Feb 10 tmx). There is nothing else that is expected to be done in the code to fix them.
The announcement was not done at the time of discovery and fix, being rather old code not reported to be exploited at all till that moment -- but the commits were pushed to public git, as we do with usual fixes (and still no report of exploit afterwards) -- anyhow, we wanted to get the new releases propagated naturally for a while, then give more details, just in case such announcement may make the issues popular.
As a matter of fact, there were similar cases in the past, but we aim to become more organized in these aspects, especially now that we were helped by the Enabled Security guys with the tmx issue, who did some fuzzing stress on Kamailio (no other issue discovered so far).
Cheers, Daniel