Hello,

thanks for sharing this. What was done in the security audit from them is something that was done from many people already done in the past for the Kamailio project. Several people presented about it at different conferences.

Many modules are also not similar due to the different ways both projects took (e.g., some modules are only present for one of the projects, Kamailio integrated many changes from the SER projects etc..).

That said, its probably still make sense to review the applicable parts and make sure that it does not affect the current code.

Cheers,

Henning

Henning Westerholt – https://skalatan.de/blog/

Kamailio services – https://gilawa.com

From: Dovid Bender <dovid@telecurve.com>
Sent: Mittwoch, 15. März 2023 20:20
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] Issues/Vulnerabilities in OpenSipS that may affect Kamailio

Hi All,

OpenSipS just released an update to the audit that was done to OpenSips [1]. From my basic coding skills it seems like the changes that were done by the OpenSipS project were not implemented in Kamailio which means that Kamailio is potentially vulnerable? For example you can compare the changes made by OpenSips project here [2] and the Kamailio code here [3]

I am not active much on the list so please don't roast me if I am completely wrong here.

Regards,

Dovid

[1] http://lists.opensips.org/pipermail/users/2023-March/046849.html

[2] https://github.com/OpenSIPS/opensips/commit/dd9141b6f67d7df4072f3430f628d4b73df5e102

[3] https://github.com/kamailio/kamailio/blob/master/src/core/parser/digest/param_parser.c