[sr-dev] Security vulnerability handling

Javi Gallart jgallart at systemonenoc.com
Thu Feb 5 16:04:24 CET 2015


Hello

in the operators/carriers world, the 302 messages might be coming from 
equipment beyond the immediate trusted endpoint. This one might just 
relay the response without processing it; there are really broken 
systems out there. So I agree with Olle in dealing with these issues in a 
specific way. I was hesitant to raise the issue in a public list, but at 
the same time I thought it was a good idea to make everybody aware of a 
potential risk. Having a specific group devoted to security issues looks 
like the way to go. I am happy to help with testing or any other thing.

Regards

Javi

On 05/02/15 15:54, Daniel-Constantin Mierla wrote:
> Just to give proper details about the issue ...
>
> It is not that any 30x response sent by anyone was causing a crash, only
> those received in a transaction and handled via get_redirects(), with an
> empty URI in Contact header. That means an authenticated/trusted
> endpoint has to be involved in such a call. The code causing it is also
> quite old (might be close to 10 years now).
>
> So there is no risk of being hit by malicious/unknown attackers from the
> wild.
>
>
> Cheers,
> Daniel
>
> On 05/02/15 15:36, Olle E. Johansson wrote:
>> Friends,
>>
>> I think today's issue with a 302 message sent to kamailio causing a crash is a security issue. It was dealt with swiftly, but I feel we need a more formal procedure for handling it, producing patches and releasing security information.
>>
>> I've made a quick proposal that outlines a few simple things and policies. We should make it too complex, but I feel it's important for all our users that a project has some procedure on how to handle situations like this.
>>
>> Please check the proposal in the dev meeting agenda and let's discuss it in the dev meeting.
>>
>> http://www.kamailio.org/wiki/devel/irc-meetings/2015a
>>
>> /O
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
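As an added illustration of the condition Daniel describes above (a 3xx response whose Contact header carries an empty URI), and not code from Kamailio or its get_redirects(): a hypothetical redirect-target collector in C that extracts the URI from a Contact value and refuses an empty one, so the caller never works on a zero-length URI. The function names, the `uri_buf` scratch buffer and the sample Contact values are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical: extract the URI from one Contact header value
 * ("<sip:a@b>;q=0.5" or "sip:a@b;expires=60") into out.
 * Returns the URI length, 0 when the URI is empty (the case a redirect
 * handler must skip rather than dereference), -1 on malformed input. */
int contact_uri(const char *hv, char *out, size_t outlen) {
    const char *p = hv, *start, *end;
    if (!hv || !out || outlen == 0) return -1;
    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '<') {                       /* name-addr form: <uri>;params */
        start = p + 1;
        end = strchr(start, '>');
        if (!end) return -1;               /* unterminated angle bracket */
    } else {                               /* addr-spec form: uri;params */
        start = p;
        end = start;
        while (*end && *end != ';' && *end != ',' && !isspace((unsigned char)*end)) end++;
    }
    while (start < end && isspace((unsigned char)*start)) start++;   /* "< >" */
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n == 0) { out[0] = '\0'; return 0; }  /* empty URI: not a usable target */
    if (n >= outlen) return -1;               /* would not fit, refuse rather than truncate */
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical redirect-collection step: 1 = uri_buf holds a usable
 * target, 0 = this Contact value was skipped (empty or malformed). */
static char uri_buf[256];
int collect_redirect_target(const char *contact_value) {
    return contact_uri(contact_value, uri_buf, sizeof uri_buf) > 0 ? 1 : 0;
}

int main(void) {
    /* constructed sample Contact values as they might appear in a 302 */
    const char *samples[] = { "<sip:alice@example.com>;q=0.5", "<>", "< >", "<sip:x@y" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               collect_redirect_target(samples[i]) ? uri_buf : "(skipped)");
    return 0;
}
```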