[sr-dev] Security announcement related to Kamailio

Henning Westerholt hw at kamailio.org
Sat Aug 4 11:52:09 CEST 2018


On Monday, 30 July 2018, 09:53:39 CEST, Henning Westerholt wrote:
> I want to highlight that the last stable versions (for the two maintained
> series: 5.0 and 5.1) include fixes for security issues that can crash a
> running instance of Kamailio, therefore it is strongly recommended to
> upgrade.
> [..]

Hello,

an addition to this security announcement related to a possible workaround:

For older Kamailio versions, and in case you need more time for an update, you
can add the following logic at the top of your `request_route` block in your
Kamailio configuration file. This will drop this malicious message and prevent
its processing.

if($(hdr(To)[1]) != $null) {
    xlog("second To header not null - dropping message");
    drop;
}

The announcement on kamailio.org has also been updated to include this
workaround:

https://www.kamailio.org/w/2018/07/kamailio-security-announcement-for-kamailio-core/

Best regards,

Henning

-- 
Henning Westerholt
https://skalatan.de/blog/
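
An added example, not part of the original message and not Kamailio project code: an offline check that finds raw SIP messages carrying more than one To header, for reviewing captured traffic against the workaround's condition. It follows RFC 3261 header rules (case-insensitive names, compact form `t`, folded continuation lines); that Kamailio's own parser agrees on every edge case is an assumption, and the function names and sample messages are constructed for illustration.

```python
TO_NAMES = {"to", "t"}  # RFC 3261: "t" is the compact form of To


def unfold_headers(raw):
    """Return header lines with folded continuation lines joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = []
    for line in head.split("\n")[1:]:  # [1:] skips the request line
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        elif line:
            unfolded.append(line)
    return unfolded


def to_headers(raw):
    """Return the value of every To header (long or compact form)."""
    values = []
    for line in unfold_headers(raw):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in TO_NAMES:
            values.append(value.strip())
    return values


def has_second_to(raw):
    """True when the message carries more than one To header."""
    return len(to_headers(raw)) > 1


def build(*to_lines):
    """Constructed REGISTER around the given To line(s); body holds a decoy."""
    lines = ["REGISTER sip:example.invalid SIP/2.0",
             "From: <sip:alice@example.invalid>;tag=1", *to_lines,
             "Reply-To: <sip:alice@example.invalid>", "Call-ID: constructed-1",
             "CSeq: 1 REGISTER", "Content-Length: 4"]
    return "\r\n".join(lines) + "\r\n\r\nTo:x"


SAMPLES = {  # added example data: every message here is constructed
    "normal": build("To: <sip:alice@example.invalid>"),
    "folded": build("To: <sip:alice@example.invalid>", "\t;tag=abc"),
    "duplicate": build("To: <sip:alice@example.invalid>", "To: <sip:bob@example.invalid>"),
    "compact": build("TO: <sip:alice@example.invalid>", "t: <sip:bob@example.invalid>"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, has_second_to(msg), to_headers(msg))
```

The folded sample and the `Reply-To` and body decoys show the cases a plain substring search for "To:" would miscount.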


