[SR-Users] INFO: Relevant fixes in the last releases

[Daniel-Constantin Mierla]

On 16.03.18 19:00, Daniel Tryba wrote:
> On Wed, Mar 14, 2018 at 05:30:23PM +0100, Daniel-Constantin Mierla wrote:
>> I want to highlight that the last stable versions (for the latest 3
>> release series: 4.4, 5.0 and 5.1) include fixes for two issues that can
>> crash a running instance of Kamailio, therefore it is strongly
>> recommended to upgrade if you are using tmx or lcr modules.
>>
>> Next week a CVE report is going to be created with more details about
>> one of these issues.
> It is not totaly clear for me if the issue that will be revealed is
> already fixed in 4.4.7, 5.0.6, and 5.1.2 or whether we will need to
> update to a new release next week. I guess/hope it is the former.
>
> Kudos to the people/organisations finding these flaws and disclosing
> responsibly.
>
I missed your response so far, today Henning sent also an email with
more details.

The issues were fixed before 4.4.7, 5.0.6, and 5.1.2 releases (on Feb 5
lcr and Feb 10 tmx). There is nothing else that is expected to be done
in the code to fix them.

The announcement was not done at the time of discovery and fix, being
rather old code not reported to be exploited at all till that moment --
but the commits were pushed to public git, as we do with usual fixes
(and still no report of exploit afterwards) -- anyhow, we wanted to get
the new releases propagated naturally for a while, then give more
details, just in case such announcement may make the issues popular.

As a matter of fact, there were similar cases in the past, but we aim to
become more organized in these aspects, especially now that we were
helped by Enabled Security guys with the tmx issue, which did some
fuzzing stress on Kamailio (no other issue discovered so far).

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - April 16-18, 2018, Berlin - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com