[SR-Users] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf

Alex Balashov abalashov at evaristesys.com
Wed Sep 2 20:28:00 CEST 2020


On 2020-09-02 14:21, Fred Posner wrote:

> As time progresses, attack metrics change. If a criterion meets a major
> announcement, the project has shown and demonstrated that information
> will be released in a security announcement, for example:
>  
> https://www.kamailio.org/w/2018/07/kamailio-security-announcement-for-kamailio-core/

For better or worse, one of the arguments made was that if 2018 was the 
last time we had an announcement of this magnitude, we must not be 
Serious About Security™.

It is worth taking the time to introspect about whether the threshold 
for such announcements is properly calibrated. That's never a bad idea.

However, to suggest that there must be a quota of major 
vulnerability announcements per unit of time met in order for a project 
to be credibly Serious About Security™ is ludicrous.

-- Alex

-- 
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/


