[SR-Users] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf

Maxim Sobolev sobomax at sippysoft.com
Wed Sep 2 21:14:42 CEST 2020


On Wed, Sep 2, 2020 at 11:30 AM Henning Westerholt <hw at skalatan.de> wrote:

> Hello Maxim,
>
>
>
> thank you for the clarification, appreciated.
>

No worries, hope to have a civilized discussion.


> Just one clarification, my comment regarding the advisory from 2018 was
> not meant as advertisement etc.
>

Point taken, I dramatized of course to underline my point.

> One suggestion to objectify the whole discussion, there exists a well-known
> and accepted metric for vulnerabilities: CVSS [1]
>
> If I calculate the CVSS score for this issue, it results in a medium level
> with score 5.8. But this is of course again (at least somewhat) influenced
> from my point of view to this bug.
>
>
>
> Some projects have a policy to only do a security announcement for
> vulnerabilities with score high and critical. For Kamailio this is not yet
> defined in a detailed way, due to the size of the project and other factors.
>
>
>
> So, if people in this discussion (or other people on the list) are
> interested in improving the project security processes – this wiki page
> with the current process might be a good starting point:
> https://www.kamailio.org/wiki/security/policy
>
>
>
> Please suggest your improvements to the existing process (preferably in a
> new discussion thread) on the sr-dev list. If you want to do it in private,
> feel free to contact the management list.
>

Well, first suggestion after having read it: to start actually following
what's documented before any improvements are made. ;-) The policy says
plain and simple (quote):

Publishing security vulnerabilities

Kamailio will publish security vulnerabilities, including an CVE ID, on the
kamailio-business mailing list, sr-dev, sr-users as well as related lists. The
advisories will also be published on the kamailio.org web site.

CVE entries should be created for vulnerabilities in the core and major
modules, for rarely used modules this is not necessary. If there are
several security issues together in one release, they should be announced
together.


I might be missing something obvious, but there is no "if" or "maybe" or
"it depends". Any module that has been 18 years with the project qualifies
to be a "major module" to me...

-Max