Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack

Julien BLACHE jblache at debian.org
Wed Oct 17 19:44:41 UTC 2007

Nico Golde <nion at debian.org> wrote:


> This was marked as a security flaw with low impact in the 
> security tracker by me. So this is no "please upload as fast 
> as possible" bug but I think the patch won't hurt.

The patch doesn't fix anything but makes it easier to do the check in
its simplest form in the config file.

This is not a vulnerability, it's not even a flaw because having the
two URIs mismatch is allowed by the standard and happens in some
setups for valid reasons.

There's no hole in OpenSER itself; depending on the user setup,
checking the URIs can be required or not, so it's entirely a config
issue from there on.

I don't consider this a security issue as far as Debian is concerned
and I recommend not issuing a DSA for this. I feel issuing a DSA for
this issue could potentially mislead our users, letting them think the
update handles the problem when it doesn't.

So if you agree with this, I'm just going to leave this bug open and
I'll close it with the OpenSER 1.3 upload in december.


 Julien BLACHE <jblache at debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 

More information about the Pkg-voip-maintainers mailing list