Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack

Nico Golde nion at debian.org
Wed Oct 17 19:56:55 UTC 2007


Hi Julien,
* Julien BLACHE <jblache at debian.org> [2007-10-17 21:48]:
> Nico Golde <nion at debian.org> wrote:
> > This was marked as a security flaw with low impact in the 
> > security tracker by me. So this is no "please upload as fast 
> > as possible" bug but I think the patch won't hurt.
> 
> The patch doesn't fix anything but makes it easier to do the check in
> its simplest form in the config file.
> 
> This is not a vulnerability, it's not even a flaw because having the
> two URIs mismatch is allowed by the standard and happens in some
> setups for valid reasons.

Ok.

> There's no hole in OpenSER itself; depending on the user setup,
> checking the URIs can be required or not, so it's entirely a config
> issue from there on.

Ok sounds plausible.

> I don't consider this a security issue as far as Debian is concerned
> and I recommend not issuing a DSA for this. I feel issuing a DSA for
> this issue could potentially mislead our users, letting them think the
> update handles the problem when it doesn't.
> 
> So if you agree with this, I'm just going to leave this bug open and
> I'll close it with the OpenSER 1.3 upload in december.

Ok, I marked it as unimportant and downgraded this bug.
Thanks for your efforts!
Cheers
Nico
-- 
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20071017/f0e43ebd/attachment.pgp 


More information about the Pkg-voip-maintainers mailing list