Bug#747302: Security flaw: deleted config files get restored
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Sun May 11 17:28:03 UTC 2014
On Wed, May 07, 2014 at 12:41:01PM +0200, Petr Tomášek wrote:
> Package: asterisk
> Version: 1.8.13.1~dfsg1-3+deb7u3
>
> The Asterisk (open source telephony switching and private branch
> exchange service) comes with many example config files in place
> which pose a possible security risk as they configure features which
> should not be present on a production system.
>
> Now, if these config files are deleted they are restored by the next
> update meaning that the system gets screwed and it may lead to a security
> problem.
Configuration files don't just get deleted. Did you remove asterisk (or
rather, asterisk-config) or purge it? If you did not purge
asterisk-config, the configuration files should not have been removed.
Did you have any local changes that were not preserved?
Could you please give a more specific scenario?
>
> Therefore I'd suggest that config files that are just examples (and not
> feasible defaults like e.g. ) all be moved out of the /etc/asterisk to
> some documentation directory.
Without any configuration files Asterisk will behave in different ways
than expected. Some of the "defaults" are hard-coded in the
configuration rather than in the code. Most notable example: by default
asterisk will not load any module. The standard modules.conf has:

    [modules]
    autoload => yes

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com
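
A way to produce the specific scenario requested in the message above, as an added example that is not part of the original post or of the Debian packaging: classify each conffile of a package as unchanged, modified or deleted on disk. The function name, the `ROOT` parameter and the sample file list are assumptions made for illustration; the input format is the one printed by `dpkg-query -W -f='${Conffiles}\n' asterisk-config`.

```shell
#!/bin/sh
# Added example (not from the original thread).
# conffile_status ROOT  (hypothetical helper)
#   stdin : lines of the form " /path md5sum [flag]", as printed by
#           dpkg-query -W -f='${Conffiles}\n' asterisk-config
#   ROOT  : prefix prepended to every path, so the check can be run
#           against a test tree; leave empty on a live system
#   stdout: one "<state> <path>" line per conffile
conffile_status() {
    root="${1:-}"
    while read -r path sum flag; do
        [ -n "$path" ] || continue              # skip blank lines
        if [ ! -e "$root$path" ]; then
            echo "deleted $path"                # removed by the administrator
        elif [ "$(md5sum < "$root$path" | cut -d' ' -f1)" = "$sum" ]; then
            echo "unchanged $path"              # still the packaged content
        else
            echo "modified $path"               # locally edited
        fi
    done
}

# Constructed demo tree: one file as shipped, one edited, one removed.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/asterisk"
printf '[modules]\nautoload => yes\n' > "$demo_root/etc/asterisk/modules.conf"
printf 'edited locally\n' > "$demo_root/etc/asterisk/sip.conf"
shipped=$(md5sum < "$demo_root/etc/asterisk/modules.conf" | cut -d' ' -f1)
placeholder=00000000000000000000000000000000   # constructed, not a real package hash

demo_report=$(printf ' %s %s\n' \
    /etc/asterisk/modules.conf "$shipped" \
    /etc/asterisk/sip.conf "$placeholder" \
    /etc/asterisk/manager.conf "$placeholder" | conffile_status "$demo_root")
echo "$demo_report"
rm -rf "$demo_root"

# On a live Debian system:
#   dpkg-query -W -f='${Conffiles}\n' asterisk-config | conffile_status ""
```

Running the report before and after an upgrade and comparing the two outputs shows whether any path moved from `deleted` back to `unchanged`.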