Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack

Julien BLACHE jblache at debian.org
Wed Oct 17 09:33:56 UTC 2007


Daniel-Constantin Mierla <daniel at voice-system.ro> wrote:

Hi,

> Practically, the check can be done in all versions of openser >= 1.0.0,
> but it is a bit more complex. The update in the SVN just eases the check
> by making the digest URI directly available via a pseudo-variable.

That's what I thought too...

> The point of leaving the check in the config file is to give more
> liberty in performing it. Imagine that the proxies are behind a load
> balancer and the R-URI is changed by the LB; in that case all auth
> would fail. The admin can add the initial R-URI in a special header at
> the LB and, in the proxy, compare that value with the digest URI.
> Embedding this check in the auth modules seemed too rigid.

Indeed.

I think someone's been a bit too trigger-happy with the CVE
assignment. I'll upload packages patched with SVN rev 2852 if the
security team feels it's necessary, otherwise I'm perfectly happy with
just closing that bug report.

JB.

-- 
 Julien BLACHE <jblache at debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 
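The check Daniel describes above, as an added example that is not part of the original thread or of openser's code: a proxy verifies the Digest response as the auth modules already do, then additionally requires the `uri=` parameter of the Authorization header to equal the Request-URI (or, when a load balancer has rewritten the R-URI, the original R-URI the LB stashed in a header). The credentials, nonce, phone numbers, and the header name `X-Original-RURI` are all constructed for this example; the digest is RFC 2617 MD5 without `qop`, and URIs are compared as plain strings rather than with RFC 3261 URI comparison, which a real deployment would need.

```python
"""Digest-URI vs Request-URI check for SIP Digest authentication (example, not openser code)."""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Constructed sample data (assumptions for this example, not from the bug report).
CREDENTIALS = {("alice", "example.net"): "s3cret"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # nonce the proxy is assumed to have issued
CHEAP = "sip:+12125550100@example.net"         # destination alice really called
EXPENSIVE = "sip:+19005550199@example.net"     # premium-rate destination the attacker wants


def parse_authorization(header: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k=v, ...' into a dict with lower-cased keys."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def digest_response(username: str, realm: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:digest-uri).
    The hash binds the *digest-uri* parameter, not the Request-URI of the packet."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def build_invite(request_uri: str, digest_uri: str, extra_headers: Tuple[str, ...] = ()) -> str:
    """Construct an INVITE from alice whose Authorization header was computed over digest_uri."""
    resp = digest_response("alice", "example.net", CREDENTIALS[("alice", "example.net")],
                           "INVITE", digest_uri, NONCE)
    auth = (f'Digest username="alice", realm="example.net", nonce="{NONCE}", '
            f'uri="{digest_uri}", response="{resp}"')
    lines = [f"INVITE {request_uri} SIP/2.0", f"Authorization: {auth}", *extra_headers, "", ""]
    return "\r\n".join(lines)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal SIP request parser: returns (method, request_uri, headers)."""
    lines = raw.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers


def authorize(raw: str, check_digest_uri: bool = True,
              original_ruri_header: Optional[str] = None) -> Tuple[bool, str]:
    """Verify credentials; with check_digest_uri, also require digest-uri == (original) R-URI."""
    method, request_uri, headers = parse_request(raw)
    if "authorization" not in headers:
        return False, "no credentials"
    auth = parse_authorization(headers["authorization"])
    password = CREDENTIALS.get((auth.get("username"), auth.get("realm")))
    if password is None:
        return False, "unknown user"
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"])
    if expected != auth.get("response"):
        return False, "bad digest"
    if check_digest_uri:
        # Behind a load balancer the R-URI may have been rewritten; trust the LB-supplied
        # original instead (hypothetical header name, set only by the LB in this model).
        effective_ruri = request_uri
        if original_ruri_header is not None:
            effective_ruri = headers.get(original_ruri_header.lower(), request_uri)
        if auth["uri"] != effective_ruri:
            return False, "digest uri does not match request uri"
    return True, "ok"


# Legitimate call: digest-uri and Request-URI agree.
LEGIT = build_invite(CHEAP, CHEAP)
# Forward attack: attacker keeps alice's Authorization header byte-for-byte (no password
# needed) and only rewrites the request line toward the expensive number.
FORWARDED = LEGIT.replace(f"INVITE {CHEAP} ", f"INVITE {EXPENSIVE} ", 1)
# Load balancer rewrote the R-URI to the proxy's address but preserved the original in a header.
BEHIND_LB = build_invite("sip:+12125550100@10.0.0.5", CHEAP,
                         extra_headers=("X-Original-RURI: " + CHEAP,))

if __name__ == "__main__":
    print("legit:", authorize(LEGIT))
    print("forwarded, digest only (the bug):", authorize(FORWARDED, check_digest_uri=False))
    print("forwarded, with check:", authorize(FORWARDED))
    print("behind LB, naive check:", authorize(BEHIND_LB))
    print("behind LB, LB header:", authorize(BEHIND_LB, original_ruri_header="X-Original-RURI"))
```

With the check disabled the forwarded INVITE passes, because the Digest response only covers the `uri=` parameter the attacker left untouched; with it enabled the mismatch is rejected, and the LB variant shows why a plain `digest-uri == R-URI` rule has to be adaptable per deployment. The header carrying the original R-URI must be stripped or overwritten at the LB for packets arriving from outside, or a client could simply add it itself. Nonce freshness and reuse are a separate defence and are not modelled here.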