See the existing discussion on this - basically download and compile the new pwlib & openh323 and recompile channels/h323 - you'll need to remove -Isomething/unix from the Makefile

Jim Rosenberg wrote:

To recap:

1. Security vulnerabilities have been found in the ASN.1 parsing of *many* H.323 implementations. Some security experts consider them quite serious, others don't.

2. OpenH323 *was* vulnerable when the announcement was made. (About a month and a half ago, or so.)

3. The OpenH323 folks patched their code quite quickly. I believe that to obtain their fix you need to check code out of CVS.

4. If you visit asterisk.org, follow "the usual" download instructions, and build in H.323 support, your resulting Asterisk *WILL* be vulnerable.

5. Integrating a "fixed" version of OpenH323 with Asterisk is not straightforward. (I at least have not been able to get this to work.)

6. There is (in my opinion) *widespread misunderstanding* on this issue. E.g., I had Digium support try to convince me that Asterisk was not vulnerable.

I would like to make a public appeal to whoever is in position to do this to issue an "official" patch -- and to update the asterisk.org website so newbies get a fixed version when they download and build in H.323 support. Please please please ...

-T.i.A., Jim


_______________________________________________ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
