--On Monday, June 28, 2004 7:21 PM +0200 Michael Sandee <[EMAIL PROTECTED]> wrote:

Other than that... if these problems are not being published when
fixed... then other distros do not have a chance to fix it... (think
about distros that use "stable" code, but haven't updated to 0.9 because
of problems)

I have to say -- with somewhat less vehemence -- that I'm another user who sure never noticed that the "stable" release of Asterisk had moved from 0.7.2 to 0.9x. This should have been an important announcement on *SEVERAL* security grounds. As of 0.7.2, the recommended version of channel H323 had some very serious vulnerabilities that the OpenH323 folks had fixed months previously.
This is an opportune time to repeat: H.323 uses ASN.1. ASN.1 is fiendishly complex and is a "known bad boy" in which many security holes have appeared over the years. It would be naive to think there won't be more. As VOIP hits the big-time and Asterisk joins the ranks of some of the other more famous open-source projects, quick response to security vulnerabilities will be expected.

It's nice to know in the case of these format string problems that they were in some sense addressed promptly, but we're not all subscribed to the dev list. A vulnerability that is fixed in CVS head but not back-patched to stable *is not fixed* as far as a large percentage of the user base is concerned.
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users