Hi Bastian,
First of all thanks for pointing this out. Currently both bugs have been
fixed in 1.1.x (stable) and 1.2.x (devel) versions.
The fixes were done by Di-Shi Sun for the OSP module (he is its
maintainer) and by me for the SMS module.
doing a search on the site, reveals 7 bugs, but there are only 3
district, the rest of 4 being duplicates. Not sure why :-/.
Bastian Friedrich wrote:
Hi,
happy new year!
As I have not seen the topic mentioned here, I'd like to report that there
were two more openser bugs disclosed on the security mailing list BugTraq:
http://www.securityfocus.com/archive/1/455415/30/30/threaded
http://www.securityfocus.com/archive/1/455412/30/30/threaded
Both describe possible buffer overflows (this time, with _possibly_ remote
exploitability) in two modules (sms and osp). Sadly, the hacker seems not to
have contacted the openser team before dislosing the bugs...
1) Is there any dedicated security contact for openser? It might be a good
idea to have a dedicated email address and/or dedicated security contact
information on the openser web page.
for the moment let us use the deve list or the bug tracker. maybe in the
feature we create a new tracker entry for vulnerabilities.
2) Have you been aware of the leaks? Is it ok that I forward these reports
here, or should I have opened new bugtracker tickets?
guess nobody had no idea about them....feel free to use the list.
Best regards,
Bogdan
Best,
Bastian
_______________________________________________
Devel mailing list
Devel@openser.org
http://openser.org/cgi-bin/mailman/listinfo/devel
