Hi Daniel,

the word “only” makes it sound like a small issue, at least in my ears.

Best
Gerry

> On 2 Sep 2020, at 13:33, Daniel-Constantin Mierla <[email protected]> wrote:
>
> Hello,
>
> On 02.09.20 12:53, Gerry | Rigatta wrote:
>> [...]
>>
>> I can only guess that Maxim took offence with your wording here, which can
>> be understood as downplaying the risk
>>>> The only security risk in my opinion
> please provide further details why is downplaying. Have you identified
> another security risk? I would like to be aware of and also let the others
> know. Or maybe something else is wrong in my statement, my English is not
> native and likely not the best out there, I am eager to learn from you and do
> better in the future.
>
> Using custom header names to tighten or loosen the security is a
> per-deployment specific approach, expected that only an insider knows it, but
> then such a guy has probably access to more important sensitive data (such as
> subscriber passwords, etc.).
>
> Based on my review (I could be wrong of course, but I stated clear is my
> opinion), none of the standard security related specs were impacted --
> user authentication, routing, etc ... that's the reason the bug lived for so
> long time.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
