[App_rpt-users] New Official Allstar Distribution Released

Stacy kg7qin at arrl.net
Tue Oct 6 04:29:49 UTC 2015


True, there is a lot to read.

I haven't looked at the iax2 code to see what Jim's added in.  If I
remember correctly, he's done an update to it for various things. 

-Stacy
KG7QIN

On 10/05/2015 07:23 PM, Steve Zingman wrote:
> There are going to be quite a few items to read.
> In the case of AST-2009-006.pdf, if I read this right, the fix is Call
> token validation.
> Looking at the source on the SVN I see around line 300 support for the
> token.
> Lots more to read, one step at a time...
>
>
> On 10/05/2015 10:09 PM, Stacy wrote:
>> Take a look at the Digium website.  The advisories are there.
>>
>> IAX2 has one (if I remember correctly it eats up all the channel's
>> resources causing a denial of service).
>>
>> http://www.asterisk.org/downloads/security-advisories
>>
>> -Stacy
>> KG7QIN
>>
>> On 10/05/2015 04:40 PM, Steve Zingman wrote:
>>> Leon,
>>> I've heard this before about old Asterisk. Any notes you can point
>>> to detailing security issues in 1.4?
>>>
>>> 73, Steve N4IRS
>>>
>>> On 10/05/2015 06:43 PM, Leon Zetekoff wrote:
>>>> If I can throw in my $0.02
>>>>
>>>> from someone who has worked at a service provider doing managed
>>>> services (routers and firewalls) you want to heed NerdUno (Ward
>>>> Mundy's) words to never expose Asterisk to the internet, and
>>>> especially since this is old Asterisk. You want some sort of
>>>> firewall appliance in front of it.
>>>>
>>>> I personally prefer VPN tunnels coming back in but you can get
>>>> crafty and do port forwards with unknown ports to like 22 and 80
>>>> but there's always that risk of someone catching on. Tunnels are
>>>> the safest way to get back inside. You want to expose only the
>>>> ports specifically necessary to do the job.
>>>>
>>>> 73 leon wa4zlw
>>>>
>>>> On 10/5/2015 6:17 PM, Bryan Fields wrote:
>>>>> On 10/5/15 4:56 PM, David Andrzejewski wrote:
>>>>>> This is a bad idea.  Root should *never* be allowed to login to a system 
>>>>>> remotely.  It's better to log in as a normal user and then become root 
>>>>>> via su, sudo, etc.
>>>>> meh, it's more of a local policy thing.  I'd prefer it's not
>>>>> enabled by default, but there are some reasons I could see for
>>>>> enabling it.
>>>>>
>>>>> -- 
>>>>> Bryan Fields
>>>>>
>>>>> 727-409-1194 - Voice
>>>>> 727-214-2508 - Fax
>>>>> http://bryanfields.net
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> App_rpt-users mailing list
>>>>> App_rpt-users at ohnosec.org
>>>>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>>>>>
>>>>> To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
>>>>> You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. 
>>>>
>>>
>>> -- 
>>> "Anything is possible if you don't know what you are talking about."
>>> 1st Law of Logic
>>>
>>
>
> -- 
> "Anything is possible if you don't know what you are talking about."
> 1st Law of Logic
