<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">True, there is a lot to read.<br>
<br>
I haven't looked at the iax2 code to see what Jim's added in. If
I remember correctly, he's done an update to it for various
things. <br>
<br>
-Stacy<br>
KG7QIN<br>
<br>
On 10/05/2015 07:23 PM, Steve Zingman wrote:<br>
</div>
<blockquote cite="mid:561330A2.8090203@msgstor.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
There are going to be quite a few items to read.<br>
In the case of AST-2009-006.pdf If I read this right the fix is
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
Call token validation.<br>
Looking at the source on the SVN I see around line 300 support for
the token.<br>
Lots more to read, one step at a time...<br>
<br>
<br>
<div class="moz-cite-prefix">On 10/05/2015 10:09 PM, Stacy wrote:<br>
</div>
<blockquote cite="mid:56132D40.7050205@arrl.net" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Take a look at the Digium website.
The advisories are there.<br>
<br>
IAX2 has one (if I remember correctly it eats up all the
channel's resources causing a denial of service).<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.asterisk.org/downloads/security-advisories">http://www.asterisk.org/downloads/security-advisories</a><br>
<br>
-Stacy<br>
KG7QIN<br>
<br>
On 10/05/2015 04:40 PM, Steve Zingman wrote:<br>
</div>
<blockquote cite="mid:56130A86.6020009@msgstor.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
Leon,<br>
I've heard this before about old Asterisk. Any notes you can
point to detailing security issues in 1.4?<br>
<br>
73, Steve N4IRS<br>
<br>
<div class="moz-cite-prefix">On 10/05/2015 06:43 PM, Leon
Zetekoff wrote:<br>
</div>
<blockquote cite="mid:5612FD12.3040606@backwoodswireless.net"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
If I can throw in my $0.02<br>
<br>
from someone who has worked at a service provider doing
managed services (routers and firewalls) you want to heed
NerdUno (Ward Mundy's) words to never expose Asterisk to the
internet, and especially since this is old ASterisk. You
want some sort of firewall appliance in front of it.<br>
<br>
I personally prefer VPN tunnels coming back in but you can
get crafty and do port forwards with unknown ports to like
22 and 80 but there's always that risk of someone catching
on. Tunnels are the safest way to get back inside. You only
want to expose only the ports specifically necessary to do
the job.<br>
<br>
73 leon wa4zlw<br>
<br>
<div class="moz-cite-prefix">On 10/5/2015 6:17 PM, Bryan
Fields wrote:<br>
</div>
<blockquote cite="mid:5612F713.1060902@bryanfields.net"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 10/5/15 4:56 PM, David AIf
I can throw inndrzejewski wrote:<br>
</div>
<blockquote
cite="mid:5612E411.3030905@davidandrzejewski.com"
type="cite">
<pre wrap="">This is a bad idea. Root should <b class="moz-txt-star"><span class="moz-txt-tag">*</span>never<span class="moz-txt-tag">*</span></b> be allowed to login to a system
remotely. It's better to log in as a normal user and then become root
via su, sudo, etc.</pre>
</blockquote>
meh, it's more of a local policy thing. I'd prefer it's
not enabled by default, but there are some reasons I could
see for enabling it.<br>
<br>
<pre class="moz-signature" cols="78">--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bryanfields.net">http://bryanfields.net</a></pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
App_rpt-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
To unsubscribe from this list please visit <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a> and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. </pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
App_rpt-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
To unsubscribe from this list please visit <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a> and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. </pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
App_rpt-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
To unsubscribe from this list please visit <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a> and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. </pre>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre>
</blockquote>
<br>
</body>
</html>