On December 26th, Grey VoIP reported a security hole in Asterisk - an Asterisk SIP Channel Driver BYE Message Denial of Service (DoS) vulnerability. The vulnerability could allow a remote user to send a specially crafted BYE message using the 'BYE with Also' transfer method to trigger a NULL pointer error cause the target service to crash. In just a week, Digium, the founders of the open source Asterisk platform, released an update to fix the problem.Every IP-PBX will have its share of bugs and security holes, I get Cisco advisories all the time, so I wasn't too concerned when I heard about this security vulnerability in Asterisk. But what amazes me is the fast turnaround to fix it - and over the major holidays no less!
Kudos to the Digium team and/or the open source community which were quick to react to this security issue! I'd be curious if it was the open source community that issued the patch or Digium. I'll fire off an email to Mark Spencer and see if he can give some insights.
Update (10:16am): Mark Spencer got back to me in 5 minutes. Here's his response
"The issue was reported as simply a bug on the issue tracker, but Digium's development team recognized this was a security vulnerability and provided the fix, as well as testing each branch of Asterisk and backporting the fix to all versions of Asterisk that were affected (all 1.4 based). Thanks for your interest!"
Even though the open source community helps in the development of Asterisk, this certainly goes to show the importance of Digium and their hired programmers to update Asterisk. Again, kudos to the Digium team in fixing this so quickly.
Technorati
Del.icio.us
Slashdot
Digg
twitter
Not bad for free!