Asterisk security update - and upgrading

Alex728

Just saw this online:

http://downloads.digium.com/pub/security/AST-2008-001.html

How worried should we all be? I'm no expert, but it looks from this advisory like someone could only crash your box if they were already authenticated in via SIP, so it would have to be a disgruntled user (with a lot of tech knowledge) or a rogue VOIP provider.

That said, I'd rather close this hole now if it's relatively easy, as it's a test system.

I take it that running update-source would be the first step, but I have made some changes to source to get OSLEC running and also in chan_zap.c to get correct Caller ID for internal calls (I'm in Britain, where we have some different ringing patterns and caller ID protocols).

Am I correct that what I should do is:

1. run update-source
2. add the caller ID patch and recompile
3. get OSLEC again and recompile OSLEC and Zaptel
4. copy the OSLEC and recompiled *.ko modules to the kernel startup directory
5. edit modules.dep to load OSLEC along with the relevant Zaptel module

How urgent would some of the experts on here say this upgrade actually is?
 
Just a WAG, but I'd say urgency is inversely proportional to the strength of the passwords on your SIP devices. ;)
 
Hi Alex

Why don't you send me a detailed list of what you did to get oslec working and I will include it as an option in the update-source. There have been a few people clamoring about it but I just have not had time to get to it. My usual path of development is make it work on my local hardware, then get some others who want to test it, then release it. 8^) I am sure everyone would benefit from your steps.

As for urgent, well, if you are running a pri card the update is essential, as zaptel has been causing deadlocks with certain pri cards... There are a number of entries on the digium dev site regarding this and it has caused a few systems to tumble. Luckily for piaf users it is a simple update-source away and no waiting for the "official corporation rebranded release". (me ranting... never)


Tom
 
I will send you the details shortly.

In the end I ran the update-source this morning and all worked well!

I did get a script warning - this may be as I had changed /usr/src/zaptel to /usr/src/zaptel-1.4.7.1 the day before (when installing OSLEC).

It appears to have had an advantageous effect, as everything else compiled worked fine but the new source didn't trash the patched zaptel from yesterday, so when it rebooted OSLEC was still there (and already working with zaptel 1.4.7.1).

I had to (predictably) redo the patch for the caller ID and reload some of my custom sounds (I replaced some American announcements like "all circuits are busy now" with British style tones and announcements).

I was pleased at how quickly I was up and running again...
 
