[OpenSIPS-Users] [OpenSIPS Security Alerts] [FIX] [Severity Critical] Core, DNS Blacklist support
Vlad Paiu
vladpaiu at opensips.org
Tue Aug 14 13:55:15 CEST 2012
This message was generated by the Security Alerts service ( Free Trial 14th of August - 14th of September )
http://www.opensips.org/Resources/AlertsMain
*SVN commit*:
http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=9157
*Severity*: Critical, Security Risk
*Version* : 1.7, 1.8, trunk
*Affected modules* : Core, DNS Blacklist support
*Effect* : DNS Blacklists not evaluated in certain cases
*Affected scenarios*: When attempting to use DNS blacklists from the OpenSIPS main
route, simply using a branch route will automatically drop all enabled blacklists. The
dropping is permanent and global for the processing of that message ( for all following scripting ),
thus leading to a big security risk, as blacklists are not evaluated, so you could route to
forbidden destinations.
*Description:* The reason for this is that internally, OpenSIPS would reset the DNS
blacklists each time a route was run, but this was obviously a bug, since the DNS
blacklists set in the main route would not persist across all branches in case
a per-branch route was activated.
*Risks* : Even though some DNS Blacklists would have been set, OpenSIPS was still
vulnerable to DNS injection attacks. Thus, updating is critical since this was a
major vulnerability.
*Update* :
- if you have an SVN checkout, 1.7, 1.8 and trunk were fixed; so
update to a revision later than 9157 (trunk) or 9158 (1.8 branch) or 9159 (1.7 branch)
- if you have OpenSIPS from sources, download and apply the patch from
http://opensips.svn.sourceforge.net/viewvc/opensips/branches/1.8/action.c?view=patch&r1=9158&r2=9157&pathrev=9158
or see the attached patch;
- if using tarballs, they were already regenerated (and include the fix)
- If using the official Debian package (apt.opensips.org), they are also
re-generated including the fix.
--
Vlad Paiu
OpenSIPS Developer
http://www.opensips-solutions.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: core_dns-9158.patch
Type: text/x-diff
Size: 483 bytes
Desc: not available
URL: <http://lists.opensips.org/pipermail/users/attachments/20120814/aa71f62c/attachment-0001.patch>
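To check whether a deployed script matches the affected scenario described above (a blacklist enabled from a request route plus a branch route in use), here is a small audit, added as an example and not part of the advisory or of OpenSIPS. It assumes the script functions use_blacklist() and t_on_branch() and the branch_route[...] block syntax, none of which are named in the advisory, and it counts use_blacklist() in any request route, not only the main one; the sample script is constructed.

```python
import re

ROUTE_HDR = re.compile(r"\b(route|branch_route|failure_route|onreply_route)"
                       r"\s*(?:\[\s*([^\]\s]*)\s*\])?\s*\{")

def route_blocks(cfg):
    """Yield (kind, name, body) for each route block, matching braces.
    Comments are stripped first; '#' or braces inside quoted strings are not handled."""
    text = re.sub(r"/\*.*?\*/", "", cfg, flags=re.S)
    text = re.sub(r"#.*", "", text)
    pos = 0
    while (m := ROUTE_HDR.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2) or "", text[m.end():i - 1]
        pos = i

def calls(func, body):
    """Return the quoted first argument of every func("...") call in body."""
    return re.findall(r"\b%s\s*\(\s*\"([^\"]+)\"" % re.escape(func), body)

def audit(cfg):
    """Report whether cfg matches the affected scenario from the advisory."""
    blocks = list(route_blocks(cfg))
    enabled = sorted({n for k, _, b in blocks if k == "route"
                      for n in calls("use_blacklist", b)})
    armed = {n for _, _, b in blocks for n in calls("t_on_branch", b)}
    defined = {name for k, name, _ in blocks if k == "branch_route"}
    used = sorted(armed & defined)  # branch routes that are both armed and defined
    return {"blacklists": enabled, "branch_routes": used,
            "affected_scenario": bool(enabled and used)}

# Constructed sample script, not taken from the advisory.
SAMPLE_CFG = '''
route {
    use_blacklist("deny_internal");  # enabled in the main route
    /* use_blacklist("commented_out"); */
    t_on_branch("1");                # arms a per-branch route
    t_relay();
}
branch_route[1] {
    xlog("new branch");
}
'''

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

A script that reports affected_scenario as True relies on blacklists in the way the advisory describes and should be running a build that includes the fix.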