<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
<pre>This message was generated by the Security Alerts service ( Free Trial 14th of August - 14th of September )
<a class="moz-txt-link-freetext" href="http://www.opensips.org/Resources/AlertsMain">http://www.opensips.org/Resources/AlertsMain</a>
<b>
SVN commit</b>:
<a class="moz-txt-link-freetext" href="http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=9157">http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=9157</a>
<b>Severity</b>: Critical, Security Risk
<b>Version</b> : 1.7, 1.8, trunk
<b>Affected modules</b> : Core, DNS Blacklist support
<b>Effect</b> : DNS Blacklists not evaluated in certain cases
<b>Affected scenarios</b>: When attempting to use DNS blacklists from the OpenSIPS main
route, simply using a branch route will automatically drop all enabled blacklists. The
dropping is permanent and global for the processing of that message ( for all following scripting ),
thus leading to a big security risk, as blacklists are not evaluated, so you could route to
forbidden destinations.
<b>Description:</b> The reason for this is that internally, OpenSIPS would reset the DNS
blacklists each time a route was run, but this was obviously a bug, since the DNS
blacklists set in the main route would not persist across all branches in case
a per-branch route was activated.
<b>Risks</b> : Even though some DNS Blacklists would have been set, OpenSIPS was still
vulnerable to DNS injection attacks. Thus, updating is critical since this was a
major vulnerability
<b>Update</b> :
- if you have an SVN checkout,1.7,1.8 and trunk were fixed; so
update to a revision later than 9157 (trunk) or 9158 (1.8 branch) or 9159 (1.7 branch)
- if you have OpenSIPS from sources, download and apply the patch from
<a class="moz-txt-link-freetext" href="http://opensips.svn.sourceforge.net/viewvc/opensips/branches/1.8/action.c?view=patch&r1=9158&r2=9157&pathrev=9158">http://opensips.svn.sourceforge.net/viewvc/opensips/branches/1.8/action.c?view=patch&r1=9158&r2=9157&pathrev=9158</a>
or see the attached patch;
- if using tarballs, they were already regenerated (and include the fix)
- If using the official Debian package (apt.opensips.org), they are also
re-generated including the fix.
</pre>
<pre class="moz-signature" cols="72">--
Vlad Paiu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a> </pre>
</body>
</html>