If your PBX is Asterisk-based, you need to subscribe to the asterisk-announce mailing list. This is where Asterisk developers post information regarding new releases and security updates for all versions of Asterisk. If you were on this mailing list, you would know that two recent security alerts (see below) forced Asterisk developers to issue new minor releases for all major Asterisk branches. Not only would you be aware of the alerts, you would also understand why the version numbering has changed slightly to accommodate these releases.
For those who aren't subscribed, be aware of the following two security vulnerabilities:
- AST-2009-008 SIP responses expose valid usernames
- AST-2009-009 Cross-site AJAX request vulnerability
The second vulnerability is really only a problem if you are running the demo manager interface, ajamdemo.html.

I’m such a newbie when it comes to all this, thanks for taking the time to write this up, keep them coming! Subscribe to asterisk-announce | Slaptijack was a wonderful read.