If almost one year ago we were releasing the first results of the security audit performed by of Enable Security over the OpenSIPS 3.2 code, now is the right time for the full disclosure.
What was missing?
As per the initial post, we hold back all the information about how to reproduce the crashes. Why? We wanted to give all our user a more than fair chance to protect themselves from any kind of malicious attacks based on the information disclosed in this report.
So we put ~1 year between the original brief results and the time to publish the full report.
And now is the time for the full report, detailing, for each found issue:
- bracktrace for the crash
- explanation of the crash
- detailed instructions on how to be reproduced
There are more then 50 pages of detailed information, thanks to the tremendous work done by the Enable Security team.
Work in progress
Right now, with all the information being public, we will have to complete some final steps
- GITHUB Security Advisories – we will go back to all the GIT commits related to the audit and properly fill in the data in the mentioned security advisories – in this way, the commits with the fixes will be directly linked to the detailed description of the issue.
- request CVEs – for all the items found, we will create public CVE’s to really help devops / engineers to upgrade.
More ?
More on security, testing and performance of OpenSIPS will be presented during the OpenSIPS Summit 2023 in Houston.
Drops of wisdom, knowledge and news from OpenSIPS 