-----BEGIN PGP SIGNED MESSAGE-----

18 August 1999

A serious security alert was discovered in SDR. 

This allowed remote intruders to execute arbitrary code with the privileges 
of the sdr user. This problem existed in all recent versions of sdr and affects 
both unix and windows versions.

Thanks to Olaf Kirch for bringing this problem to our attention.

This security problem was related to the SIP code in that incoming 
announcements were not checked for TCL special characters thus allowing
the possibility that malicious users could embed tcl commands in SIP
packets which would then be executed.

This problem has been fixed in SDR 2.7. Users should not use SDR versions
older than Version 2.7.  

- -- 
Colin Perkins                   
Department of Computer Science  Email: c.perkins@cs.ucl.ac.uk
University College London       WWW  : http://www.cs.ucl.ac.uk/staff/c.perkins/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAgUBN7qKQbfj66MyK6VJAQE+gQP/caLrd+/DSVxGXWo9/sJ6bwTjRbw7hVRf
NBI2GrwUGNi/GcPUBtKI0HBZjzmUPXiUb9KqFVH5o0MR6ZKvCW0/pu25l8jtJcEP
vFyFO8U3KC4xfUf6kS4LVnzBLgjUFeCOsJp49h8nBXJCyduANU6OVD1Ug7NWz7w5
xSoEHjOQ4tE=
=+Fnh
-----END PGP SIGNATURE-----