Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

Faidon Liambotis paravoid at debian.org
Wed Dec 19 18:52:10 UTC 2007


Nico Golde wrote:
> CVE-2007-6430[0]:
> | Due to the way database-based registrations ("realtime")
> | are processed, IP addresses are not checked when the
> | username is correct and there is no password. An
> | attacker may impersonate any user using host-based
> | authentication without a secret, simply by guessing the
> | username of that user. This is limited in scope to
> | administrators who have set up the registration database
> | ("realtime") for authentication and are using only
> | host-based authentication, not passwords. However, both
> | the SIP and IAX protocols are affected.
This is affecting unstable and stable. oldstable is not affected.

I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
unstable probably tomorrow or the day after that.

For stable, I don't think that the vulnerability is serious enough to
warrant a DSA. Maybe s-p-u is a better candidate?

Regards,
Faidon
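The quoted advisory concerns deployments where realtime SIP/IAX entries are authenticated purely by host, with no secret. The following Python audit is an added example, not code from this thread or from Asterisk: it parses a constructed sip.conf-style fragment (realtime rows are assumed to carry the same option names as sip.conf sections) and lists every peer/user/friend entry that has neither `secret` nor `md5secret`, which is the set an administrator would want to review or move to password authentication. The entry names and addresses are made up for the example.

```python
"""Audit sip.conf-style entries for host-only authentication (no secret).

Added example for the CVE-2007-6430 discussion; not Asterisk code.
Assumption: realtime rows use the same option names as sip.conf sections.
"""

import re
from typing import Dict, List

# Constructed sample configuration; names and addresses are placeholders.
SAMPLE_SIP_CONF = """\
[general]
context=default
bindport=5060

[alice]                 ; password-authenticated: not reported
type=friend
secret=EXAMPLE-PLACEHOLDER
host=dynamic

[pbx-trunk]             ; host-based only, no secret: reported
type=peer
host=192.0.2.10
context=from-trunk

[bob]                   ; user entry with no credential at all: reported
type=user
context=internal
"""

AUTH_KEYS = ("secret", "md5secret")   # either one counts as a credential
ENDPOINT_TYPES = ("peer", "user", "friend")


def parse_sip_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key=value lines; ';' starts a comment.

    Repeated keys keep the last value; template syntax like [name](!)
    is reduced to the section name only.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_host_only_entries(sections: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Return endpoint entries that rely on host matching without a secret."""
    findings = []
    for name, opts in sections.items():
        if opts.get("type", "").lower() not in ENDPOINT_TYPES:
            continue                      # [general] and non-endpoint sections
        if any(opts.get(k) for k in AUTH_KEYS):
            continue                      # has a password credential
        findings.append({
            "name": name,
            "type": opts["type"].lower(),
            "host": opts.get("host", "<unset>"),
        })
    return findings


def audit(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse then report."""
    return find_host_only_entries(parse_sip_conf(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_SIP_CONF):
        print(f"{f['name']}: type={f['type']} host={f['host']} (no secret/md5secret)")
```

Entries reported with `host=dynamic` and no secret are the broadest exposure, since any registering client could claim them; entries with a fixed host are exactly the case the advisory describes for realtime, where the IP check was skipped. Adding a `secret` (or `md5secret`) to each reported entry removes the dependence on host matching.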




