Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

Luk Claes luk at debian.org
Wed Dec 19 22:08:32 UTC 2007


Moritz Muehlenhoff wrote:
> On Wed, Dec 19, 2007 at 08:52:10PM +0200, Faidon Liambotis wrote:
>> Nico Golde wrote:
>>> CVE-2007-6430[0]:
>>> | Due to the way database-based registrations ("realtime")
>>> | are processed, IP addresses are not checked when the
>>> | username is correct and there is no password. An
>>> | attacker may impersonate any user using host-based
>>> | authentication without a secret, simply by guessing the
>>> | username of that user. This is limited in scope to
>>> | administrators who have set up the registration database
>>> | ("realtime") for authentication and are using only
>>> | host-based authentication, not passwords. However, both
>>> | the SIP and IAX protocols are affected.
>> This is affecting unstable and stable. oldstable is not affected.
>>
>> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
>> unstable probably tomorrow or the day after that.
>>
>> For stable, I don't think that the vulnerability is serious enough to
>> warrant a DSA.
> 
> I agree that a DSA is not warranted.
> 
>>  Maybe s-p-u is a better candidate?
> 
> s-p-u handling is sluggish, the next asterisk DSA will likely
> appear before it enters the next point release.

Please don't denigrate SRM.

The next point release is planned to happen before the end of the year
or early next year. It's true that it took a long time, though it's not
because we were sluggish. There were some issues with the team's
internals. When they got solved, ries crashed and we had to start from
scratch due to no backup being available, which we had asked for for more
than one year. Apparently the backup was not planned because of some backup
policy no one knew about. Those three problems are fixed in the meantime,
so without any unforeseeable misfortune a release will happen very soon.

Cheers

Luk
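The quoted CVE text above says the exposure is limited to installations that store peers in a realtime database and rely on host-based authentication with no secret. The following audit script is an added example, not part of this thread or of the Asterisk project; it scans peer rows for exactly that pattern so an administrator can find which entries would be affected. The column names (`name`, `host`, `secret`, `type`) and the sample rows are constructed assumptions modelled on a typical realtime peer table, not data from the bug report.

```python
"""Flag Asterisk realtime peers that depend on host-based authentication alone.

Assumed table layout: one dict per peer with 'name', 'host', 'secret' and
'type' keys, as exported from a realtime sippeers/iaxfriends table.
"""

# Constructed sample rows (not real configuration).
SAMPLE_PEERS = [
    {"name": "pbx-trunk", "host": "203.0.113.10", "secret": "", "type": "peer"},
    {"name": "alice", "host": "dynamic", "secret": "s3cr3t", "type": "friend"},
    {"name": "branch-gw", "host": "198.51.100.7", "secret": None, "type": "friend"},
    {"name": "bob", "host": "dynamic", "secret": "", "type": "friend"},
]


def _secret_of(peer):
    """Normalise a possibly NULL/blank secret column to a string."""
    return (peer.get("secret") or "").strip()


def _host_of(peer):
    """Normalise the host column; 'dynamic' means the peer registers itself."""
    return (peer.get("host") or "").strip().lower()


def uses_host_only_auth(peer):
    """True when a peer has a fixed host and no secret.

    Such a peer is accepted purely on the basis of the caller's source address
    matching 'host'; this is the configuration the CVE text describes as
    affected when realtime is in use.
    """
    return _host_of(peer) not in ("", "dynamic") and _secret_of(peer) == ""


def has_no_credentials(peer):
    """True when a dynamic peer has no secret at all (weak regardless of the CVE)."""
    return _host_of(peer) == "dynamic" and _secret_of(peer) == ""


def audit_peers(peers):
    """Return a report dict with sorted peer names in each risk category."""
    return {
        "host_only_auth": sorted(p["name"] for p in peers if uses_host_only_auth(p)),
        "no_credentials": sorted(p["name"] for p in peers if has_no_credentials(p)),
    }


if __name__ == "__main__":
    report = audit_peers(SAMPLE_PEERS)
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

In a real deployment the rows would come from the realtime database query rather than the constructed list; the remediation the CVE text implies is to give each flagged peer a secret (or upgrade to a version that enforces the host check under realtime).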
