asterisk stable update for CVE-2009-0041

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sun Apr 26 14:09:08 UTC 2009


On Sun, Apr 26, 2009 at 03:40:35PM +0200, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk some time ago.
> 
> CVE-2009-0041[0]:
> | IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
> | 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x,
> | B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
> | C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a
> | failed login attempt depending on whether the user account exists,
> | which allows remote attackers to enumerate valid usernames.
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> 
> This is Debian bug #513413.
> 
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.

This, as well as CVE-2008-3903, is fixed in SVN (branches/etch,
branches/lenny):

http://svn.debian.org/viewsvn/pkg-voip/asterisk/branches/lenny/
http://svn.debian.org/viewsvn/pkg-voip/asterisk/branches/etch/




-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir


