Bug#514524: asterisk: CVE-2009-0041 possible account enumeration via IAX2

Nico Golde nion at debian.org
Sun Feb 8 12:35:50 UTC 2009


Source: asterisk
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.

CVE-2009-0041[0]:
| IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
| 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x,
| B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
| C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a
| failed login attempt depending on whether the user account exists,
| which allows remote attackers to enumerate valid usernames.

Patch: 
http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0041
    http://security-tracker.debian.net/tracker/CVE-2009-0041

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
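
Added example, not part of the original mail and not taken from Asterisk or the linked patch: a simplified model of a challenge-response login showing the leak class described in the CVE text (reply differs by account existence) next to a uniform-reply form. All names, reply codes and sample accounts are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts; names and secrets are placeholders. */
struct peer { const char *name; const char *secret; };
static const struct peer peers[] = { {"alice", "s3cret-a"}, {"bob", "s3cret-b"} };

enum reply { REPLY_CHALLENGE, REPLY_REJECT, REPLY_ACCEPT };

static const struct peer *find_peer(const char *name) {
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        if (strcmp(peers[i].name, name) == 0) return &peers[i];
    return NULL;
}

/* Leaky shape: the first reply depends on whether the account exists. */
enum reply first_reply_leaky(const char *name) {
    return find_peer(name) ? REPLY_CHALLENGE : REPLY_REJECT;
}

/* Uniform shape: every name, known or not, is answered with a challenge. */
enum reply first_reply_uniform(const char *name) {
    (void)name;
    return REPLY_CHALLENGE;
}

/* Comparison that does not stop at the first mismatching byte. */
static int no_early_exit_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Second step: unknown account and wrong secret end in the same reject.
 * An unknown name is still compared against a dummy value, and can never
 * be accepted even if the caller happens to send that dummy value. */
enum reply final_reply_uniform(const char *name, const char *secret) {
    static const char dummy[] = "!no-such-peer!";
    const struct peer *p = find_peer(name);
    int ok = no_early_exit_equal(p ? p->secret : dummy, secret);
    return (p && ok) ? REPLY_ACCEPT : REPLY_REJECT;
}
```

When checking a fixed build, the comparison to make is the one the model makes: the full reply sequence for a nonexistent account should match the sequence for an existing account with a wrong secret.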