asterisk stable update for CVE-2009-0041

Luk Claes luk at debian.org
Sat May 2 12:49:30 UTC 2009


Tzafrir Cohen wrote:
> On Sun, Apr 26, 2009 at 03:40:35PM +0200, Nico Golde wrote:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for asterisk some time ago.
>>
>> CVE-2009-0041[0]:
>> | IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
>> | 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x,
>> | B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
>> | C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a
>> | failed login attempt depending on whether the user account exists,
>> | which allows remote attackers to enumerate valid usernames.
>>
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via a regular security update in Debian stable. It does
>> not warrant a DSA.
>>
>> This is Debian bug #513413.
>>
>> However it would be nice if this could get fixed via a regular point update[1].
>> Please contact the release team for this.
> 
> This, as well as CVE-2008-3903, are fixed in the SVN (branches/etch,
> branches/lenny)

Please upload.

Cheers

Luk



More information about the Pkg-voip-maintainers mailing list