Your message dated Sun, 8 Feb 2009 13:39:44 +0100
with message-id <[email protected]>
and subject line Re: AST-2009-001: Information leak in IAX2 authentication
has caused the Debian Bug report #514524,
regarding asterisk: CVE-2009-0041 possible account enumeration via IAX2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
514524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514524
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: asterisk
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.
CVE-2009-0041[0]:
| IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
| 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x,
| B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
| C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a
| failed login attempt depending on whether the user account exists,
| which allows remote attackers to enumerate valid usernames.
Patch:
http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0041
http://security-tracker.debian.net/tracker/CVE-2009-0041
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpixplV4eTtd.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
tags 513413 + patch
severity 513413 important
thanks
Missed that Moritz already filed a bug.
A patch for this issue is at:
http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff
It applies fine to the package currently in unstable.
Btw this is CVE-2009-0041 not CVE-2008-0041.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpkIXx1jOEmn.pgp
Description: PGP signature
--- End Message ---
