Bug#522528: marked as done (AST-2009-003: SIP responses expose valid usernames)

[Debian Bug Tracking System]

Your message dated Wed, 16 Dec 2009 23:32:30 +0000
with message-id <e1nl3m6-0008ll...@ries.debian.org>
and subject line Bug#522528: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny1
has caused the Debian Bug report #522528,
regarding AST-2009-003: SIP responses expose valid usernames
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
522528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: asterisk
version: 1:1.4.21.2~dfsg-3
Severity: grave
Tags: patch

The Asterisk Project has issued the following advisory:
http://downloads.digium.com/pub/asa/AST-2009-003.html

It affects the versions in oldstable (1.2.13), stable/testing/unstable 
(1.4.21) and experimental (1.6.1-rc3. rc4, fixing this should be
released shortly). 

CVE entry: CVE-2008-3903

I'd like to include here the text of the advisory, as I believe it is
worth restating:

  In 2006, the Asterisk maintainers made it more difficult to scan for
  valid SIP usernames by implementing an option called
  "alwaysauthreject", which should return a 401 error on all replies
  which are generated for users which do not exist. While this was
  sufficient at the time, due to ever increasing compliance with RFC
  3261, the SIP specification, that is no longer sufficient as a means
  towards preventing attackers from checking responses to verify whether
  a SIP account exists on a machine.

  What we have done is to carefully emulate exactly the same responses
  throughout possible dialogs, which should prevent attackers from
  gleaning this information. All invalid users, if this option is turned
  on, will receive the same response throughout the dialog, as if a
  username was valid, but the password was incorrect.

  It is important to note several things. First, this vulnerability is
  derived directly from the SIP specification, and it is a technical
  violation of RFC 3261 (and subsequent RFCs, as of this date), for us
  to return these responses. Second, this attack is made much more
  difficult if administrators avoided creating all-numeric usernames and
  especially all-numeric passwords. This combination is extremely
  vulnerable for servers connected to the public Internet, even with
  this patch in place. While it may make configuring SIP telephones
  easier in the short term, it has the potential to cause grief over the
  long term.

Patches are linked from the advisory and are now being tested.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir

--- End Message ---

--- Begin Message ---

Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.dsc
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 522...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <parav...@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Dec 2009 01:11:44 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg 
asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.21.2~dfsg-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <parav...@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 522528 554486 554487 559103
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny1) stable-security; urgency=high
 .
   * Multiple security fixes:
     - "Information leak in IAX2 authentication", AST-2009-001, CVE-2009-0041.
     - "Remote Crash Vulnerability in SIP channel driver", AST-2009-002.
     - "SIP responses expose valid usernames", AST-2009-003, CVE-2008-3903.
       (Closes: #522528)
     - "SIP responses expose valid usernames", AST-2009-008, CVE-2009-3727.
       (Closes: #554487)
     - Stop shipping old static-http code in examples. Among other things, it
       includes a vulnerable version of the prototype Javascript library.
       AST-2009-009, CVE-2008-7220. (Closes: #554486)
     - "RTP Remote Crash Vulnerability", AST-2009-010, CVE-2009-4055.
       (Closes: #559103)
Checksums-Sha1: 
 b39571677b5dee2efda9fc794b3d2ab5cebeb9ab 1984 
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
 3b64d5aba93d38381d4e80b904f66741631aae89 5295205 
asterisk_1.4.21.2~dfsg.orig.tar.gz
 880546ae3b24c47f6bb6de248599086626772b47 150880 
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
 db42a0cbcb3bd6a5b44f0acebc91b809e15176c3 32514900 
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
 9426e6a3e3dc12834c7e705fa8513b8d4fdae092 427650 
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
 bb1cfceef93bdef38fc64aac7ea13dcb1130d7e6 1897736 
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
 14839ed0b3cb721459ddad32b87cfa4b3e11d558 478858 
asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
 a2121ba035dbbc96bb6b92ed3f3fd70f5ed235db 2407006 
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
 db4f0873783fdea719309109b080facb75b5c1a1 388450 
asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
 a23c992cd677082e793f4b96d150792fb7436d85 12937820 
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
Checksums-Sha256: 
 3c1c8a5e5054d30c2aad0546deac4907fb8c46cf82732f4598f0d34baa69aafc 1984 
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
 18a2c244568f11b75afd0850cae65b394be888c778869fce61651e64a181603d 5295205 
asterisk_1.4.21.2~dfsg.orig.tar.gz
 5dd0f5c19b6d458a1ef432818247c98b2ad4e2ceb4b3f4535b2b91243d1e4a6e 150880 
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
 196f07874797f359adb03111311abe1893b1623d7808ab206da90d6847797a2e 32514900 
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
 c060a368134b247aa1d27374b683ee3f273da951bee28659cbabab2f3c7d004a 427650 
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
 3309cb55110e7b43a47a5cd7c7488731282ac128a2d40e937292e760232c6434 1897736 
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
 34341baafa36917469e4d72429ea642418628bf2626cb9208baf17337186e788 478858 
asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
 187122e727887bdbb9cd62b3a1701a8de53b81e27cbb4a427d1437f9f154f167 2407006 
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
 80619106ec8570c3a584bf81e8a1f5cb64e1c4af7a50e31ad6308b381821512e 388450 
asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
 4ee223894f928d207c29e62e3f15bb14a7b57da491ccfd2bdb61820efa62693f 12937820 
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
Files: 
 69dcaf09361976f55a053512fb26d7b5 1984 comm optional 
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
 f641d1140b964e71e38d27bf3b2a2d80 5295205 comm optional 
asterisk_1.4.21.2~dfsg.orig.tar.gz
 ba6e81cd6ab443ef04467d57a1d954b3 150880 comm optional 
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
 8d959ce35cc61436ee1e09af475459d1 32514900 doc extra 
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
 fb8a7dd925c8d209f3007e2a7d6602d8 427650 devel extra 
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
 f0b7912d2ea0377bbb3c56cbc067d230 1897736 comm optional 
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
 b483c77c21df4ae9cea8a4277f96966a 478858 comm optional 
asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
 2bbd456e2d36a734ac0789b6ff7e9d22 2407006 comm optional 
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
 7c9e49cb8610a577d63f3fb77ecd92da 388450 comm optional 
asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
 46acd420961efc6c932d94eec0452ad3 12937820 devel extra 
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksmj6cACgkQVty5d8XpUzMwHgCeKbMGyk0QDov48qlK09G5Fdzb
w2gAn2POsBO9cc4Dv+PrArwit8Is90D1
=M94m
-----END PGP SIGNATURE-----

--- End Message ---