Your message dated Fri, 01 Jul 2011 15:32:40 +0000
with message-id <e1qcfhw-0003fb...@franck.debian.org>
and subject line Bug#632029: fixed in asterisk 1:1.8.4.4~dfsg-1
has caused the Debian Bug report #632029,
regarding asterisk: AST-2011-011 (CVE-2011-2536) Possible enumeration of SIP users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
632029: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632029
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.8.4.2-1.8979
Severity: grave
Tags: security upstream patch
Justification: user security hole

Asterisk may respond differently to SIP requests from an invalid SIP
user than it does to a user configured on the system, even when the
alwaysauthreject option is set in the configuration. This can leak 
information about what SIP users are valid on the Asterisk system.

Respond to SIP requests from invalid and valid SIP users in the same way.
Asterisk 1.4 (in Oldstable) and 1.6.2 (in Stable) do not respond
identically by default due to backward-compatibility reasons, and must
have alwaysauthreject=yes set in sip.conf. Asterisk 1.8 defaults to
alwaysauthreject=yes.



--- End Message ---
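
As an added example (not part of the bug report or of Asterisk itself), the following audit reads a `sip.conf` and reports the effective `alwaysauthreject` value for a given Asterisk branch, using the per-branch defaults stated in the report. The function names and sample configurations are constructed for illustration, and `#include` files and `\;` escapes are not handled.

```python
import re

# Defaults per Asterisk branch, as stated in the bug report above.
BRANCH_DEFAULT = {"1.4": False, "1.6.2": False, "1.8": True}
# Strings Asterisk treats as boolean true in configuration files.
TRUE_WORDS = {"yes", "true", "y", "t", "1", "on"}

def effective_alwaysauthreject(sip_conf_text, branch):
    """Return (enabled, explicit) for alwaysauthreject in [general]."""
    enabled, explicit = BRANCH_DEFAULT[branch], False
    section = None
    for raw in sip_conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop ';' comments
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:                                      # section header, e.g. [general]
            section = m.group(1).strip().lower()
            continue
        if section != "general" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.lstrip(">").strip().lower()  # accept 'key => value' too
        if key.strip().lower() == "alwaysauthreject":
            enabled, explicit = value in TRUE_WORDS, True  # last setting wins
    return enabled, explicit

def audit(sip_conf_text, branch):
    """Turn the effective setting into a one-line finding."""
    enabled, explicit = effective_alwaysauthreject(sip_conf_text, branch)
    if not enabled:
        return "FAIL: alwaysauthreject is off; set alwaysauthreject=yes in [general]"
    if not explicit:
        return "OK: enabled by the branch default; consider setting it explicitly"
    return "OK: alwaysauthreject=yes is set explicitly"

# Constructed sample configurations (not from a real system).
SAMPLE_UNSET = "[general]\ncontext=default\n;alwaysauthreject=yes\n\n[alice]\ntype=friend\n"
SAMPLE_SET = "[general]\nalwaysauthreject = yes ; hide valid users\n"
SAMPLE_OVERRIDE = "[general]\nalwaysauthreject=yes\nalwaysauthreject=no\n"

if __name__ == "__main__":
    for branch in ("1.4", "1.6.2", "1.8"):
        print(branch, "unset ->", audit(SAMPLE_UNSET, branch))
    print("1.6.2 set ->", audit(SAMPLE_SET, "1.6.2"))
    print("1.8 overridden ->", audit(SAMPLE_OVERRIDE, "1.8"))
```

The report states that affected versions can respond differently even with the option set, so this check complements the package upgrade rather than replacing it.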
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.8.4.4~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.8.4.4~dfsg-1_all.deb
  to main/a/asterisk/asterisk-config_1.8.4.4~dfsg-1_all.deb
asterisk-dahdi_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-dahdi_1.8.4.4~dfsg-1_amd64.deb
asterisk-dbg_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.8.4.4~dfsg-1_amd64.deb
asterisk-dev_1.8.4.4~dfsg-1_all.deb
  to main/a/asterisk/asterisk-dev_1.8.4.4~dfsg-1_all.deb
asterisk-doc_1.8.4.4~dfsg-1_all.deb
  to main/a/asterisk/asterisk-doc_1.8.4.4~dfsg-1_all.deb
asterisk-h323_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-h323_1.8.4.4~dfsg-1_amd64.deb
asterisk-mobile_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mobile_1.8.4.4~dfsg-1_amd64.deb
asterisk-modules_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-modules_1.8.4.4~dfsg-1_amd64.deb
asterisk-mp3_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mp3_1.8.4.4~dfsg-1_amd64.deb
asterisk-mysql_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mysql_1.8.4.4~dfsg-1_amd64.deb
asterisk-ooh323_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-ooh323_1.8.4.4~dfsg-1_amd64.deb
asterisk-voicemail-imapstorage_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-imapstorage_1.8.4.4~dfsg-1_amd64.deb
asterisk-voicemail-odbcstorage_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-odbcstorage_1.8.4.4~dfsg-1_amd64.deb
asterisk-voicemail_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail_1.8.4.4~dfsg-1_amd64.deb
asterisk_1.8.4.4~dfsg-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.8.4.4~dfsg-1.debian.tar.gz
asterisk_1.8.4.4~dfsg-1.dsc
  to main/a/asterisk/asterisk_1.8.4.4~dfsg-1.dsc
asterisk_1.8.4.4~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk_1.8.4.4~dfsg-1_amd64.deb
asterisk_1.8.4.4~dfsg.orig.tar.gz
  to main/a/asterisk/asterisk_1.8.4.4~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 632...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzaf...@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 01 Jul 2011 11:51:45 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-h323 asterisk-dahdi 
asterisk-voicemail asterisk-voicemail-imapstorage 
asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql 
asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.4.4~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzaf...@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for the Asterisk PBX
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX (DUMMY)
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 632029
Changes: 
 asterisk (1:1.8.4.4~dfsg-1) unstable; urgency=high
 .
   * AST-2011-011 (CVE-2011-2536): Don't leak SIP username information
     (closes: #632029)
   * Clearly the NC-ND license for AST.{pdf,txt} is here to stay. Strip it.
     - And while we're at it, strip out sound files and some generated files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk4N4nAACgkQxArWdkN9MosrVwCbBxa/irsDLyNbbaantjMJjJsW
Zf4AoNi2I5DE7gvg7BU21oE5gQ47laF1
=mCS+
-----END PGP SIGNATURE-----



--- End Message ---
