On Sun, Apr 26, 2009 at 03:40:35PM +0200, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk some time ago.
>
> CVE-2009-0041[0]:
> | IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
> | 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x,
> | B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
> | C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a
> | failed login attempt depending on whether the user account exists,
> | which allows remote attackers to enumerate valid usernames.
>
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
>
> This is Debian bug #513413.
>
> However it would be nice if this could get fixed via a regular point
> update[1].
> Please contact the release team for this.

This, as well as CVE-2008-3903, are fixed in the SVN (branches/etch,
branches/lenny)

http://svn.debian.org/viewsvn/pkg-voip/asterisk/branches/lenny/
http://svn.debian.org/viewsvn/pkg-voip/asterisk/branches/etch/

-- 
Tzafrir Cohen
icq#16849755 jabber:[email protected]
+972-50-7952406 mailto:[email protected]
http://www.xorcom.com iax:[email protected]/tzafrir
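
The behaviour quoted in the CVE-2009-0041 description, reduced to a small C model as an added example; it is not part of this thread, not Asterisk's source and not the IAX2 wire format. The account table, function names and reply codes are constructed for illustration. It contrasts a login step whose first reply depends on whether the account exists with one that replies identically for known and unknown users.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reply codes for a two-step challenge/response login. */
enum reply { REPLY_REJECT, REPLY_CHALLENGE, REPLY_ACCEPT };

struct account { const char *user; const char *secret; };
static const struct account accounts[] = { { "alice", "s3cret" } }; /* constructed */

static const struct account *find_account(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Weak: the first reply already tells the peer whether the account exists. */
enum reply first_reply_weak(const char *user) {
    return find_account(user) ? REPLY_CHALLENGE : REPLY_REJECT;
}

/* Uniform: every attempt is challenged, whether or not the user exists. */
enum reply first_reply_uniform(const char *user) {
    (void)find_account(user);            /* same lookup on both paths */
    return REPLY_CHALLENGE;
}

/* Uniform: an unknown user fails at the same step, with the same reply,
 * as a known user with a wrong secret. A production check would also
 * compare the challenge response in constant time. */
enum reply final_reply_uniform(const char *user, const char *secret) {
    const struct account *a = find_account(user);
    const char *expected = a ? a->secret : "";
    int ok = (a != NULL) & (strcmp(expected, secret) == 0);
    return ok ? REPLY_ACCEPT : REPLY_REJECT;
}

/* Regression check: 1 if the first reply separates known from unknown users. */
int first_reply_leaks(enum reply (*first)(const char *)) {
    return first("alice") != first("no-such-user");
}

int main(void) {
    printf("weak handler leaks:    %d\n", first_reply_leaks(first_reply_weak));
    printf("uniform handler leaks: %d\n", first_reply_leaks(first_reply_uniform));
    return 0;
}
```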

