Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

Moritz Muehlenhoff jmm at inutil.org
Wed Dec 19 19:52:56 UTC 2007


On Wed, Dec 19, 2007 at 08:52:10PM +0200, Faidon Liambotis wrote:
> Nico Golde wrote:
> > CVE-2007-6430[0]:
> > | Due to the way database-based registrations ("realtime")
> > | are processed, IP addresses are not checked when the
> > | username is correct and there is no password. An
> > | attacker may impersonate any user using host-based
> > | authentication without a secret, simply by guessing the
> > | username of that user. This is limited in scope to
> > | administrators who have set up the registration database
> > | ("realtime") for authentication and are using only
> > | host-based authentication, not passwords. However, both
> > | the SIP and IAX protocols are affected.
> This is affecting unstable and stable. oldstable is not affected.
> 
> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> unstable probably tomorrow or the day after that.
> 
> For stable, I don't think that the vulnerability is serious enough to
> warrant a DSA.

I agree that a DSA is not warranted.

>  Maybe s-p-u is a better candidate?

s-p-u handling is sluggish; the next asterisk DSA will likely
appear before it enters the next point release.

A more serious asterisk issue will surely appear, so let's just
postpone it.

Cheers,
        Moritz
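To make the flaw quoted from the CVE text concrete, here is an added illustration that is not Asterisk's own code and not part of the original thread. It models, in a few lines of Python, how a registrar looks up an inbound SIP/IAX request against "realtime" peer rows: the vulnerable variant accepts a secret-less peer on username alone, while the fixed variant also requires the request's source address to match the peer's configured host, as static peers already did. The peer fields (`name`, `host`, `secret`) and the sample rows are constructed assumptions, and the model ignores everything else a real registrar does (challenge/response, `host=dynamic` registration state, ACLs). The `exposed_peers()` helper is the audit a defender would run over the realtime table: any peer with an empty secret depends entirely on the host check, so giving those peers a secret removes the exposure regardless of the fix.

```python
"""Simplified model of the CVE-2007-6430 realtime lookup bug and its fix.

Added example, not Asterisk code. Peer fields and all sample data below are
constructed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Peer:
    name: str      # username the request must present
    host: str      # fixed address for host-based auth, or "dynamic"
    secret: str    # empty string means no password configured


@dataclass(frozen=True)
class Request:
    username: str
    source_ip: str
    secret: str = ""   # password offered by the caller, if any


# Constructed sample "realtime" peer table (assumed layout, not a real DB).
REALTIME_PEERS: List[Peer] = [
    Peer("alice", "192.0.2.10", ""),        # host-based auth only
    Peer("bob", "192.0.2.20", "s3cr3t"),    # password auth
    Peer("carol", "dynamic", "pw"),         # password auth, dynamic host
    Peer("gateway", "198.51.100.5", ""),    # host-based auth only
]


def _find(peers: List[Peer], username: str) -> Optional[Peer]:
    """Realtime lookup keyed on the presented username."""
    return next((p for p in peers if p.name == username), None)


def authenticate_vulnerable(peers: List[Peer], req: Request) -> bool:
    """Flawed behaviour described in the CVE: for a realtime peer with no
    secret, a correct username is enough; the source IP is never compared."""
    peer = _find(peers, req.username)
    if peer is None:
        return False
    if peer.secret:
        return hmac.compare_digest(peer.secret, req.secret)
    return True   # BUG: host check skipped for secret-less realtime peers


def authenticate_fixed(peers: List[Peer], req: Request) -> bool:
    """Corrected behaviour: a secret-less peer's only credential is its
    address, so the request must come from the configured host."""
    peer = _find(peers, req.username)
    if peer is None:
        return False
    if peer.secret:
        return hmac.compare_digest(peer.secret, req.secret)
    return peer.host != "dynamic" and peer.host == req.source_ip


def exposed_peers(peers: List[Peer]) -> List[str]:
    """Audit helper: peers that rely on host-based auth alone (no secret).
    Setting a secret on each of these removes the exposure."""
    return sorted(p.name for p in peers if not p.secret)


if __name__ == "__main__":
    spoofed = Request("alice", "203.0.113.77")   # right name, wrong address
    print("vulnerable accepts:", authenticate_vulnerable(REALTIME_PEERS, spoofed))
    print("fixed accepts:     ", authenticate_fixed(REALTIME_PEERS, spoofed))
    print("peers without a secret:", exposed_peers(REALTIME_PEERS))
```

Run as a script it prints that the vulnerable lookup accepts the mismatched request while the fixed one rejects it, and lists `alice` and `gateway` as the rows an administrator should give a secret to.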
