Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

Nico Golde nion at debian.org
Wed Dec 19 21:38:25 UTC 2007


Hi Faidon,
* Faidon Liambotis <paravoid at debian.org> [2007-12-19 20:18]:
> Nico Golde wrote:
> > CVE-2007-6430[0]:
> > | Due to the way database-based registrations ("realtime")
> > | are processed, IP addresses are not checked when the
> > | username is correct and there is no password. An
> > | attacker may impersonate any user using host-based
> > | authentication without a secret, simply by guessing the
> > | username of that user. This is limited in scope to
> > | administrators who have set up the registration database
> > | ("realtime") for authentication and are using only
> > | host-based authentication, not passwords. However, both
> > | the SIP and IAX protocols are affected.
> This is affecting unstable and stable. oldstable is not affected.
> 
> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> unstable probably tomorrow or the day after that.
[...] 
Sounds good, thanks for taking care of it.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
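As an added illustration of the CVE-2007-6430 condition described in the quoted text above (this is example code written for this archive page, not Asterisk source or anything from the bug reporters), the block below models the authorization decision for a realtime peer in two forms, the flawed one and a corrected one, and adds a small audit helper that lists peers relying on host-based authentication with no secret. The peer records are constructed inline and are assumed to look like rows from a realtime peer table with `name`, `host` and `secret` columns; the function names and the simplification of the check are assumptions for the illustration, not Asterisk's actual code paths.

```python
"""Simplified model of the CVE-2007-6430 realtime authentication flaw.

This is an illustration, not Asterisk's implementation. A realtime peer is
modelled as a dict with the columns a realtime peer table is assumed to
carry: name, host (a literal IP or "dynamic") and secret (empty means the
administrator relies on host-based authentication only).
"""
from typing import Dict, List, Optional

Peer = Dict[str, str]

# Constructed sample realtime peer rows (not real data).
PEERS: List[Peer] = [
    {"name": "trunk1",  "host": "198.51.100.10", "secret": ""},        # host-only
    {"name": "trunk2",  "host": "198.51.100.20", "secret": "s3cret"},
    {"name": "alice",   "host": "dynamic",       "secret": "alicepw"},
    {"name": "gateway", "host": "203.0.113.7",   "secret": ""},        # host-only
]


def lookup(peers: List[Peer], username: str) -> Optional[Peer]:
    """Realtime lookup by username, as a registration or INVITE would trigger."""
    for peer in peers:
        if peer["name"] == username:
            return peer
    return None


def authorize_vulnerable(peers: List[Peer], username: str,
                         source_ip: str, secret: str) -> bool:
    """Flawed decision modelled on the advisory text.

    When the username matches a realtime peer that has no secret, the
    request is accepted without ever comparing source_ip against the
    configured host. Guessing the username is therefore enough.
    """
    peer = lookup(peers, username)
    if peer is None:
        return False
    if peer["secret"]:
        return secret == peer["secret"]
    return True  # <-- missing host check: the bug


def authorize_fixed(peers: List[Peer], username: str,
                    source_ip: str, secret: str) -> bool:
    """Corrected decision: host-based peers must match the source address.

    A host-only peer whose host is "dynamic" can never be authorized,
    because there is nothing left to authenticate against.
    """
    peer = lookup(peers, username)
    if peer is None:
        return False
    if peer["secret"]:
        return secret == peer["secret"]
    return peer["host"] != "dynamic" and peer["host"] == source_ip


def find_host_only_peers(peers: List[Peer]) -> List[str]:
    """Audit helper: names of peers that have no secret configured.

    On an affected Asterisk these are exactly the accounts an attacker can
    impersonate by guessing the name; setting a secret on each removes the
    exposure regardless of the server version.
    """
    return [peer["name"] for peer in peers if not peer["secret"]]


if __name__ == "__main__":
    attacker_ip = "192.0.2.99"  # not the configured host of any peer
    for name in find_host_only_peers(PEERS):
        print(f"{name}: vulnerable={authorize_vulnerable(PEERS, name, attacker_ip, '')}"
              f" fixed={authorize_fixed(PEERS, name, attacker_ip, '')}")
```

Running the block prints, for each host-only peer, that the flawed check accepts a request from an unrelated address while the corrected check rejects it; the `find_host_only_peers` helper is the part an administrator of an affected realtime deployment would actually want, since the CVE only bites accounts with an empty secret.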