Bug#632029: asterisk: AST-2011-011 (CVE-2011-2536) Possible enumeration of SIP users
Tzafrir Cohen
tzafrir at debian.org
Wed Jun 29 08:46:18 UTC 2011
Package: asterisk
Version: 1:1.8.4.2-1.8979
Severity: grave
Tags: security upstream patch
Justification: user security hole
Asterisk may respond differently to SIP requests from an invalid SIP
user than it does to a user configured on the system, even when the
alwaysauthreject option is set in the configuration. This can leak
information about what SIP users are valid on the Asterisk system.
Respond to SIP requests from invalid and valid SIP users in the same way.
Asterisk 1.4 (in Oldstable) and 1.6.2 (in Stable) do not respond
identically by default due to backward-compatibility reasons, and must
have alwaysauthreject=yes set in sip.conf. Asterisk 1.8 defaults to
alwaysauthreject=yes.
More information about the Pkg-voip-maintainers
mailing list