oss-sec mailing list archives
Re: CVE Request - Asterisk (AST-2009-008.html)
From: Josh Bressers <bressers () redhat com>
Date: Thu, 5 Nov 2009 12:35:09 -0500 (EST)
CVE-2009-3727 Asterisk AST-2009-008 Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, and 1.6.0.x before 1.6.0.17; Asterisk Business Edition A.x.x, B.x.x before B.2.5.12, C.1.x.x before C.2.x.x before C.2.4.5 and C.3.2.2; s800i 1.3.x before 1.3.0.5; Generates different responses when a specially crafted REGISTER message is sent twice depending on whether a SIP username is valid. This allows remote attackers to enumerate valid usernames. http://downloads.asterisk.org/pub/security/AST-2009-008.html Thanks. -- JB ----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
Hello Steve, vendors, Asterisk upstream has recently published two security advisories: a, SIP responses expose valid usernames http://downloads.asterisk.org/pub/security/AST-2009-008.html This is similar issue to AST-2009-003.html (CVE-2008-3903) http://downloads.asterisk.org/pub/security/AST-2009-003.html But according to the patches: http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt (AST-2009-003) vs http://downloads.asterisk.org/pub/security/AST-2009-008-1.6.1.diff.txt (AST-2009-003) it desires a new CVE id. Could you allocate one? The second issue (b,) already got an CVE id of CVE-2008-7220. b, Cross-site AJAX request vulnerability (CVE-2008-7220) http://downloads.asterisk.org/pub/security/AST-2009-009.html Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request - Asterisk (AST-2009-008.html) Jan Lieskovsky (Nov 05)
- Re: CVE Request - Asterisk (AST-2009-008.html) Josh Bressers (Nov 05)
- Re: CVE Request - Asterisk (AST-2009-008.html) Moritz Muehlenhoff (Nov 07)
- Re: CVE Request - Asterisk (AST-2009-008.html) Alex Legler (Nov 07)