oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request - Asterisk (AST-2009-008.html)

From: Josh Bressers <bressers () redhat com>
Date: Thu, 5 Nov 2009 12:35:09 -0500 (EST)
CVE-2009-3727 Asterisk AST-2009-008

    Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, and
    1.6.0.x before 1.6.0.17; Asterisk Business Edition A.x.x, B.x.x before
    B.2.5.12, C.1.x.x before C.2.x.x before C.2.4.5 and C.3.2.2; s800i 1.3.x
    before 1.3.0.5; Generates different responses when a specially crafted
    REGISTER message is sent twice depending on whether a SIP username is
    valid. This allows remote attackers to enumerate valid usernames.

    http://downloads.asterisk.org/pub/security/AST-2009-008.html

Thanks.

-- 
    JB

----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:


Hello Steve, vendors,

   Asterisk upstream has recently published two security advisories:

a, SIP responses expose valid usernames
    http://downloads.asterisk.org/pub/security/AST-2009-008.html

    This is similar issue to AST-2009-003.html (CVE-2008-3903)
    http://downloads.asterisk.org/pub/security/AST-2009-003.html

    But according to the patches:

    http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt
(AST-2009-003) vs
   
http://downloads.asterisk.org/pub/security/AST-2009-008-1.6.1.diff.txt
(AST-2009-003)

    it desires a new CVE id. Could you allocate one?

The second issue (b,) already got an CVE id of CVE-2008-7220.

b, Cross-site AJAX request vulnerability (CVE-2008-7220)
    http://downloads.asterisk.org/pub/security/AST-2009-009.html

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: