Date: Thu, 5 Nov 2009 12:35:09 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request - Asterisk (AST-2009-008.html)

CVE-2009-3727 Asterisk AST-2009-008

    Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, and
    1.6.0.x before 1.6.0.17; Asterisk Business Edition A.x.x, B.x.x before
    B.2.5.12, C.1.x.x before C.2.x.x before C.2.4.5 and C.3.2.2; s800i 1.3.x
    before 1.3.0.5; generate different responses when a specially crafted
    REGISTER message is sent twice depending on whether a SIP username is
    valid. This allows remote attackers to enumerate valid usernames.

    http://downloads.asterisk.org/pub/security/AST-2009-008.html

Thanks.

-- 
    JB

----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:

> Hello Steve, vendors,
> 
>    Asterisk upstream has recently published two security advisories:
> 
> a, SIP responses expose valid usernames
>     http://downloads.asterisk.org/pub/security/AST-2009-008.html
> 
>     This is a similar issue to AST-2009-003.html (CVE-2008-3903)
>     http://downloads.asterisk.org/pub/security/AST-2009-003.html
> 
>     But according to the patches:
> 
>     http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt (AST-2009-003) vs
>     http://downloads.asterisk.org/pub/security/AST-2009-008-1.6.1.diff.txt (AST-2009-003)
> 
>     it deserves a new CVE id. Could you allocate one?
> 
> The second issue (b,) already got a CVE id of CVE-2008-7220.
> 
> b, Cross-site AJAX request vulnerability (CVE-2008-7220)
>     http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
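The CVE text above describes a response oracle: a registrar that answers the second REGISTER (the one carrying the Digest Authorization) differently depending on whether the SIP username exists lets an attacker enumerate accounts without ever knowing a password. The following is an added illustration, not Asterisk code and not taken from the AST-2009-008 patch. It models a toy in-memory registrar in two modes and a probe that sends REGISTER twice with a guessed password and compares the second reply for a known and an unknown user. The status codes used by the toy (401 challenge, then 401 vs 403) and the sample user table are assumptions chosen to show the bug class; the real Asterisk responses are documented in the advisory.

```python
"""Toy SIP registrar showing the username-enumeration oracle class from
AST-2009-008, plus a probe that detects it.

Added example; not Asterisk code. Status codes and the user table are
ASSUMED for illustration only.
"""
import hashlib
import re
import secrets

REALM = "asterisk"
# Constructed sample account table for the toy registrar.
USERS = {"alice": "s3cret"}


def parse_sip(msg):
    """Split a SIP message into (start line, {lowercased header: value})."""
    lines = msg.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def username_from(headers):
    m = re.search(r"sip:([^@>;]+)@", headers.get("from", ""))
    return m.group(1) if m else None


def auth_param(headers, key):
    """Pull one parameter (uri, nonce, response, ...) out of Authorization."""
    m = re.search(r'%s="?([^",]+)"?' % key, headers.get("authorization", ""))
    return m.group(1) if m else None


def digest_response(user, password, method, uri, nonce):
    """RFC 2617 Digest (MD5, no qop) as used by classic SIP registrars."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def response(code, reason, nonce=None):
    r = f"SIP/2.0 {code} {reason}\r\n"
    if nonce:
        r += f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n'
    return r + "\r\n"


class Registrar:
    """leaky=True: unknown users are re-challenged on the second REGISTER
    while known users with a bad password get 403 (the oracle).
    leaky=False: every failed second REGISTER gets the same 403."""

    def __init__(self, users, leaky):
        self.users, self.leaky, self.nonces = users, leaky, {}

    def handle(self, msg):
        start, headers = parse_sip(msg)
        if not start.startswith("REGISTER "):
            return response(405, "Method Not Allowed")
        user = username_from(headers)
        if "authorization" not in headers:        # first REGISTER: challenge
            self.nonces[user] = secrets.token_hex(8)
            return response(401, "Unauthorized", self.nonces[user])
        password, nonce = self.users.get(user), self.nonces.get(user)
        expected = None
        if password is not None and nonce:
            uri = auth_param(headers, "uri") or ""
            expected = digest_response(user, password, "REGISTER", uri, nonce)
        if expected and secrets.compare_digest(expected, auth_param(headers, "response") or ""):
            return response(200, "OK")
        if self.leaky and password is None:
            # Vulnerable path: unknown user is re-challenged instead of refused.
            return response(401, "Unauthorized", secrets.token_hex(8))
        return response(403, "Forbidden")


def register(user, password=None, nonce=None):
    """Build a REGISTER; with a nonce, attach a Digest Authorization header."""
    msg = (f"REGISTER sip:{REALM} SIP/2.0\r\n"
           f"From: <sip:{user}@{REALM}>\r\nTo: <sip:{user}@{REALM}>\r\n")
    if nonce is not None:
        resp = digest_response(user, password, "REGISTER", f"sip:{REALM}", nonce)
        msg += (f'Authorization: Digest username="{user}", realm="{REALM}", '
                f'nonce="{nonce}", uri="sip:{REALM}", response="{resp}"\r\n')
    return msg + "\r\n"


def login_code(server, user, password):
    """Send REGISTER twice (challenge, then answer); return 2nd status code."""
    nonce = re.search(r'nonce="([^"]+)"', server.handle(register(user))).group(1)
    return int(server.handle(register(user, password, nonce)).split()[1])


def leaks_usernames(server, known, unknown):
    """True if a wrong-password attempt answers differently for the two names."""
    guess = "wrong-guess"
    return login_code(server, known, guess) != login_code(server, unknown, guess)


if __name__ == "__main__":
    for leaky in (True, False):
        print("leaky" if leaky else "fixed", "->",
              leaks_usernames(Registrar(USERS, leaky), "alice", "mallory"))
```

The probe never needs a valid password: it only compares the two second-round replies, which is exactly why a fix must make the failure response identical for existing and non-existing accounts (and ideally take the same time) rather than merely hiding the first-round challenge.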
