Re: asterisk stable update for CVE-2009-0041
On Sun, Apr 26, 2009 at 03:40:35PM +0200, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk some time ago.
> | IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
> | 1.4.23-rc4, and 1.6.x before 220.127.116.11-rc2; Business Edition A.x.x,
> | B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
> | C.18.104.22.168; and s800i 1.2.x before 1.3.0 responds differently to a
> | failed login attempt depending on whether the user account exists,
> | which allows remote attackers to enumerate valid usernames.
> Unfortunately, the vulnerability described above is not important enough
> to get it fixed via a regular security update in Debian stable. It does
> not warrant a DSA.
> This is Debian bug #513413.
> However it would be nice if this could get fixed via a regular point update.
> Please contact the release team for this.
This, as well as CVE-2008-3903, are fixed in the SVN (branches/etch ,