Debian Bug report logs - #554487
AST-2009-008: SIP responses expose valid usernames


Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk.

Reported by: Mark Purcell <msp@debian.org>

Date: Wed, 4 Nov 2009 20:54:02 UTC

Severity: minor

Tags: security

Found in version asterisk/1:1.4.21.2~dfsg-3

Fixed in versions asterisk/1:1.6.2.0~rc6-1, asterisk/1:1.4.21.2~dfsg-3+lenny1

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554487; Package asterisk. (Wed, 04 Nov 2009 20:54:05 GMT)

Acknowledgement sent to Mark Purcell <msp@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 04 Nov 2009 20:54:05 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: submit@bugs.debian.org
Subject: AST-2009-008: SIP responses expose valid usernames
Date: Thu, 5 Nov 2009 07:38:16 +1100
Package: asterisk
Version: 1:1.4.21.2~dfsg-3
Severity: minor
Tags: security

----------  Forwarded Message  ----------

Subject: [asterisk-announce] AST-2009-008: SIP responses expose valid usernames
Date: Thursday 05 November 2009
From: "Asterisk Security Team" <security@asterisk.org>
To: asterisk-announce@lists.digium.com

               Asterisk Project Security Advisory - AST-2009-008

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SIP responses expose valid usernames            |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Information leak                                |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | October 26, 2009                                |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Patrik Karlsson <patrik AT cqure DOT net>       |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 4, 2009                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp <jcolp AT digium DOT com>           |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | It is possible to determine if a peer with a specific    |
   |             | name is configured in Asterisk by sending a specially    |
   |             | crafted REGISTER message twice. The username that is to  |
   |             | be checked is put in the user portion of the URI in the  |
   |             | To header. A bogus non-matching value is put into the    |
   |             | username portion of the Digest in the Authorization      |
   |             | header. If the peer does exist the second REGISTER will  |
   |             | receive a response of "403 Authentication user name does |
   |             | not match account name". If the peer does not exist the  |
   |             | response will be "404 Not Found" if alwaysauthreject is  |
   |             | disabled and "401 Unauthorized" if alwaysauthreject is   |
   |             | enabled.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | All versions prior to 1.2.35    |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.26.3  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.0.x | All versions prior to 1.6.0.17  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    | 1.6.1.x | All versions prior to 1.6.1.9   |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |      Asterisk Addons       |  1.6.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | All versions                    |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.12  |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | All versions prior to C.2.4.5   |
   |                            |         | and C.3.2.2                     |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |   1.5   | All versions                    |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.2.x  | All versions prior to 1.3.0.5   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.35          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.26.3         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.17         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.1.9          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.12         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.4.5          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.3.2.2          |
   |---------------------------------------------+--------------------------|
   |         S800i (Asterisk Appliance)          |         1.3.0.5          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                            SVN URL                            |Revision|
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.2.diff.txt  |1.2     |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.4.diff.txt  |1.4     |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.6.0.diff.txt|1.6.0   |
   |---------------------------------------------------------------+--------|
   |http://downloads.digium.com/pub/asa/AST-2009-008-1.6.1.diff.txt|1.6.1   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links         |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-008.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-008.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |         Date          |      Editor       |       Revisions Made       |
   |-----------------------+-------------------+----------------------------|
   | November 4, 2009      | Joshua Colp       | Initial release            |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-008
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


-------------------------------------------------------
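A defender's model of the behaviour the advisory describes, added here as an example; it is not part of the bug report, the advisory, or Asterisk's own code. It parses the REGISTER shape from the Description (name under test in the To URI, a non-matching name in the Digest username), reproduces the response logic the Description table states, and checks whether a responder lets an observer tell a configured peer from an unknown one. The hardened responder illustrates the uniform-response principle only and is not the upstream patch; the SIP message, peer names, addresses and realm are constructed.

```python
import re
from typing import Callable, Dict, Set

# The three responses named in the advisory's Description.
R_403_MISMATCH = "403 Authentication user name does not match account name"
R_404 = "404 Not Found"
R_401 = "401 Unauthorized"

# Constructed second REGISTER in the shape the advisory describes: the name under
# test sits in the To URI, a non-matching name in the Digest username. Addresses,
# realm, nonce and the all-zero digest are made up for this example.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.invalid>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 2 REGISTER\r\n"
    "Contact: <sip:1001@192.0.2.10>\r\n"
    'Authorization: Digest username="bogus", realm="asterisk", nonce="1a2b3c", '
    'uri="sip:pbx.example.invalid", response="00000000000000000000000000000000"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

Responder = Callable[[Set[str], str, str, bool], str]


def parse_register(raw: str) -> Dict[str, str]:
    """Return the To-URI user part and the Digest username of a REGISTER.

    Only the two fields the advisory's probe relies on are extracted; a
    missing header yields an empty string rather than an exception.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                          # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    to_user = re.search(r"sip:([^@>;]+)@", headers.get("to", ""))
    auth_user = re.search(r'username="([^"]*)"', headers.get("authorization", ""))
    return {
        "to_user": to_user.group(1) if to_user else "",
        "auth_user": auth_user.group(1) if auth_user else "",
    }


def respond_vulnerable(peers: Set[str], to_user: str, auth_user: str,
                       alwaysauthreject: bool) -> str:
    """Response to the second REGISTER as the advisory describes unfixed Asterisk."""
    if to_user not in peers:
        return R_401 if alwaysauthreject else R_404
    if auth_user != to_user:
        return R_403_MISMATCH     # sent only for configured peers: the leak
    return R_401                  # right name, wrong digest: ordinary challenge


def respond_hardened(peers: Set[str], to_user: str, auth_user: str,
                     alwaysauthreject: bool) -> str:
    """Illustration of the principle behind the fix (not the upstream patch):
    with alwaysauthreject enabled every failed REGISTER gets the same 401,
    whether the peer exists, the Digest name mismatches, or the digest is wrong."""
    if alwaysauthreject:
        return R_401
    if to_user not in peers:
        return R_404              # legacy behaviour, still distinguishable
    return R_401


def leaks_existence(responder: Responder, alwaysauthreject: bool) -> bool:
    """True if a configured peer and an unknown name ever draw different
    responses. Two probe styles are tried: the advisory's mismatched Digest
    username, and a matching username with an invalid digest."""
    peers = {"1001"}
    known, unknown = "1001", "9999"          # constructed peer names
    for mismatch in (True, False):
        r_known = responder(peers, known, "bogus" if mismatch else known, alwaysauthreject)
        r_unknown = responder(peers, unknown, "bogus" if mismatch else unknown, alwaysauthreject)
        if r_known != r_unknown:
            return True
    return False


if __name__ == "__main__":
    print("probe:", parse_register(SAMPLE_REGISTER))
    for name, responder in (("vulnerable", respond_vulnerable), ("hardened", respond_hardened)):
        for aar in (False, True):
            print(f"{name:10s} alwaysauthreject={aar!s:5s} leaks={leaks_existence(responder, aar)}")
```

The check shows that the mismatch path alone is not the whole story: even the hardened responder still distinguishes peers when alwaysauthreject is disabled, so the setting and the code fix are both needed.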

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554487; Package asterisk. (Wed, 04 Nov 2009 21:15:05 GMT)

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 04 Nov 2009 21:15:05 GMT)

Message #10 received at 554487@bugs.debian.org (full text, mbox):

From: Faidon Liambotis <paravoid@debian.org>
To: security@debian.org
Cc: 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: New asterisk vulnerabilities
Date: Wed, 04 Nov 2009 23:09:48 +0200
Security Team, hi,

Two new asterisk vulnerabilities were announced today, affecting lenny
and unstable; the first one affects also etch.

http://downloads.asterisk.org/pub/security/AST-2009-008.html
http://downloads.asterisk.org/pub/security/AST-2009-009.html

No CVE numbers yet.

These are tracked in Debian BTS as #554487 and #554486, respectively.

My opinion is that these are relatively minor. My plan is:
- for lenny, fixing them in an s-p-u upload (along with some other
  stacked up fixes)
- for sid, fixing them with the next upload, whenever that is,
- for etch, not fixing them but announcing an EoL of its security support
  due to other vulnerabilities, as previously agreed with Moritz.

Let me know if you disagree with any of the above.

Thanks,
Faidon




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554487; Package asterisk. (Sat, 07 Nov 2009 17:39:10 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 07 Nov 2009 17:39:10 GMT)

Message #15 received at 554487@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: security@debian.org, 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: Re: New asterisk vulnerabilities
Date: Sat, 7 Nov 2009 18:15:55 +0100
On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
> Security Team, hi,
> 
> Two new asterisk vulnerabilities were announced today, affecting lenny
> and unstable; the first one affects also etch.
> 
> http://downloads.asterisk.org/pub/security/AST-2009-008.html
> http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> No CVE numbers yet.

AST-2009-008 is CVE-2009-3727; the ID for AST-2009-008 in the advisory
is wrong/duped.

> These are tracked in Debian BTS as #554487 and #554486, respectively.
> 
> My opinion is that these are relatively minor. My plan is:
> - for lenny, fixing them in an s-p-u upload (along with some other
>   stacked up fixes)
> - for sid, fixing them with the next upload, whenever is that,
> - for etch, not fixing them but announce an EoL of its security support
>   due to other vulnerabilities, as previously agreed with Moritz.
> 
> Let me know if you disagree with any of the above.

Agreed and added to the Security Tracker.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554487; Package asterisk. (Sun, 08 Nov 2009 19:57:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 08 Nov 2009 19:57:05 GMT)

Message #20 received at 554487@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: security@debian.org, 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: Re: New asterisk vulnerabilities
Date: Sun, 8 Nov 2009 20:53:40 +0100
On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
> Security Team, hi,
> 
> Two new asterisk vulnerabilities were announced today, affecting lenny
> and unstable; the first one affects also etch.
> 
> http://downloads.asterisk.org/pub/security/AST-2009-008.html
> http://downloads.asterisk.org/pub/security/AST-2009-009.html

This one is about a prototypejs issue, which is included in
Asterisk and which was fixed in the prototypejs Debian package
in 1.6.0.2-1. Since the code was removed since 1:1.6.2.0~rc3-1,
it should already be fixed, am I correct?

Cheers,
       Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#554487; Package asterisk. (Sun, 08 Nov 2009 20:42:08 GMT)

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 08 Nov 2009 20:42:08 GMT)

Message #25 received at 554487@bugs.debian.org (full text, mbox):

From: Faidon Liambotis <paravoid@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: security@debian.org, 554487@bugs.debian.org, 554486@bugs.debian.org
Subject: Re: New asterisk vulnerabilities
Date: Sun, 08 Nov 2009 22:06:30 +0200
Moritz Muehlenhoff wrote:
> On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
>> Security Team, hi,
>>
>> Two new asterisk vulnerabilities were announced today, affecting lenny
>> and unstable; the first one affects also etch.
>>
>> http://downloads.asterisk.org/pub/security/AST-2009-008.html
>> http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> This one is about a prototypejs issue, which is included in
> Asterisk and which was fixed in the prototypejs Debian package
> in 1.6.0.2-1. Since the code was removed since 1:1.6.2.0~rc3-1,
> it should already be fixed, am I correct?
Yes, it is mentioned in the 1:1.6.2.0~rc3-1 changelog:

* Stop shipping old static-http code in examples. Among other things, it
  includes a vulnerable version of the prototype Javascript library.

I've the same change in the lenny upload I'm preparing, although I'm less
than happy with the fact that users who have already copied this from the
examples to their web root will still be vulnerable.

Thanks,
Faidon




Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Mon, 16 Nov 2009 04:36:06 GMT)

Notification sent to Mark Purcell <msp@debian.org>:
Bug acknowledged by developer. (Mon, 16 Nov 2009 04:36:06 GMT)

Message #30 received at 554487-close@bugs.debian.org (full text, mbox):

From: Faidon Liambotis <paravoid@debian.org>
To: 554487-close@bugs.debian.org
Subject: Bug#554487: fixed in asterisk 1:1.6.2.0~rc6-1
Date: Mon, 16 Nov 2009 04:32:40 +0000
Source: asterisk
Source-Version: 1:1.6.2.0~rc6-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.0~rc6-1_all.deb
  to main/a/asterisk/asterisk-config_1.6.2.0~rc6-1_all.deb
asterisk-dbg_1.6.2.0~rc6-1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.0~rc6-1_i386.deb
asterisk-dev_1.6.2.0~rc6-1_all.deb
  to main/a/asterisk/asterisk-dev_1.6.2.0~rc6-1_all.deb
asterisk-doc_1.6.2.0~rc6-1_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.0~rc6-1_all.deb
asterisk-h323_1.6.2.0~rc6-1_i386.deb
  to main/a/asterisk/asterisk-h323_1.6.2.0~rc6-1_i386.deb
asterisk-sounds-main_1.6.2.0~rc6-1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.0~rc6-1_all.deb
asterisk_1.6.2.0~rc6-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.0~rc6-1.debian.tar.gz
asterisk_1.6.2.0~rc6-1.dsc
  to main/a/asterisk/asterisk_1.6.2.0~rc6-1.dsc
asterisk_1.6.2.0~rc6-1_i386.deb
  to main/a/asterisk/asterisk_1.6.2.0~rc6-1_i386.deb
asterisk_1.6.2.0~rc6.orig.tar.gz
  to main/a/asterisk/asterisk_1.6.2.0~rc6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 554487@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 16 Nov 2009 06:10:10 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.2.0~rc6-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 463983 554487
Changes: 
 asterisk (1:1.6.2.0~rc6-1) unstable; urgency=low
 .
   * New upstream release candidate.
     - Drop patches/AST-2009-007, included upstream.
     - Drop patches/configure-armel, merged upstream.
     - Fixes security-related information leak (SIP responses expose valid
       usernames), fixes AST-2009-008. (Closes: #554487)
   * Switch to the "3.0 (quilt)" package source format.
   * Create the /usr/share/asterisk/agi-bin directory. (Closes: #463983)
   * Stop shipping the refcounter tool since the required debugging
     compile-time switch is not enabled in our builds.






Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Wed, 16 Dec 2009 23:33:10 GMT)

Notification sent to Mark Purcell <msp@debian.org>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 23:33:10 GMT)

Message #35 received at 554487-close@bugs.debian.org (full text, mbox):

From: Faidon Liambotis <paravoid@debian.org>
To: 554487-close@bugs.debian.org
Subject: Bug#554487: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny1
Date: Wed, 16 Dec 2009 23:32:30 +0000
Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.dsc
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 554487@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 14 Dec 2009 01:11:44 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.21.2~dfsg-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 522528 554486 554487 559103
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny1) stable-security; urgency=high
 .
   * Multiple security fixes:
     - "Information leak in IAX2 authentication", AST-2009-001, CVE-2009-0041.
     - "Remote Crash Vulnerability in SIP channel driver", AST-2009-002.
     - "SIP responses expose valid usernames", AST-2009-003, CVE-2008-3903.
       (Closes: #522528)
     - "SIP responses expose valid usernames", AST-2009-008, CVE-2009-3727.
       (Closes: #554487)
     - Stop shipping old static-http code in examples. Among other things, it
       includes a vulnerable version of the prototype Javascript library.
       AST-2009-009, CVE-2008-7220. (Closes: #554486)
     - "RTP Remote Crash Vulnerability", AST-2009-010, CVE-2009-4055.
       (Closes: #559103)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jan 2010 07:48:40 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:44:16 2014; Machine Name: buxtehude.debian.org
