Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system. 1.4 branch: Not in portage. 1.6.2 branch: Ebuilds in tree, need stable keywords. 1.8 branch: In portage, vulnerable ebuilds axed, no stable keywords. Arches, please test & stable 1.6.2.18.2. Suggested test procedure is to install the daemon with the default configs and to stop/start the daemon multiple times.
it works!
amd64 stable, thanks Agostino!
=net-misc/asterisk-1.6.2.18.2 seems good here on x86.
x86 stable, thanks Andreas. All arches done.
+ 29 Jun 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.18.1.ebuild: + Remove last vulnerable ebuild in 1.6.2 branch now that stabling has been + completed. For security bug #373409.
Thanks, folks. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml by GLSA coordinator Tim Sammut (underling).
