Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 254304 (CVE-2009-0041)

Summary: <net-misc/asterisk-1.2.31.1 Information leak in IAX2 authentication (CVE-2009-0041)
Product: Gentoo Security Reporter: Bruno Buss <bruno.buss>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chainsaw, rajiv, voip+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://downloads.digium.com/pub/security/AST-2009-001.html
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 249573    
Bug Blocks:    

Description Bruno Buss 2009-01-09 12:31:40 UTC 
"IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts."

Bump to 1.2.31 ou just apply this patch:
http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2009-03-11 17:48:30 UTC 
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2009-03-12 15:18:32 UTC 
Arch target keywords:
~alpha amd64 ~hppa ~ppc sparc x86

Ebuild is in tree, have asked for keywording in bug #250748.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:19 UTC 
GLSA 200905-01