Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 254304 (CVE-2009-0041) - <net-misc/asterisk- Information leak in IAX2 authentication (CVE-2009-0041)
Summary: <net-misc/asterisk- Information leak in IAX2 authentication (CVE-2009...
Alias: CVE-2009-0041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on: 249573
  Show dependency tree
Reported: 2009-01-09 12:31 UTC by Bruno Buss
Modified: 2009-05-02 17:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Bruno Buss 2009-01-09 12:31:40 UTC
"IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts."

Bump to 1.2.31 ou just apply this patch:
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2009-03-11 17:48:30 UTC
+*asterisk- (11 Mar 2009)
+  11 Mar 2009; <>
+  +files/1.2.0/asterisk-,
+  +files/1.2.0/asterisk-,
+  +files/1.2.0/asterisk-, +asterisk-
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2009-03-12 15:18:32 UTC
Arch target keywords:
~alpha amd64 ~hppa ~ppc sparc x86

Ebuild is in tree, have asked for keywording in bug #250748.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:19 UTC
GLSA 200905-01