Bug 254304 (CVE-2009-0041) - <net-misc/asterisk-1.2.31.1 Information leak in IAX2 authentication (CVE-2009-0041)
Status: RESOLVED FIXED
Alias: CVE-2009-0041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 249573
Blocks:
Reported: 2009-01-09 12:31 UTC by Bruno Buss
Modified: 2009-05-02 17:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description Bruno Buss 2009-01-09 12:31:40 UTC
"IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts."

Bump to 1.2.31 or just apply this patch:
http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff
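The advisory text above describes a classic user-enumeration oracle: the server's first reply to a registration attempt already differs depending on whether the account exists. The following toy model is an added example written for this page; it is not Asterisk source and not the AST-2009-001 patch. The IAX2 message names (REGREQ, AUTHREQ, REGREJ, REGACK) are the real protocol's, but the peer table, the handler signatures, the `toy_response()` keyed function standing in for the real MD5 challenge/response, and the probe names are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/*
 * Toy model of the IAX2 registration handshake described in the
 * advisory. Illustration code for this page, not Asterisk source.
 * Message names mirror IAX2; everything else is an assumption.
 */

typedef enum { MSG_AUTHREQ, MSG_REGREJ, MSG_REGACK } iax_msg_t;

struct peer {
    const char *name;
    const char *secret;
};

/* constructed sample peer table (assumption, not real config) */
static const struct peer peers[] = {
    { "alice", "s3cret" },
    { "bob",   "hunter2" },
};

static const struct peer *find_peer(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof peers / sizeof peers[0]; i++)
        if (strcmp(peers[i].name, name) == 0)
            return &peers[i];
    return NULL;
}

/* Vulnerable shape: the first reply already says whether the name exists. */
iax_msg_t vuln_handle_regreq(const char *user)
{
    if (!find_peer(user))
        return MSG_REGREJ;      /* immediate reject == "no such user" */
    return MSG_AUTHREQ;         /* challenge only for real users */
}

/* Hardened shape: always challenge; existence is only checked later. */
iax_msg_t fixed_handle_regreq(const char *user)
{
    (void)user;
    return MSG_AUTHREQ;
}

/* Toy keyed function standing in for the real MD5 challenge/response. */
static uint32_t toy_response(uint32_t challenge, const char *secret)
{
    uint32_t h = challenge ^ 0x9e3779b9u;
    for (; *secret; secret++)
        h = (h * 31u) ^ (uint32_t)(unsigned char)*secret;
    return h;
}

/*
 * Second round trip of the hardened handler. "Unknown user" and "wrong
 * response" take the same code path and return the same REGREJ, so the
 * client cannot tell which of the two happened.
 */
iax_msg_t fixed_handle_regauth(const char *user, uint32_t challenge,
                               uint32_t response)
{
    const struct peer *p = find_peer(user);
    /* always compute something, so unknown users do not short-circuit */
    uint32_t expected = toy_response(challenge, p ? p->secret : "");
    if (!p || expected != response)
        return MSG_REGREJ;
    return MSG_REGACK;
}

/*
 * Scanner's view: returns 1 if probing a known and an unknown name
 * yields different first responses, i.e. the server is an oracle.
 */
int oracle_distinguishes(iax_msg_t (*regreq)(const char *),
                         const char *known, const char *unknown)
{
    return regreq(known) != regreq(unknown);
}

int main(void)
{
    printf("vulnerable handler leaks: %d\n",
           oracle_distinguishes(vuln_handle_regreq, "alice", "nobody"));
    printf("fixed handler leaks:      %d\n",
           oracle_distinguishes(fixed_handle_regreq, "alice", "nobody"));
    return 0;
}
```

The point to carry over to real code is the `!p ||` in the second handler: the unknown-user case must be folded into the generic failure after the challenge, not rejected up front, and the rejection message must be byte-for-byte the same one a wrong password produces. A model like this does not cover timing differences, which a production fix would also need to consider.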
Comment 1 Tony Vroon gentoo-dev 2009-03-11 17:48:30 UTC
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
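Review bot: the ChangeLog entry names the Gentoo bugs (#250748, #254304) but not the CVE identifier or the upstream advisory that this bump actually addresses; since this is a security bump, the entry should also cite CVE-2009-0041 and AST-2009-001 so that anyone auditing the tree or writing the GLSA can match the version to the fix without opening the bug. The bundled patches are listed by filename only (`asterisk-1.2.31.1-bri-fixups.diff`, `asterisk-1.2.31.1-svn89254.diff`), so a one-line note per patch saying what it fixes would serve the same purpose.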
Comment 2 Tony Vroon gentoo-dev 2009-03-12 15:18:32 UTC
Arch target keywords:
~alpha amd64 ~hppa ~ppc sparc x86

Ebuild is in tree, have asked for keywording in bug #250748.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:19 UTC
GLSA 200905-01