The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
archives.neohapsis.com/archives/bugtraq/2011-12/0151.html
downloads.asterisk.org/pub/security/AST-2011-013.html
lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html
openwall.com/lists/oss-security/2011/12/09/3
openwall.com/lists/oss-security/2011/12/09/4
osvdb.org/77597
secunia.com/advisories/47273
www.debian.org/security/2011/dsa-2367