asterisk - several vulnerabilities

Several vulnerabilities have been discovered in asterisk, an Open Source
PBX and telephony toolkit. The Common Vulnerabilities and Exposures
project identifies the following problems:

• CVE-2009-0041
  It is possible to determine valid login names via probing, due to the
  IAX2 response from asterisk (AST-2009-001).
• CVE-2008-3903
  It is possible to determine a valid SIP username, when Digest
  authentication and authalwaysreject are enabled (AST-2009-003).
• CVE-2009-3727
  It is possible to determine a valid SIP username via multiple crafted
  REGISTER messages (AST-2009-008).
• CVE-2008-7220 CVE-2007-2383
  It was discovered that asterisk contains an obsolete copy of the
  Prototype JavaScript framework, which is vulnerable to several security
  issues. This copy is unused and now removed from asterisk
  (AST-2009-009).
• CVE-2009-4055
  It was discovered that it is possible to perform a denial of service
  attack via RTP comfort noise payload with a long data length
  (AST-2009-010).

The current version in oldstable is not supported by upstream anymore
and is affected by several security issues. Backporting fixes for these
and any future issues has become unfeasible and therefore we need to
drop our security support for the version in oldstable. We recommend
that all asterisk users upgrade to the stable distribution (lenny).

For the stable distribution (lenny), these problems have been fixed in
version 1:1.4.21.2~dfsg-3+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:1.6.2.0~rc7-1.

We recommend that you upgrade your asterisk packages.