Dec 15, 2009

asterisk - several vulnerabilities

Several vulnerabilities have been discovered in asterisk, an Open Source
PBX and telephony toolkit. The Common Vulnerabilities and Exposures
project identifies the following problems:

  • CVE-2009-0041
    It is possible to determine valid login names via probing, due to the
    IAX2 response from asterisk (AST-2009-001).
  • CVE-2008-3903
    It is possible to determine a valid SIP username, when Digest
    authentication and authalwaysreject are enabled (AST-2009-003).
  • CVE-2009-3727
    It is possible to determine a valid SIP username via multiple crafted
    REGISTER messages (AST-2009-008).
  • CVE-2008-7220 CVE-2007-2383
    It was discovered that asterisk contains an obsolete copy of the
    Prototype JavaScript framework, which is vulnerable to several security
    issues. This copy is unused and has now been removed from asterisk.
  • CVE-2009-4055
    It was discovered that it is possible to perform a denial of service
    attack via an RTP comfort noise payload with a long data length.
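
The three username-enumeration issues above (AST-2009-001, AST-2009-003 and AST-2009-008) all come down to a remote party learning which account names exist from differing server responses. As an added example, not part of this advisory or of asterisk itself, the following Python script groups failed-registration log lines by source address and flags any source that cycles through many distinct usernames; it also reports whether the server handed out more than one failure reason, which is the kind of response difference these issues exploit. The log line format and the sample lines are constructed here and only assumed to resemble the SIP registration failure messages older asterisk releases wrote to their log; adjust LINE_RE to match your own logs.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the advisory). The format is an
# assumption modelled on the "Registration from ... failed" notices older
# asterisk releases logged from chan_sip; addresses are documentation ranges.
SAMPLE_LOG = """\
[Dec 15 00:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '203.0.113.7' - No matching peer found
[Dec 15 00:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.7' - No matching peer found
[Dec 15 00:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '203.0.113.7' - No matching peer found
[Dec 15 00:00:02] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@pbx.example>' failed for '203.0.113.7' - Wrong password
[Dec 15 00:00:03] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@pbx.example>' failed for '203.0.113.7' - No matching peer found
[Dec 15 00:00:05] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@pbx.example>' failed for '198.51.100.9' - Wrong password
[Dec 15 00:00:06] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@pbx.example>' failed for '198.51.100.9' - Wrong password
"""

# Captures the attempted username, the source address and the failure reason.
LINE_RE = re.compile(
    r"Registration from '\"(?P<user>[^\"]*)\"[^']*' failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)

IPV4_WITH_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def parse_failures(log_text):
    """Yield (source_ip, username, reason) for every failed registration line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        port_match = IPV4_WITH_PORT.match(src)
        if port_match:                     # some builds log "addr:port"; keep only the address
            src = port_match.group(1)
        yield src, m.group("user"), m.group("reason")


def find_enumeration(log_text, min_distinct_users=4):
    """Return {source_ip: {"users": n, "reasons": [...]}} for each source that
    tried at least min_distinct_users different usernames. A source that sees
    more than one distinct reason is being given a username oracle."""
    users = defaultdict(set)
    reasons = defaultdict(set)
    for src, user, reason in parse_failures(log_text):
        users[src].add(user)
        reasons[src].add(reason)
    return {
        src: {"users": len(names), "reasons": sorted(reasons[src])}
        for src, names in users.items()
        if len(names) >= min_distinct_users
    }


if __name__ == "__main__":
    for src, info in find_enumeration(SAMPLE_LOG).items():
        oracle = "response differs by username" if len(info["reasons"]) > 1 else "uniform response"
        print("%s: %d distinct usernames (%s)" % (src, info["users"], oracle))
```

Run against real logs, the "response differs by username" finding is the actionable one: it means the server's failure replies still distinguish unknown accounts from bad passwords, so the fix is on the server side, not just blocking the source.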
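
For the comfort-noise issue (CVE-2009-4055), the defensive point is that an RTP decoder must check the RFC 3389 payload length against the buffer it copies into before doing the copy. As an added example, not asterisk's own code, this Python fragment parses an RTP header, dispatches on the static comfort-noise payload type 13, and rejects payloads longer than a fixed limit instead of processing them. MAX_CN_PAYLOAD, the helper names and the test packets are assumptions constructed for the example; the 24-byte limit is illustrative and not a figure taken from the advisory.

```python
import struct

RTP_PT_COMFORT_NOISE = 13   # static payload type for CN (RFC 3551 / RFC 3389)
MAX_CN_PAYLOAD = 24         # illustrative decoder buffer size (assumption for this example)


class RtpError(ValueError):
    """Raised for packets the decoder refuses to process."""


def parse_rtp(packet):
    """Split an RTP packet (RFC 3550) into header fields and payload bytes."""
    if len(packet) < 12:
        raise RtpError("packet shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise RtpError("unsupported RTP version %d" % (b0 >> 6))
    csrc_count = b0 & 0x0F
    has_extension = bool(b0 & 0x10)
    has_padding = bool(b0 & 0x20)
    offset = 12 + 4 * csrc_count
    if has_extension:
        if len(packet) < offset + 4:
            raise RtpError("truncated header extension")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    if len(packet) < offset:
        raise RtpError("truncated CSRC list or extension")
    payload = packet[offset:]
    if has_padding:
        # Last byte gives the padding length, which includes itself.
        if not payload or payload[-1] == 0 or payload[-1] > len(payload):
            raise RtpError("invalid padding length")
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def decode_comfort_noise(payload, max_len=MAX_CN_PAYLOAD):
    """Validate an RFC 3389 CN payload (one noise-level byte, then optional
    reflection coefficients) and refuse anything that would overrun the
    decoder's fixed buffer rather than copying it blindly."""
    if len(payload) < 1:
        raise RtpError("empty comfort noise payload")
    if len(payload) > max_len:
        raise RtpError("comfort noise payload of %d bytes exceeds limit of %d"
                       % (len(payload), max_len))
    level = payload[0] & 0x7F          # noise level, in -dBov
    return {"level_dbov": -level, "coefficients": list(payload[1:])}


def handle_rtp(packet):
    """Decode CN packets; other payload types are passed through (None here)."""
    hdr = parse_rtp(packet)
    if hdr["pt"] == RTP_PT_COMFORT_NOISE:
        return decode_comfort_noise(hdr["payload"])
    return None


def is_accepted(packet):
    """True if the packet passes header parsing and, for CN, payload validation."""
    try:
        handle_rtp(packet)
        return True
    except RtpError:
        return False


def make_test_packet(pt, payload, seq=1, ts=0, ssrc=0x1234):
    """Constructed test input only: minimal RTP v2 header, no CSRCs/extension."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + payload


GOOD_CN = make_test_packet(13, bytes([0x20, 0x05, 0x07]))   # -32 dBov, two coefficients
OVERLONG_CN = make_test_packet(13, bytes(200))               # oversized data, the DoS shape
PCMU_AUDIO = make_test_packet(0, bytes(160))                 # ordinary audio frame, not CN

if __name__ == "__main__":
    print("good CN accepted:", is_accepted(GOOD_CN))
    print("overlong CN accepted:", is_accepted(OVERLONG_CN))
```

The length check sits in decode_comfort_noise rather than at the socket, so the same guard applies whether the packet arrives via a normal RTP stream or through any other path that hands the decoder a payload.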

The current version in oldstable is not supported by upstream anymore
and is affected by several security issues. Backporting fixes for these
and any future issues has become unfeasible and therefore we need to
drop our security support for the version in oldstable. We recommend
that all asterisk users upgrade to the stable distribution (lenny).

For the stable distribution (lenny), these problems have been fixed in
version 1:

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:

We recommend that you upgrade your asterisk packages.