AST-2011-011: Possible enumeration of SIP users due to differing authentication responses

Possible enumeration of SIP users due to differing authentication responses. Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system. Respond to SIP requests from invalid and valid SIP users in the same way. Asterisk 1.4 and 1.6.2 do not respond identically by default due to backward-compatibility reasons, and must have alwaysauthreject=yes set in sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes. IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4 and 1.6.2 set alwaysauthreject=yes in the general section of sip.conf