Nico Golde <[EMAIL PROTECTED]> wrote:

Hi,

> CVE-2007-5469[0]:
> | OpenSER 1.2.2 does not verify the Digest authentication header URI
> | against the Request URI in SIP messages, which allows remote attackers
> | to use sniffed Digest authentication credentials to call arbitrary
> | telephone numbers or spoof caller ID (aka "toll fraud and
> | authentication forward attack").

I can dig up the patch mentioned on full-disclosure, but it's only
one part of the solution. The user needs to add the required logic in
their config to actually "fix" the problem.

Also it's not clear yet whether this also applies to OpenSER < 1.2,
though the post on full-disclosure seems to imply that all versions
prior to SVN 20071004 are affected.

JB.

-- 
 Julien BLACHE - Debian & GNU/Linux Developer - <[EMAIL PROTECTED]> 
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 
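
The check Julien says has to be added on the config side, modelled here as an added example that is neither OpenSER's code nor the full-disclosure patch: a small Python stand-in for a SIP proxy that verifies a Digest Proxy-Authorization header, first the way the advisory describes (digest only, so the header's own uri= parameter is trusted) and then with the uri= parameter compared against the Request-URI. The user, password, nonce and both INVITE messages are constructed for the example; the OpenSER config syntax for the same comparison is not reproduced here.

```python
import hashlib
import re

# Constructed credential store: username -> (realm, password). Example only.
USERS = {"alice": ("example.com", "s3cret")}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_request(raw: str):
    """Split a SIP request into (method, request_uri, headers); first value of each header wins."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, request_uri, headers


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict of lower-cased parameter names."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    # HA2 binds the digest to the uri= value *inside the header*, not to the
    # Request-URI on the request line. That gap is the whole CVE.
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def check_auth(raw: str, check_uri: bool):
    """Return (accepted, reason). check_uri=False reproduces the vulnerable behaviour."""
    method, request_uri, headers = parse_request(raw)
    hdr = headers.get("proxy-authorization") or headers.get("authorization")
    if hdr is None:
        return False, "no credentials"
    p = parse_digest(hdr)
    creds = USERS.get(p.get("username"))
    if creds is None or creds[0] != p.get("realm"):
        return False, "unknown user/realm"
    expected = digest_response(p["username"], p["realm"], creds[1],
                               method, p["uri"], p["nonce"])
    if expected != p.get("response"):
        return False, "bad digest"
    # The fix: the URI the client signed must be the URI it is actually asking for.
    if check_uri and p["uri"] != request_uri:
        return False, "digest uri does not match Request-URI"
    return True, "ok"


NONCE = "4e3a9f1b"   # constructed; a real proxy issues it in its 407 challenge


def build_invite(request_uri: str, from_uri: str, auth_header: str) -> str:
    """Constructed INVITE with the fields the example needs."""
    return (f"INVITE {request_uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
            f"From: <{from_uri}>;tag=1928\r\n"
            f"To: <{request_uri}>\r\n"
            f"Call-ID: a84b4c76e66710\r\n"
            f"CSeq: 2 INVITE\r\n"
            f"Proxy-Authorization: {auth_header}\r\n"
            f"Content-Length: 0\r\n\r\n")


LEGIT_URI = "sip:bob@example.com"
RESPONSE = digest_response("alice", "example.com", "s3cret", "INVITE", LEGIT_URI, NONCE)
AUTH = (f'Digest username="alice", realm="example.com", nonce="{NONCE}", '
        f'uri="{LEGIT_URI}", response="{RESPONSE}", algorithm=MD5')

# Alice's genuine call, as an attacker on the path would sniff it.
LEGIT = build_invite(LEGIT_URI, "sip:alice@example.com", AUTH)
# The replay: same header byte for byte, but the request line now dials a
# premium number and the From header claims someone else. Neither field is
# covered by the digest, hence "toll fraud" and "spoof caller ID" in the CVE text.
REPLAY = build_invite("sip:+1900555000@pstn-gw.example.com", "sip:ceo@example.com", AUTH)

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("replay", REPLAY)):
        print(label, "vulnerable:", check_auth(msg, check_uri=False),
              "fixed:", check_auth(msg, check_uri=True))
```

With check_uri=False the replayed INVITE passes, because the digest still verifies over the sniffed uri= value; with the comparison in place it is refused before routing. Two caveats a practitioner would add: a short nonce lifetime narrows the replay window but does not close it, since the attacker on the wire can replay immediately; and caller-ID spoofing additionally needs the From (or asserted identity) user checked against the authenticated username, which the digest check alone does not give you.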
