Your message dated Thu, 27 Dec 2007 16:17:06 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#457063: fixed in asterisk 1:1.4.16.2~dfsg-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: asterisk Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for asterisk. CVE-2007-6430[0]: | Due to the way database-based registrations ("realtime") | are processed, IP addresses are not checked when the | username is correct and there is no password. An | attacker may impersonate any user using host-based | authentication without a secret, simply by guessing the | username of that user. This is limited in scope to | administrators who have set up the registration database | ("realtime") for authentication and are using only | host-based authentication, not passwords. However, both | the SIP and IAX protocols are affected. If you fix this vulnerability please also include the CVE id in your changelog entry. For further information: [0] http://downloads.digium.com/pub/security/AST-2007-027.html Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgpy7i9sdrTBZ.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: asterisk Source-Version: 1:1.4.16.2~dfsg-1 We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive: asterisk-config_1.4.16.2~dfsg-1_all.deb to pool/main/a/asterisk/asterisk-config_1.4.16.2~dfsg-1_all.deb asterisk-dbg_1.4.16.2~dfsg-1_i386.deb to pool/main/a/asterisk/asterisk-dbg_1.4.16.2~dfsg-1_i386.deb asterisk-dev_1.4.16.2~dfsg-1_all.deb to pool/main/a/asterisk/asterisk-dev_1.4.16.2~dfsg-1_all.deb asterisk-doc_1.4.16.2~dfsg-1_all.deb to pool/main/a/asterisk/asterisk-doc_1.4.16.2~dfsg-1_all.deb asterisk-h323_1.4.16.2~dfsg-1_i386.deb to pool/main/a/asterisk/asterisk-h323_1.4.16.2~dfsg-1_i386.deb asterisk-sounds-main_1.4.16.2~dfsg-1_all.deb to pool/main/a/asterisk/asterisk-sounds-main_1.4.16.2~dfsg-1_all.deb asterisk_1.4.16.2~dfsg-1.diff.gz to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg-1.diff.gz asterisk_1.4.16.2~dfsg-1.dsc to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg-1.dsc asterisk_1.4.16.2~dfsg-1_i386.deb to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg-1_i386.deb asterisk_1.4.16.2~dfsg.orig.tar.gz to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg.orig.tar.gz A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Faidon Liambotis <[EMAIL PROTECTED]> (supplier of updated asterisk package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Fri, 21 Dec 2007 22:38:03 +0200 Source: asterisk Binary: asterisk-sounds-main asterisk-h323 asterisk asterisk-config asterisk-dbg asterisk-dev asterisk-doc Architecture: source all i386 Version: 1:1.4.16.2~dfsg-1 Distribution: unstable Urgency: low Maintainer: Debian VoIP Team <[EMAIL PROTECTED]> Changed-By: Faidon Liambotis <[EMAIL PROTECTED]> Description: asterisk - Open Source Private Branch Exchange (PBX) asterisk-config - Configuration files for Asterisk asterisk-dbg - Debugging symbols for Asterisk asterisk-dev - Development files for Asterisk asterisk-doc - Source code documentation for Asterisk asterisk-h323 - H.323 protocol support for Asterisk asterisk-sounds-main - Core Sound files for Asterisk (English) Closes: 454332 457063 Changes: asterisk (1:1.4.16.2~dfsg-1) unstable; urgency=low . * New upstream release. (Closes: #457063) (Fixes CVE-2007-6430) - Remove keep-1.4-abi, merged upstream. - Adapt hack-multiple-app-voicemail, use-libpri-bristuffed, tos-libcap. - Adapt bristuff patches app-dial-etc, chan-iax2-hangup-cause, app-dial-priority-202, zapata-bri+euroisdn. * Silence upstream's build sum warning but generate one on all modules so that we can enable it at a later point. * Make the init script's detection of a running daemon to be more precise. * Bump Standards-Version to 3.7.3, no changes needed. * Remove modem.conf on upgrades from 1.2 (i.e. etch). (Closes: #454332) * Ressurect long-forgotten logrotate script. Files: d86d9ab49a51e4861d2f61dc0ad52dba 1520 comm optional asterisk_1.4.16.2~dfsg-1.dsc d560a5c85dc3a8509f226f71ecd68b4d 5210662 comm optional asterisk_1.4.16.2~dfsg.orig.tar.gz ba8b4c5e51698b644f2ea71009847de7 177498 comm optional asterisk_1.4.16.2~dfsg-1.diff.gz 4fc615082d586f5196c9b6ef18b9154e 29313240 doc extra asterisk-doc_1.4.16.2~dfsg-1_all.deb 40bcd25de3bf10a11a034bba969026e0 368676 devel extra asterisk-dev_1.4.16.2~dfsg-1_all.deb 36608e881b3b2570702a4d8d37f9bd01 1826270 comm optional asterisk-sounds-main_1.4.16.2~dfsg-1_all.deb 45fe43777da2eb4ad84a46cedc1a3604 423532 comm optional asterisk-config_1.4.16.2~dfsg-1_all.deb 6b1ab041a79bb992721eb00834c60d56 2271514 comm optional asterisk_1.4.16.2~dfsg-1_i386.deb e3f641caf54cb25ab9d02010e27ef1f2 327344 comm optional asterisk-h323_1.4.16.2~dfsg-1_i386.deb 7444a28737722fde82f3c2cb5441445c 12768186 devel extra asterisk-dbg_1.4.16.2~dfsg-1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHc820Vty5d8XpUzMRAoyPAJ4mdm3wFFylDoJja3BMezpaknFOgACdEBE2 5rajD4J3Yik10Tpx0AlHcLY= =GYek -----END PGP SIGNATURE-----
--- End Message ---
