Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

2007-12-19 Thread Nico Golde
Package: asterisk
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.

CVE-2007-6430[0]:
| Due to the way database-based registrations (realtime)
| are processed, IP addresses are not checked when the
| username is correct and there is no password. An
| attacker may impersonate any user using host-based
| authentication without a secret, simply by guessing the
| username of that user. This is limited in scope to
| administrators who have set up the registration database
| (realtime) for authentication and are using only
| host-based authentication, not passwords. However, both
| the SIP and IAX protocols are affected.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://downloads.digium.com/pub/security/AST-2007-027.html

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


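The advisory text quoted above describes a configuration pattern rather than a single bug: a peer whose authentication is host-based (a fixed host= address) with no secret, served from the realtime database, where the address check is skipped. As an added example that is not part of this bug report or of the Asterisk project, here is a small Python audit that flags such entries both in sip.conf-style text and in rows fetched from a realtime peer table. The sample config and rows are constructed for the example; the column names (name, host, secret, md5secret) follow the sip.conf option names, and how the rows are fetched from the database is left to the reader.

```python
"""Audit Asterisk SIP peer definitions for host-only authentication.

Flags peers that rely on a fixed host= address and carry neither a
secret nor an md5secret. For realtime (database-backed) peers these are
the entries CVE-2007-6430 concerns: the address check is skipped, so the
peer is effectively unauthenticated. Works on sip.conf-style text and on
rows from a realtime table (sippeers/sipusers), represented as dicts
keyed by column name.

This is an added example, not code from the bug report or from Asterisk.
"""
import configparser


def parse_sip_conf(text):
    """Turn sip.conf-style text into a list of peer dicts, one per section.

    Keys are lower-cased by configparser, matching sip.conf option names.
    strict=False tolerates repeated options (allow=, disallow=); the last
    value wins, which is enough for the fields this audit looks at.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.read_string(text)
    rows = []
    for section in cp.sections():
        if section == "general":
            continue  # [general] holds channel-wide settings, not a peer
        row = {"name": section}
        row.update(dict(cp.items(section)))
        rows.append(row)
    return rows


def host_only_auth(row):
    """True when the peer is authenticated by a fixed host only."""
    host = (row.get("host") or "").strip().lower()
    if not host or host == "dynamic":
        return False  # dynamic peers register; no fixed-host authentication
    if row.get("secret") or row.get("md5secret"):
        return False  # a shared secret is required in addition to the host
    return True


def audit(rows):
    """Return the names of peers that rely on host-only authentication."""
    return [row["name"] for row in rows if host_only_auth(row)]


# Constructed sample sip.conf (not a real deployment).
SAMPLE_SIP_CONF = """
[general]
context=default

; host-based authentication with no secret: flagged
[trunk-hostonly]
type=peer
host=192.0.2.10
context=from-trunk

; host-based authentication plus a secret: not flagged
[trunk-secret]
type=peer
host=192.0.2.11
secret=example-secret-1

; dynamic registration with a secret: not flagged
[phone-100]
type=friend
host=dynamic
secret=example-secret-2
"""

# Constructed rows standing in for a realtime sippeers table.
SAMPLE_REALTIME_ROWS = [
    {"name": "db-trunk-hostonly", "type": "peer", "host": "198.51.100.5", "secret": None},
    {"name": "db-trunk-secret", "type": "peer", "host": "198.51.100.6", "secret": "example-secret-3"},
    {"name": "db-phone-200", "type": "friend", "host": "dynamic", "secret": "example-secret-4"},
]


if __name__ == "__main__":
    print("sip.conf peers with host-only auth:", audit(parse_sip_conf(SAMPLE_SIP_CONF)))
    print("realtime peers with host-only auth:", audit(SAMPLE_REALTIME_ROWS))
```

The audit treats a missing or empty secret as the weak case regardless of where the peer comes from; on a flat-file install a host-only peer is still only as strong as the address check, so the same list is worth reviewing there too, but the advisory's point is that for realtime peers that check did not happen at all.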


Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

2007-12-19 Thread Faidon Liambotis
Nico Golde wrote:
> CVE-2007-6430[0]:
> | Due to the way database-based registrations (realtime)
> | are processed, IP addresses are not checked when the
> | username is correct and there is no password. An
> | attacker may impersonate any user using host-based
> | authentication without a secret, simply by guessing the
> | username of that user. This is limited in scope to
> | administrators who have set up the registration database
> | (realtime) for authentication and are using only
> | host-based authentication, not passwords. However, both
> | the SIP and IAX protocols are affected.
This is affecting unstable and stable. oldstable is not affected.

I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
unstable probably tomorrow or the day after that.

For stable, I don't think that the vulnerability is serious enough to
warrant a DSA. Maybe s-p-u is a better candidate?

Regards,
Faidon



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

2007-12-19 Thread Moritz Muehlenhoff
On Wed, Dec 19, 2007 at 08:52:10PM +0200, Faidon Liambotis wrote:
> Nico Golde wrote:
> > CVE-2007-6430[0]:
> > | Due to the way database-based registrations (realtime)
> > | are processed, IP addresses are not checked when the
> > | username is correct and there is no password. An
> > | attacker may impersonate any user using host-based
> > | authentication without a secret, simply by guessing the
> > | username of that user. This is limited in scope to
> > | administrators who have set up the registration database
> > | (realtime) for authentication and are using only
> > | host-based authentication, not passwords. However, both
> > | the SIP and IAX protocols are affected.
> This is affecting unstable and stable. oldstable is not affected.
>
> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> unstable probably tomorrow or the day after that.
>
> For stable, I don't think that the vulnerability is serious enough to
> warrant a DSA.

I agree that a DSA is not warranted.

> Maybe s-p-u is a better candidate?

s-p-u handling is sluggish, the next asterisk DSA will likely
appear before it enters the next point release.

A more serious asterisk issue will surely appear, so let's just
postpone it.

Cheers,
Moritz







Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

2007-12-19 Thread Nico Golde
Hi Faidon,
* Faidon Liambotis [EMAIL PROTECTED] [2007-12-19 20:18]:
> Nico Golde wrote:
> > CVE-2007-6430[0]:
> > | Due to the way database-based registrations (realtime)
> > | are processed, IP addresses are not checked when the
> > | username is correct and there is no password. An
> > | attacker may impersonate any user using host-based
> > | authentication without a secret, simply by guessing the
> > | username of that user. This is limited in scope to
> > | administrators who have set up the registration database
> > | (realtime) for authentication and are using only
> > | host-based authentication, not passwords. However, both
> > | the SIP and IAX protocols are affected.
> This is affecting unstable and stable. oldstable is not affected.
>
> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> unstable probably tomorrow or the day after that.
[...] 
Sounds good, thanks for taking care of it.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#457063: asterisk: CVE-2007-6430 remote unauthenticated sessions

2007-12-19 Thread Luk Claes
Moritz Muehlenhoff wrote:
> On Wed, Dec 19, 2007 at 08:52:10PM +0200, Faidon Liambotis wrote:
> > Nico Golde wrote:
> > > CVE-2007-6430[0]:
> > > | Due to the way database-based registrations (realtime)
> > > | are processed, IP addresses are not checked when the
> > > | username is correct and there is no password. An
> > > | attacker may impersonate any user using host-based
> > > | authentication without a secret, simply by guessing the
> > > | username of that user. This is limited in scope to
> > > | administrators who have set up the registration database
> > > | (realtime) for authentication and are using only
> > > | host-based authentication, not passwords. However, both
> > > | the SIP and IAX protocols are affected.
> > This is affecting unstable and stable. oldstable is not affected.
> >
> > I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> > unstable probably tomorrow or the day after that.
> >
> > For stable, I don't think that the vulnerability is serious enough to
> > warrant a DSA.
>
> I agree that a DSA is not warranted.
>
> > Maybe s-p-u is a better candidate?
>
> s-p-u handling is sluggish, the next asterisk DSA will likely
> appear before it enters the next point release.

Please don't denigrate SRM.

The next point release is planned to happen before the end of the year
or early next year. It's true that it took a long time, though it's not
because we were sluggish. There were some issues with the team's
internals. When they got solved ries crashed and we had to start from
scratch due to no backup being available, which we had requested for more
than one year. Apparently the backup was not planned because of some backup
policy no one knew about. Those three problems are fixed in the meantime,
so without any unforeseeable misfortune a release will happen very soon.

Cheers

Luk


