Nico Golde wrote:
> CVE-2007-6430[0]:
> | Due to the way database-based registrations ("realtime")
> | are processed, IP addresses are not checked when the
> | username is correct and there is no password. An
> | attacker may impersonate any user using host-based
> | authentication without a secret, simply by guessing the
> | username of that user. This is limited in scope to
> | administrators who have set up the registration database
> | ("realtime") for authentication and are using only
> | host-based authentication, not passwords. However, both
> | the SIP and IAX protocols are affected.

This is affecting unstable and stable. oldstable is not affected.
I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to unstable probably tomorrow or the day after that.

For stable, I don't think that the vulnerability is serious enough to warrant a DSA. Maybe s-p-u is a better candidate?

Regards,
Faidon
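
Added example, not part of the original message or of Asterisk itself: an audit that lists realtime peers with no secret, which is the configuration the quoted advisory limits the issue to. The table names (`sippeers`, `iaxpeers`), the column names (`name`, `host`, `secret`) and the SQLite sample data are assumptions made for illustration; adapt them to the realtime backend and table mapping actually in use.

```python
import sqlite3

# Assumed realtime table names; adjust to the mapping in your own configuration.
PEER_TABLES = ("sippeers", "iaxpeers")


def peers_without_secret(conn):
    """Return (table, name, host) for every realtime peer that has no secret set."""
    findings = []
    for table in PEER_TABLES:
        # NULL, empty and whitespace-only secrets all count as "no password".
        rows = conn.execute(
            f"SELECT name, host FROM {table} "
            "WHERE COALESCE(TRIM(secret), '') = '' ORDER BY name"
        )
        findings.extend((table, name, host) for name, host in rows)
    return findings


def build_sample_db():
    """Constructed sample data, not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    for table in PEER_TABLES:
        conn.execute(f"CREATE TABLE {table} (name TEXT, host TEXT, secret TEXT)")
    conn.executemany("INSERT INTO sippeers VALUES (?, ?, ?)", [
        ("alice", "192.0.2.10", None),            # host-based only: flagged
        ("bob", "dynamic", "s3cret-constructed"),  # has a secret: not flagged
        ("carol", "192.0.2.11", "  "),            # blank secret: flagged
    ])
    conn.executemany("INSERT INTO iaxpeers VALUES (?, ?, ?)", [
        ("trunk1", "198.51.100.5", ""),           # empty secret: flagged
        ("trunk2", "198.51.100.6", "another-constructed"),
    ])
    return conn


if __name__ == "__main__":
    for table, name, host in peers_without_secret(build_sample_db()):
        print(f"{table}: peer {name!r} (host {host}) has no secret")
```

Peers it reports are the ones to give a secret or to prioritise when scheduling the upgrade.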