Your message dated Tue, 19 May 2009 23:17:35 +0000
with message-id <e1m6yyx-0006zs...@ries.debian.org>
and subject line Bug#522528: fixed in asterisk 1:1.6.1.0~dfsg-1
has caused the Debian Bug report #522528,
regarding AST-2009-003: SIP responses expose valid usernames
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
522528: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
version: 1:1.4.21.2~dfsg-3
Severity: grave
Tags: patch
The Asterisk Project has issued the following advisory:
http://downloads.digium.com/pub/asa/AST-2009-003.html
It affects the versions in oldstable (1.2.13), stable/testing/unstable
(1.4.21) and experimental (1.6.1-rc3. rc4, fixing this should be
released shortly).
CVE entry: CVE-2008-3903
I'd like to include here the text of the advisory, as I believe it is
worth restating:
In 2006, the Asterisk maintainers made it more difficult to scan for
valid SIP usernames by implementing an option called
"alwaysauthreject", which should return a 401 error on all replies
which are generated for users which do not exist. While this was
sufficient at the time, due to ever increasing compliance with RFC
3261, the SIP specification, that is no longer sufficient as a means
towards preventing attackers from checking responses to verify whether
a SIP account exists on a machine.
What we have done is to carefully emulate exactly the same responses
throughout possible dialogs, which should prevent attackers from
gleaning this information. All invalid users, if this option is turned
on, will receive the same response throughout the dialog, as if a
username was valid, but the password was incorrect.
It is important to note several things. First, this vulnerability is
derived directly from the SIP specification, and it is a technical
violation of RFC 3261 (and subsequent RFCs, as of this date), for us
to return these responses. Second, this attack is made much more
difficult if administrators avoided creating all-numeric usernames and
especially all-numeric passwords. This combination is extremely
vulnerable for servers connected to the public Internet, even with
this patch in place. While it may make configuring SIP telephones
easier in the short term, it has the potential to cause grief over the
long term.
Patches are linked from the advisory and are now being tested.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
--- End Message ---
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.6.1.0~dfsg-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:
asterisk-config_1.6.1.0~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-config_1.6.1.0~dfsg-1_all.deb
asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
asterisk-dev_1.6.1.0~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-dev_1.6.1.0~dfsg-1_all.deb
asterisk-doc_1.6.1.0~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-doc_1.6.1.0~dfsg-1_all.deb
asterisk-h323_1.6.1.0~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-h323_1.6.1.0~dfsg-1_i386.deb
asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
asterisk_1.6.1.0~dfsg-1.diff.gz
to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg-1.diff.gz
asterisk_1.6.1.0~dfsg-1.dsc
to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg-1.dsc
asterisk_1.6.1.0~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg-1_i386.deb
asterisk_1.6.1.0~dfsg.orig.tar.gz
to pool/main/a/asterisk/asterisk_1.6.1.0~dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 522...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Purcell <m...@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 20 May 2009 08:00:23 +1000
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-progdoc asterisk-dev
asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.1.0~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Mark Purcell <m...@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-h323 - H.323 protocol support for Asterisk
asterisk-progdoc - Source code documentation for Asterisk
asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 522528 528497
Changes:
asterisk (1:1.6.1.0~dfsg-1) unstable; urgency=low
.
* New upstream release (Closes: #522528).
.
[ Tzafrir Cohen ]
* Depend explicitly on dahdi.
* Patch apptest_sleep dropped: merged upstream.
* Patch libtonezone_libm dropped: merged upstream.
* Patch h323-make-fix dropped: merged upstream.
* Use upstream's asterisk.conf rather than our bogus one.
* Also add the version-specific release summary.
* Patch dahdi_ptmp_nt: (not really) chan_dahdi PtMP NT support
(Kristijan Vrban).
* Patch dahdi_pri_debug_spannums: add span number in PRI trace.
* Patch astcanary_startup: Avoid a false death of the canary
(Closes: #528497).
* Patch hardware_dtmf_mute_fix: Fix muting of DAHDI channels with hardware
DTMF detection.
Checksums-Sha1:
a6837967792126e7fb174395eb0ba738a480863d 2055 asterisk_1.6.1.0~dfsg-1.dsc
b9ac25f0d72f1ce1c0a0f7971e4f259fb2b0f8bd 7640519
asterisk_1.6.1.0~dfsg.orig.tar.gz
fe2fb8477ec0696774a16caf6df70368f86270ca 56638 asterisk_1.6.1.0~dfsg-1.diff.gz
acb9c3e6930a05cdf9c60c21516011760fed77e9 1979636
asterisk-doc_1.6.1.0~dfsg-1_all.deb
f3e1b8ac3afdf9d141dab871713a5a08c9e08bcd 148535056
asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
19cdf1497e4b7d845adbc6078f835de695f9d2f6 975846
asterisk-dev_1.6.1.0~dfsg-1_all.deb
6fbe24114d373ed2d28ef013ec3481a3327dd32c 2509442
asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
fa55b549a935d8d1f17dffa94f7013e3c351be6c 1045426
asterisk-config_1.6.1.0~dfsg-1_all.deb
ad6ac47f7a3214f60a724a7b561c4acf0f369fa9 3813778
asterisk_1.6.1.0~dfsg-1_i386.deb
d1126b2d0a00b290599545bcb246b11277488509 892358
asterisk-h323_1.6.1.0~dfsg-1_i386.deb
c713f1a8ef6d1e9d5c72dd9711e2ab0a23d4e8a1 20219384
asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
Checksums-Sha256:
44d2a0cc52bccc3a64cc99c9fe71168839bdda1065ae6a841bae98f1d6d3a633 2055
asterisk_1.6.1.0~dfsg-1.dsc
da63bb2f2c97e750e00253aa45f326f9a8e4a13d315fa315f0cfaf9812132f99 7640519
asterisk_1.6.1.0~dfsg.orig.tar.gz
db70144cb6784c6641c43461ed164643eda8011bdf7d8c18e71e04d77ffc4850 56638
asterisk_1.6.1.0~dfsg-1.diff.gz
391bb7994020398a69ea4442f16ff08bc160258d5bc45e0eff1cc2448c139582 1979636
asterisk-doc_1.6.1.0~dfsg-1_all.deb
90523650f9b814f87298b472c3783a1d231dd28055ae904ecf7fa15ddd267f13 148535056
asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
788345a2aee3f4ac96de72cc6d947ac4a7778b860837b0d79a28d1a15f8a8254 975846
asterisk-dev_1.6.1.0~dfsg-1_all.deb
f3246199e599f2857f84d4ec74cbfd65d6272d173ff11377c31739dbc73222fc 2509442
asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
82a70785cf7ff8c75dbde893403da5b19fa10e2d0564ad08fd22f3d4f045f462 1045426
asterisk-config_1.6.1.0~dfsg-1_all.deb
c349c160a5ad07b9eab6172f222bb4183d051358afb6b0d36b9dd672a6c84cb7 3813778
asterisk_1.6.1.0~dfsg-1_i386.deb
1274ed7841ac026e637c08517fddebfbc686883ce43d58214dae4f6fb96189bc 892358
asterisk-h323_1.6.1.0~dfsg-1_i386.deb
a8a1a4d3f27de742e484184b3a0227d57c3e717b9c7815e9b0708e1bd6501be3 20219384
asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
Files:
d8d1c2e1ac2b78f2cbae42070d6f192d 2055 comm optional asterisk_1.6.1.0~dfsg-1.dsc
9f6573edcf537f30690b8f8d5cf22786 7640519 comm optional
asterisk_1.6.1.0~dfsg.orig.tar.gz
6e75964823d653af27cb0788769923a1 56638 comm optional
asterisk_1.6.1.0~dfsg-1.diff.gz
3a68d4c51e120fab9cddfbc84f870f66 1979636 doc extra
asterisk-doc_1.6.1.0~dfsg-1_all.deb
8eec056d357371021092bc4e28f7bde9 148535056 doc extra
asterisk-progdoc_1.6.1.0~dfsg-1_all.deb
15dbdeda43d1b7a45d824cd98333a400 975846 devel extra
asterisk-dev_1.6.1.0~dfsg-1_all.deb
f2b4f37a34af33428ab76b2f187f5160 2509442 comm optional
asterisk-sounds-main_1.6.1.0~dfsg-1_all.deb
1a4301224195f7e9cd3b9d8b6d9e0dbc 1045426 comm optional
asterisk-config_1.6.1.0~dfsg-1_all.deb
826fe89fd24d62e2101e888c133ef890 3813778 comm optional
asterisk_1.6.1.0~dfsg-1_i386.deb
a583525a751fcf7faa9c4396c0925f4c 892358 comm optional
asterisk-h323_1.6.1.0~dfsg-1_i386.deb
a35c9d18a580139984e94910c2eaa4fe 20219384 debug extra
asterisk-dbg_1.6.1.0~dfsg-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoTMAEACgkQoCzanz0IthLTDgCdGGqb582DPbvdQJftJZ1otM93
a8oAoJKU5DcMbecJ1hqaQa98UW6mdhSJ
=P2v7
-----END PGP SIGNATURE-----
--- End Message ---
