CVE-2009-3727

Priority
Description
Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x
before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x
before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2;
AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error
messages depending on whether a SIP username is valid, which allows remote
attackers to enumerate valid usernames via multiple crafted REGISTER
messages with inconsistent usernames in the URI in the To header and the
Digest in the Authorization header.
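A detection-side illustration of the condition described above, added here as an example and not taken from the advisory or from Asterisk: it flags REGISTER messages whose To URI username differs from the Digest username, and reports sources that do so for several distinct usernames. The sample messages, addresses, function names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Username in the To URI (long or compact header form) and in the Digest credentials.
TO_USER = re.compile(r"^(?:To|t)\s*:[^\r\n]*?sips?:([^@>;\s]+)@", re.I | re.M)
DIGEST_USER = re.compile(
    r'^Authorization\s*:\s*Digest\b[^\r\n]*?\busername\s*=\s*"([^"]*)"', re.I | re.M)

def make_register(to_user, digest_user):
    """Build a constructed REGISTER for the sample data (not captured traffic)."""
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"To: <sip:{to_user}@pbx.example.com>\r\n"
            f"From: <sip:{to_user}@pbx.example.com>;tag=1\r\n"
            f'Authorization: Digest username="{digest_user}", realm="asterisk", '
            'nonce="0000", uri="sip:pbx.example.com", response="0000"\r\n\r\n')

def mismatch(message):
    """Return (to_user, digest_user) when a REGISTER names two different users."""
    if not message.startswith("REGISTER "):
        return None
    to, digest = TO_USER.search(message), DIGEST_USER.search(message)
    if not to or not digest:   # unauthenticated first REGISTER, or no user part
        return None
    pair = (to.group(1), digest.group(1))
    return pair if pair[0] != pair[1] else None

def flag_sources(events, threshold=3):
    """Map source IP -> sorted To usernames, for sources with >= threshold
    distinct mismatched usernames (threshold is an assumed tuning value)."""
    seen = defaultdict(set)
    for source, message in events:
        hit = mismatch(message)
        if hit:
            seen[source].add(hit[0])
    return {s: sorted(u) for s, u in seen.items() if len(u) >= threshold}

# Constructed events: (source address, raw SIP message), RFC 5737 addresses.
SAMPLE = [
    ("192.0.2.10", make_register("alice", "alice")),   # normal registration
    ("192.0.2.20", make_register("bob", "bob2")),      # single misconfigured phone
    ("192.0.2.66", make_register("100", "probe")),
    ("192.0.2.66", make_register("101", "probe")),
    ("192.0.2.66", make_register("102", "probe")),
]

if __name__ == "__main__":
    for source, users in flag_sources(SAMPLE).items():
        print(source, "mismatched REGISTER for", users)
```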
Notes
More Information

Updated: 2022-02-10 23:39:04 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)