Red Hat Bugzilla – Bug 461271
CVE-2008-3903 asterisk: SIP valid account enumeration flaw
Last modified: 2009-11-02 14:32:11 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3903 to the following vulnerability:
Asterisk PBX 1.2 through 1.6 and Trixbox PBX 2.6.1, when running with Digest authentication and authalwaysreject enabled, generates different responses depending on whether or not a SIP username is valid, which allows remote attackers to enumerate valid usernames.
The referenced advisory contains a proposed patch, but there does not seem to be an official upstream advisory for this issue yet.
Upstream advisory with patches:
I believe that this can be closed, as 126.96.36.199 is the current version in F-10, and F-11+ are running 1.6.1.x.