Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0041 to the following vulnerability:

IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0041
http://www.securityfocus.com/bid/33174
http://www.securityfocus.com/archive/1/archive/1/499884/100/0/threaded
http://www.securityfocus.com/bid/33174/solution

Patch against Asterisk 1.6:
http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff
This issue affects all versions of the Asterisk package, as shipped with Fedora releases of 9, 10 and devel. Please fix.
Updates to 1.6.0.3 are already built and pushed to testing:
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-0536
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-0448
Fixed asterisk packages are now in all current Fedora versions.
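The class of flaw named in the CVE text at the top of this report (a login path that answers differently for unknown accounts) can be checked for with a small regression test. The following is an added example, not part of this report and not Asterisk's code or the AST-2009-001 patch: it is a simplified model of a challenge-response login, and the names USERS, SERVER_KEY, the reply labels "REJECT"/"CHALLENGE" and all functions are assumptions made for illustration, not the IAX2 wire format.

```python
import hashlib
import hmac
import os

# Constructed account table for the demo (not real credentials).
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Hypothetical per-process secret used to derive decoy secrets for unknown names.
SERVER_KEY = os.urandom(32)


def first_reply_vulnerable(username):
    """Flawed behaviour: unknown names are rejected at once, known names get a challenge."""
    if username not in USERS:
        return ("REJECT", None)
    return ("CHALLENGE", os.urandom(8).hex())


def first_reply_hardened(username):
    """Every name gets a challenge, so the first reply says nothing about the account."""
    return ("CHALLENGE", os.urandom(8).hex())


def verify(username, challenge, response):
    """Check the challenge response.

    Unknown names are compared against a decoy secret so both paths do the
    same work and end in the same generic failure. A real server would keep
    the issued challenge in session state instead of taking it as an argument.
    """
    secret = USERS.get(username)
    decoy = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    material = secret if secret is not None else decoy
    expected = hashlib.sha256((challenge + material).encode()).hexdigest()
    matches = hmac.compare_digest(expected, response)
    return matches and secret is not None


def leaks_account_existence(first_reply, known, unknown):
    """Regression check: does the reply type differ between a known and an unknown name?"""
    return first_reply(known)[0] != first_reply(unknown)[0]


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_account_existence(first_reply_vulnerable, "alice", "mallory"))
    print("hardened leaks:  ", leaks_account_existence(first_reply_hardened, "alice", "mallory"))
```

The same comparison can be pointed at a patched service in a test environment: the first reply and the final failure should be of the same type for a valid name with a wrong password and for a name that does not exist.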