Red Hat Bugzilla – Bug 480132
CVE-2009-0041 asterisk: Replies to failed login attempts differently based on whether the user account exists (information disclosure)
Last modified: 2009-10-27 14:19:58 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0041 to
the following vulnerability:
IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before
1.4.23-rc4, and 1.6.x before 220.127.116.11-rc2; Business Edition A.x.x,
B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before
C.18.104.22.168; and s800i 1.2.x before 1.3.0 responds differently to a
failed login attempt depending on whether the user account exists,
which allows remote attackers to enumerate valid usernames.
Patch against Asterisk 1.6:
This issue affects all versions of the Asterisk package, as shipped
with Fedora releases of 9, 10 and devel.
Updates to 22.214.171.124 are already built and pushed to testing:
Fixed asterisk packages are now in all current Fedora versions.