Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3903 to the following vulnerability:

Asterisk PBX 1.2 through 1.6 and Trixbox PBX 2.6.1, when running with Digest authentication and authalwaysreject enabled, generates different responses depending on whether or not a SIP username is valid, which allows remote attackers to enumerate valid usernames.

References:
http://misel.com/?p=52
Referenced advisory contains proposed patch, but there does not seem to be an official upstream advisory for this issue yet.
Upstream advisory with patches:
http://downloads.asterisk.org/pub/security/AST-2009-003.html

CVE-2008-3903 entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3903
I believe that this can be closed as 1.6.0.15 is the current version in F-10 and F-11+ are running 1.6.1.x.
Right, thanks!