An information disclosure flaw was found in the way the SIP channel driver of Asterisk, an open-source telephony toolkit, handled user authentication when:
* the alwaysauthreject option was enabled,
* allowguest was disabled, and
* the autocreatepeer option was disabled.

A remote attacker could use this flaw to obtain information if a particular user account exists by issuing certain INVITE, SUBSCRIBE and/or REGISTER transactions.

Upstream advisory:
[1] http://downloads.asterisk.org/pub/security/AST-2013-003.html

Relevant upstream patches:
[2] http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff
[3] http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff
[4] http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff
This issue affects the versions of the asterisk package as shipped with Fedora releases 18 and 17, and Fedora EPEL-6. Please schedule an update.
Created asterisk tracking bugs for this issue
Affects: fedora-18 [bug 928552]
Created asterisk tracking bugs for this issue
Affects: fedora-17 [bug 928779]
Affects: epel-6 [bug 928780]
asterisk-10.12.2-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.