Debian Bug report logs -
#457063
asterisk: CVE-2007-6430 remote unauthenticated sessions
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 19 Dec 2007 13:45:01 UTC
Severity: grave
Tags: security
Fixed in version asterisk/1:1.4.16.2~dfsg-1
Done: Faidon Liambotis <paravoid@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#457063; Package asterisk.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: asterisk
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.
CVE-2007-6430[0]:
| Due to the way database-based registrations ("realtime")
| are processed, IP addresses are not checked when the
| username is correct and there is no password. An
| attacker may impersonate any user using host-based
| authentication without a secret, simply by guessing the
| username of that user. This is limited in scope to
| administrators who have set up the registration database
| ("realtime") for authentication and are using only
| host-based authentication, not passwords. However, both
| the SIP and IAX protocols are affected.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://downloads.digium.com/pub/security/AST-2007-027.html
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#457063; Package asterisk.
(full text, mbox, link).
Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #10 received at 457063@bugs.debian.org (full text, mbox, reply):
Nico Golde wrote:
> CVE-2007-6430[0]:
> | Due to the way database-based registrations ("realtime")
> | are processed, IP addresses are not checked when the
> | username is correct and there is no password. An
> | attacker may impersonate any user using host-based
> | authentication without a secret, simply by guessing the
> | username of that user. This is limited in scope to
> | administrators who have set up the registration database
> | ("realtime") for authentication and are using only
> | host-based authentication, not passwords. However, both
> | the SIP and IAX protocols are affected.
This is affecting unstable and stable. oldstable is not affected.
I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
unstable probably tomorrow or the day after that.
For stable, I don't think that the vulnerability is serious enough to
warrant a DSA. Maybe s-p-u is a better candidate?
Regards,
Faidon
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#457063; Package asterisk.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #15 received at 457063@bugs.debian.org (full text, mbox, reply):
On Wed, Dec 19, 2007 at 08:52:10PM +0200, Faidon Liambotis wrote:
> Nico Golde wrote:
> > CVE-2007-6430[0]:
> > | Due to the way database-based registrations ("realtime")
> > | are processed, IP addresses are not checked when the
> > | username is correct and there is no password. An
> > | attacker may impersonate any user using host-based
> > | authentication without a secret, simply by guessing the
> > | username of that user. This is limited in scope to
> > | administrators who have set up the registration database
> > | ("realtime") for authentication and are using only
> > | host-based authentication, not passwords. However, both
> > | the SIP and IAX protocols are affected.
> This is affecting unstable and stable. oldstable is not affected.
>
> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> unstable probably tomorrow or the day after that.
>
> For stable, I don't think that the vulnerability is serious enough to
> warrant a DSA.
I agree that a DSA is not warranted.
> Maybe s-p-u is a better candidate?
s-p-u handling is sluggish, the next asterisk DSA will likely
appear before it enters the next point release.
A more serious asterisk issue will surely appear, so let's just
postpone it.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#457063; Package asterisk.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #20 received at 457063@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Faidon,
* Faidon Liambotis <paravoid@debian.org> [2007-12-19 20:18]:
> Nico Golde wrote:
> > CVE-2007-6430[0]:
> > | Due to the way database-based registrations ("realtime")
> > | are processed, IP addresses are not checked when the
> > | username is correct and there is no password. An
> > | attacker may impersonate any user using host-based
> > | authentication without a secret, simply by guessing the
> > | username of that user. This is limited in scope to
> > | administrators who have set up the registration database
> > | ("realtime") for authentication and are using only
> > | host-based authentication, not passwords. However, both
> > | the SIP and IAX protocols are affected.
> This is affecting unstable and stable. oldstable is not affected.
>
> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
> unstable probably tomorrow or the day after that.
[...]
Sounds good, thanks for taking care of it.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#457063; Package asterisk.
(full text, mbox, link).
Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #25 received at 457063@bugs.debian.org (full text, mbox, reply):
Moritz Muehlenhoff wrote:
> On Wed, Dec 19, 2007 at 08:52:10PM +0200, Faidon Liambotis wrote:
>> Nico Golde wrote:
>>> CVE-2007-6430[0]:
>>> | Due to the way database-based registrations ("realtime")
>>> | are processed, IP addresses are not checked when the
>>> | username is correct and there is no password. An
>>> | attacker may impersonate any user using host-based
>>> | authentication without a secret, simply by guessing the
>>> | username of that user. This is limited in scope to
>>> | administrators who have set up the registration database
>>> | ("realtime") for authentication and are using only
>>> | host-based authentication, not passwords. However, both
>>> | the SIP and IAX protocols are affected.
>> This is affecting unstable and stable. oldstable is not affected.
>>
>> I'll upload 1.4.16 (.1 due soon probably, since .16 has a major bug) to
>> unstable probably tomorrow or the day after that.
>>
>> For stable, I don't think that the vulnerability is serious enough to
>> warrant a DSA.
>
> I agree that a DSA is not warranted.
>
>> Maybe s-p-u is a better candidate?
>
> s-p-u handling is sluggish, the next asterisk DSA will likely
> appear before it enters the next point release.
Please don't denigrate SRM.
The next point release is planned to happen before the end of the year
or early next year. It's true that it took a long time, though it's not
because we were sluggish. There were some issues with the teams
internals. When they got solved ries crashed and we had to start from
scratch due to no backup being available which we asked for more than
one year. Apparantly the backup was not planned because of some backup
policy noone knew about. Those three problems are fixed in the meantime,
so without any unforseeable misfortune a release will happen very soon.
Cheers
Luk
Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #30 received at 457063-close@bugs.debian.org (full text, mbox, reply):
Source: asterisk
Source-Version: 1:1.4.16.2~dfsg-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:
asterisk-config_1.4.16.2~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-config_1.4.16.2~dfsg-1_all.deb
asterisk-dbg_1.4.16.2~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-dbg_1.4.16.2~dfsg-1_i386.deb
asterisk-dev_1.4.16.2~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-dev_1.4.16.2~dfsg-1_all.deb
asterisk-doc_1.4.16.2~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-doc_1.4.16.2~dfsg-1_all.deb
asterisk-h423_1.4.16.2~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk-h423_1.4.16.2~dfsg-1_i386.deb
asterisk-sounds-main_1.4.16.2~dfsg-1_all.deb
to pool/main/a/asterisk/asterisk-sounds-main_1.4.16.2~dfsg-1_all.deb
asterisk_1.4.16.2~dfsg-1.diff.gz
to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg-1.diff.gz
asterisk_1.4.16.2~dfsg-1.dsc
to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg-1.dsc
asterisk_1.4.16.2~dfsg-1_i386.deb
to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg-1_i386.deb
asterisk_1.4.16.2~dfsg.orig.tar.gz
to pool/main/a/asterisk/asterisk_1.4.16.2~dfsg.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 457063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 21 Dec 2007 22:38:03 +0200
Source: asterisk
Binary: asterisk-sounds-main asterisk-h423 asterisk asterisk-config asterisk-dbg asterisk-dev asterisk-doc
Architecture: source all i386
Version: 1:1.4.16.2~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-h423 - H.323 protocol support for Asterisk
asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 454332 457063
Changes:
asterisk (1:1.4.16.2~dfsg-1) unstable; urgency=low
.
* New upstream release. (Closes: #457063) (Fixes CVE-2007-6430)
- Remove keep-1.4-abi, merged upstream.
- Adapt hack-multiple-app-voicemail, use-libpri-bristuffed, tos-libcap.
- Adapt bristuff patches app-dial-etc, chan-iax2-hangup-cause,
app-dial-priority-202, zapata-bri+euroisdn.
* Silence upstream's build sum warning but generate one on all modules so
that we can enable it at a later point.
* Make the init script's detection of a running daemon to be more precise.
* Bump Standards-Version to 3.7.3, no changes needed.
* Remove modem.conf on upgrades from 1.2 (i.e. etch). (Closes: #454332)
* Ressurect long-forgotten logrotate script.
Files:
d86d9ab49a51e4861d2f61dc0ad52dba 1520 comm optional asterisk_1.4.16.2~dfsg-1.dsc
d560a5c85dc3a8509f226f71ecd68b4d 5210662 comm optional asterisk_1.4.16.2~dfsg.orig.tar.gz
ba8b4c5e51698b644f2ea71009847de7 177498 comm optional asterisk_1.4.16.2~dfsg-1.diff.gz
4fc615082d586f5196c9b6ef18b9154e 29313240 doc extra asterisk-doc_1.4.16.2~dfsg-1_all.deb
40bcd25de3bf10a11a034bba969026e0 368676 devel extra asterisk-dev_1.4.16.2~dfsg-1_all.deb
36608e881b3b2570702a4d8d37f9bd01 1826270 comm optional asterisk-sounds-main_1.4.16.2~dfsg-1_all.deb
45fe43777da2eb4ad84a46cedc1a3604 423532 comm optional asterisk-config_1.4.16.2~dfsg-1_all.deb
6b1ab041a79bb992721eb00834c60d56 2271514 comm optional asterisk_1.4.16.2~dfsg-1_i386.deb
e3f641caf54cb25ab9d02010e27ef1f2 327344 comm optional asterisk-h423_1.4.16.2~dfsg-1_i386.deb
7444a28737722fde82f3c2cb5441445c 12768186 devel extra asterisk-dbg_1.4.16.2~dfsg-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHc820Vty5d8XpUzMRAoyPAJ4mdm3wFFylDoJja3BMezpaknFOgACdEBE2
5rajD4J3Yik10Tpx0AlHcLY=
=GYek
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 25 Jan 2008 07:32:14 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:47:51 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon