oss-sec mailing list archives

CVE Request - Asterisk (AST-2009-008.html)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 05 Nov 2009 10:56:15 +0100

Hello Steve, vendors,

  Asterisk upstream has recently published two security advisories:

a, SIP responses expose valid usernames
   http://downloads.asterisk.org/pub/security/AST-2009-008.html

   This is a similar issue to AST-2009-003.html (CVE-2008-3903)
   http://downloads.asterisk.org/pub/security/AST-2009-003.html

   But according to the patches:

   http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt (AST-2009-003) vs
   http://downloads.asterisk.org/pub/security/AST-2009-008-1.6.1.diff.txt (AST-2009-003)

   it deserves a new CVE id. Could you allocate one?

The second issue (b,) already got a CVE id of CVE-2008-7220.

b, Cross-site AJAX request vulnerability (CVE-2008-7220)
   http://downloads.asterisk.org/pub/security/AST-2009-009.html

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


