CVE-2011-2536

Name: CVE-2011-2536
Description: chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-2276-1, DSA-2276-2
NVD severity: medium
Debian Bugs: 632029

Vulnerable and fixed packages

The table below lists information on source packages.

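| Source Package | Release | Version | Status |
|---|---|---|---|
| asterisk (PTS) | stretch (security), stretch | 1:13.14.1~dfsg-2+deb9u4 | fixed |
| asterisk | buster | 1:16.2.1~dfsg-1+deb10u2 | fixed |
| asterisk | bullseye | 1:16.15.1~dfsg-1 | fixed |
| asterisk | sid | 1:16.16.1~dfsg-1 | fixed |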

The information below is based on the following data on fixed versions.

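| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny3 | | DSA-2276-2 | |
| asterisk | source | squeeze | 1:1.6.2.9-2+squeeze3 | | DSA-2276-2 | |
| asterisk | source | (unstable) | 1:1.8.4.4~dfsg-1 | | | 632029 |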
