CVE-2011-4597

Name: CVE-2011-4597
Description: The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-2367-1
NVD severity: medium (attack range: remote)
Debian Bugs: 651552

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| asterisk (PTS) | wheezy | 1:1.8.13.1~dfsg1-3+deb7u3 | fixed |
| | wheezy (security) | 1:1.8.13.1~dfsg1-3+deb7u4 | fixed |
| | jessie | 1:11.13.1~dfsg-2 | fixed |
| | sid | 1:13.10.0~dfsg-1 | fixed |

The information below is based on the following data on fixed versions.

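| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| asterisk | source | (unstable) | 1:1.8.8.0~dfsg-1 | medium | | 651552 |
| asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny6 | medium | DSA-2367-1 | |
| asterisk | source | squeeze | 1:1.6.2.9-2+squeeze4 | medium | DSA-2367-1 | |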
