CVE-2011-4597

NameCVE-2011-4597
DescriptionThe SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-2367-1
NVD severitymedium (attack range: remote)
Debian Bugs651552
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)squeeze, squeeze (security)1:1.6.2.9-2+squeeze12fixed
wheezy (security), wheezy1:1.8.13.1~dfsg1-3+deb7u3fixed
jessie1:11.13.1~dfsg-2fixed
stretch, sid1:13.1.0~dfsg-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksource(unstable)1:1.8.8.0~dfsg-1medium651552
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny6mediumDSA-2367-1
asterisksourcesqueeze1:1.6.2.9-2+squeeze4mediumDSA-2367-1

Search for package or bug name: Reporting problems