Launchpad.net

CVE 2008-1390

The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.

Related bugs and status

CVE-2008-1390 (Candidate) is related to these bugs:

Bug #345217: Fix vulnerabilities in channels/chan_ia2x.c

		In	Importance	Status
345217	Fix vulnerabilities in channels/chan_ia2x.c	asterisk (Ubuntu)	Undecided	Invalid
345217	Fix vulnerabilities in channels/chan_ia2x.c	asterisk (Ubuntu Hardy)	Undecided	Fix Released
345217	Fix vulnerabilities in channels/chan_ia2x.c	asterisk (Ubuntu Intrepid)	Undecided	Fix Released
345217	Fix vulnerabilities in channels/chan_ia2x.c	asterisk (Ubuntu Jaunty)	Undecided	Fix Released
345217	Fix vulnerabilities in channels/chan_ia2x.c	asterisk (Ubuntu Karmic)	Undecided	Invalid

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://downloads.digiu...
BID: 28316
SECUNIA: 29449
FEDORA: FEDORA-2008-2554
FEDORA: FEDORA-2008-2620
SECTRACK: 1019679
SECUNIA: 29470
SREASON: 3764
XF: asterisk-httpmanagerid...
BUGTRAQ: 20080318 AST-2008-005:...