[test-results] [Bamboo] Asterisk Testing > Asterisk 10 Branch > #535 has FAILED (1 tests failed, no failures were new). Change made by Matthew Jordan.

Bamboo bamboo at asterisk.org
Wed Mar 27 21:48:08 CDT 2013


-----------------------------------------------------------------------
Asterisk Testing > Asterisk 10 Branch > #535 failed.
-----------------------------------------------------------------------
Code has been updated by Matthew Jordan.
1/2 jobs failed, with 1 failing test, no failures were new.

http://bamboo.asterisk.org/browse/TESTING-ASTERISK10BRANCH-535/


--------------
Failing Jobs
--------------
  - Asterisk CentOS 6 32-Bit (CentOS 6): 1 of 248 tests failed.



--------------
Code Changes
--------------
Matthew Jordan (383982):

>AST-2013-003: Prevent username disclosure in SIP channel driver
>
>When authenticating a SIP request with alwaysauthreject enabled, allowguest
>disabled, and autocreatepeer disabled, Asterisk discloses whether a user
>exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways. The
>information is disclosed when:
> * A "407 Proxy Authentication Required" response is sent instead of a
>   "401 Unauthorized" response
> * The presence or absence of additional tags occurs at the end of "403
>   Forbidden" (such as "(Bad Auth)")
> * A "401 Unauthorized" response is sent instead of "403 Forbidden" response
>   after a retransmission
> * Retransmissions are sent when a matching peer did not exist, but not when a
>   matching peer did exist.
>
>This patch resolves these various vectors by ensuring that the responses sent
>in all scenarios are the same, regardless of the presence of a matching peer.
>
>This issue was reported by Walter Doekes, OSSO B.V. A substantial portion of
>the testing and the solution to this problem was done by Walter as well - a
>huge thanks to his tireless efforts in finding all the ways in which this
>setting didn't work, providing automated tests, and working with Kinsey on
>getting this fixed.
>
>(closes issue ASTERISK-21013)
>Reported by: wdoekes
>Tested by: wdoekes, kmoore
>patches:
>  AST-2013-003-1.8 uploaded by kmoore, wdoekes (License 6273, 5674)
>  AST-2013-003-10 uploaded by kmoore, wdoekes (License 6273, 5674)
>  AST-2013-003-11 uploaded by kmoore, wdoekes (License 6273, 5674)
>



--------------
Tests
--------------
Existing Test Failures (1)
   - AsteriskTestSuite: S/channels/ s i p/session timers/uas originate/large minse no se

--
This message is automatically generated by Atlassian Bamboo