asterisk<1.8.7.2: Possible remote enumeration of SIP endpoints with differing NAT settings (2.3)
It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia.
http://downloads.asterisk.org/pub/security/AST-2011-013.html
(from redmine: issue id 857, created on 2011-12-09, closed on 2011-12-22)