Before commenting, I waited to hear back from Digium’s John Todd, who explained that there were some methodology and editorial process issues with this alert: basically, no one checked with Digium before going public. As it turns out, after checking with Digium, the FBI quickly revised its statement, and everything is fine.
The details are that there was a bug which Digium found in March of 2008 and subsequently patched in versions 1.2 and 1.4; version 1.6 is not affected. Moreover, according to Todd, the security issue would only arise if system administrators disregarded basic security measures such as using numerals in passwords.
I am sure by the time Asterisk World rolls around in a few months in Miami, we will all be laughing about this incident and marveling at the opportunity that is open source communications.