Your message dated Tue, 05 Apr 2016 07:35:53 +0000
with message-id <[email protected]>
and subject line Bug#807698: fixed in srtp 1.4.5~20130609~dfsg-1.2
has caused the Debian Bug report #807698,
regarding srtp: CVE-2015-6360: Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
807698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: srtp
Version: 1.4.5~20130609~dfsg-1.1
Severity: grave
Tags: security

Hi,

from what I figured out it seems the 1.4 series is also affected by
CVE-2015-6360. While there is no aead mode srtp_unprotect needs the
patch nevertheless. See:

    https://security-tracker.debian.org/tracker/CVE-2015-6360

for a list of patches.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: srtp
Source-Version: 1.4.5~20130609~dfsg-1.2

We believe that the bug you reported is fixed in the latest version of
srtp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated srtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sat, 02 Apr 2016 19:43:20 +0200
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source
Version: 1.4.5~20130609~dfsg-1.2
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 807698
Description:
 libsrtp0   - Secure RTP (SRTP) and UST Reference Implementations - shared libr
 libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations - development
 srtp-docs  - Secure RTP (SRTP) and UST Reference Implementations - documentati
 srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Changes:
 srtp (1.4.5~20130609~dfsg-1.2) unstable; urgency=high
 .
   [ Markus Koschany ]
   * Non-maintainer upload.
   * Add CVE-2015-6360.patch. Prevent potential DoS attack due to lack of
     bounds checking on RTP header CSRC count and extension header length.
     (Closes: #807698)
--- End Message ---

