Your message dated Fri, 08 Apr 2016 09:48:18 +0000
with message-id <[email protected]>
and subject line Bug#807698: fixed in srtp 1.4.5~20130609~dfsg-1.1+deb8u1
has caused the Debian Bug report #807698,
regarding srtp: CVE-2015-6360: Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
807698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: srtp
Version: 1.4.5~20130609~dfsg-1.1
Severity: grave
Tags: security

Hi,

from what I figured out it seems the 1.4 series is also affected by
CVE-2015-6360. While there is no aead mode srtp_unprotect needs the
patch nevertheless.

See: https://security-tracker.debian.org/tracker/CVE-2015-6360
for a list of patches.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: srtp
Source-Version: 1.4.5~20130609~dfsg-1.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
srtp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated srtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Apr 2016 18:59:17 +0200
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source all amd64
Version: 1.4.5~20130609~dfsg-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Jonas Smedegaard <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
 libsrtp0   - Secure RTP (SRTP) and UST Reference Implementations - shared libr
 libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations - development
 srtp-docs  - Secure RTP (SRTP) and UST Reference Implementations - documentati
 srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Closes: 807698
Changes:
 srtp (1.4.5~20130609~dfsg-1.1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2015-6360.patch. Prevent potential DoS attack due to lack of
     bounds checking on RTP header CSRC count and extension header length.
     (Closes: #807698)
Checksums-Sha1:
 5d15f647dda178828c786560c814caf06acb1cde 2411 srtp_1.4.5~20130609~dfsg-1.1+deb8u1.dsc
 1276b78ad6d6c8d16a1c4cee0bf29b7fba41d72c 251824 srtp_1.4.5~20130609~dfsg.orig.tar.gz
 d8ec48cd5337cca30a20db04a48a0fe7482ef736 14520 srtp_1.4.5~20130609~dfsg-1.1+deb8u1.debian.tar.xz
 e919fdead3c6ff64dd2204116c832447f3b97797 237976 srtp-docs_1.4.5~20130609~dfsg-1.1+deb8u1_all.deb
 e77cc49c24067d45be2a2da6e9891bbc81d0e513 93474 libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
 a9e0e83b85e0d02d79e07c568918332a5eeae03c 65154 libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
 c065753813f5ce32b3879400fbf11222cf541c18 101224 srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
Checksums-Sha256:
 07a5889fdd719369e7b1953f3c1ba1cd4de14c564a1257aa5516756c92ae4319 2411 srtp_1.4.5~20130609~dfsg-1.1+deb8u1.dsc
 32083ced5621613a0190e4f0d5e7486aa0deb7d3a8f02d7d8bb45c57d0920584 251824 srtp_1.4.5~20130609~dfsg.orig.tar.gz
 64566be5e36141bc42637434733c17de3ee9c6cb56ec8e822c4825e1f0dc058f 14520 srtp_1.4.5~20130609~dfsg-1.1+deb8u1.debian.tar.xz
 e85c369a98cfa29187d8184c5d4d1adef250decaebee68917a9ac8fc03bd78f1 237976 srtp-docs_1.4.5~20130609~dfsg-1.1+deb8u1_all.deb
 be4bed57687c6ebf363b0b1236605c3c8dfdbb1403039946354b906ec6ec2f3b 93474 libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
 f093edf30ed905e316c64727ff9ccac38946c1185fafa74f8ed6741338e0b5ef 65154 libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
 dff65254de5f051a962f61922234e646c87e158bda4a2a7e857992961a9bdbce 101224 srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
Files:
 5811f569563aecb0862269589ca188cc 2411 libs optional srtp_1.4.5~20130609~dfsg-1.1+deb8u1.dsc
 ed80a9530f8d12d8332897b246f27151 251824 libs optional srtp_1.4.5~20130609~dfsg.orig.tar.gz
 3ff1bf14fc81280f00604a274c58aa95 14520 libs optional srtp_1.4.5~20130609~dfsg-1.1+deb8u1.debian.tar.xz
 ecaf9e10abd61a3b08498a9965739db3 237976 doc optional srtp-docs_1.4.5~20130609~dfsg-1.1+deb8u1_all.deb
 47de898233bc36527093ab7fad764609 93474 libdevel optional libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
 9f945d68c3ef40dfffd3846d7504ba23 65154 libs optional libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
 979fa4536a7794c173d7f296de3970ec 101224 libs optional srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJW/qp/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkiskQAMlmNz7XmmB1QjdDQvEEa11F
wyLQWUI1U+qBYWYi/RNVT0Xs0EMOx9EQXmCW1SjLHJOR8lbFC/GA9lXWAoeDG0WS
V9q+EnrnQ3AkIhpHWboEY/YxN76Avl+/R/13W5hbM23zJvuyGd/JJnVGaRh5JWdY
IW0947UkbWqrbdpD7cKMe5AcMC+xdjloRK8dbRcdX/4dkD+05325g1qNYRm+dztn
ax4mxYawxlXy865r6HRB4mpDwQo2mlRmj3W50yideb0oak9v3PLkMO39aLbUpndq
1qddIF/71jT2ClWYQlc1mfKuG4OmBBpVv9rTm9XHJkzO2/8qEqCbi51fBetAb95l
nG2aiMrS+6BpzOjEKINwTuiXL1+Z9kh4VKMUbSmKMGEHgYKhOWH1L4kqEC1CQavB
sBz2QkJnHS+q0aJ+XQiqQAkPycmrv0z3QGnRlhhn/sasxuqTT8S+yNQxryR4LWnd
Nur1d2CaRs6/hhqgP8QcQlwRbSMJSJVnK3ry4EjsH7hZE3DhrRaEyMV7h0kIqoFi
uuh/DlidSFHPcvrrPqMBOS+iBCT9StQtPHjVFfbJ/xu6DGffgbxbr8ZXymCM2FJq
PT0tY+qTCzzNX9rT9m7PxL6A8S4oWngURYI0Ny7yR1YGQCBRhqzRIGj6iqnS/kGd
yzMM4QEytaqBO4wAXRAk
=iXqH
-----END PGP SIGNATURE-----
--- End Message ---
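The changelog above describes the fix as bounds checking on two sender-controlled RTP header fields: the CSRC count and the extension header length. As an added illustration, not libsrtp's code and not the Debian CVE-2015-6360.patch, the C program below walks an RTP header in the RFC 3550 layout and refuses any packet whose CSRC list or header extension would extend past the end of the buffer, which is the class of check whose absence the changelog names. The function and enum names are this example's own, and the four packets it runs on are hand-constructed samples, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not libsrtp code): compute the RTP payload offset while
 * checking the CSRC count and extension length against the packet length. */
#define RTP_FIXED_HEADER_LEN 12

enum rtp_status {
    RTP_OK = 0,
    RTP_ERR_SHORT_PACKET = 1,  /* fewer than 12 bytes */
    RTP_ERR_BAD_VERSION = 2,   /* version field is not 2 */
    RTP_ERR_CSRC_OVERRUN = 3,  /* CC*4 bytes of CSRCs do not fit */
    RTP_ERR_EXT_OVERRUN = 4    /* extension header or body does not fit */
};

/* On success stores the payload offset in *payload_off and returns RTP_OK.
 * Every "pkt_len - off" below is only evaluated once off <= pkt_len holds. */
int rtp_header_walk(const uint8_t *pkt, size_t pkt_len, size_t *payload_off)
{
    if (pkt_len < RTP_FIXED_HEADER_LEN)
        return RTP_ERR_SHORT_PACKET;
    if ((pkt[0] >> 6) != 2)
        return RTP_ERR_BAD_VERSION;

    size_t cc = pkt[0] & 0x0f;            /* CSRC count, 0..15 */
    int has_ext = (pkt[0] >> 4) & 0x01;   /* X bit */
    size_t off = RTP_FIXED_HEADER_LEN;

    /* CSRC list: cc 32-bit identifiers. cc <= 15 so cc*4 cannot overflow,
     * but the packet may still be shorter than 12 + 4*cc bytes. */
    if (pkt_len - off < cc * 4)
        return RTP_ERR_CSRC_OVERRUN;
    off += cc * 4;

    if (has_ext) {
        /* Extension header: 16-bit profile-defined field, 16-bit length in
         * 32-bit words, then that many words of extension data. */
        if (pkt_len - off < 4)
            return RTP_ERR_EXT_OVERRUN;
        size_t ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (pkt_len - off < ext_words * 4)  /* at most 0xffff*4, no overflow */
            return RTP_ERR_EXT_OVERRUN;
        off += ext_words * 4;
    }

    *payload_off = off;
    return RTP_OK;
}

/* Wrapper for the samples: payload offset on success, negated status on failure. */
long rtp_walk_result(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 0;
    int rc = rtp_header_walk(pkt, pkt_len, &off);
    return rc == RTP_OK ? (long)off : -(long)rc;
}

/* Constructed sample packets (hand-built for this example, not captured). */
const uint8_t rtp_sample_ext_ok[] = {
    0x90, 0x60, 0x00, 0x01,  /* V=2 P=0 X=1 CC=0 | M=0 PT=96 | seq=1 */
    0x00, 0x00, 0x00, 0x00,  /* timestamp */
    0xde, 0xad, 0xbe, 0xef,  /* SSRC */
    0xbe, 0xde, 0x00, 0x01,  /* extension: profile 0xbede, length 1 word */
    0x00, 0x00, 0x00, 0x00,  /* the single extension word */
    0xaa, 0xbb               /* payload begins at offset 20 */
};
const uint8_t rtp_sample_csrc_ok[] = {
    0x82, 0x60, 0x00, 0x02,  /* V=2 X=0 CC=2 */
    0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef,
    0x00, 0x00, 0x00, 0x01,  /* CSRC 1 */
    0x00, 0x00, 0x00, 0x02,  /* CSRC 2 */
    0xcc                     /* payload begins at offset 20 */
};
/* CC=15 announces 60 bytes of CSRCs, but only the 12-byte fixed header exists. */
const uint8_t rtp_sample_csrc_overrun[] = {
    0x8f, 0x60, 0x00, 0x03,
    0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef
};
/* X=1 with an extension length of 0xffff words (262140 bytes) in 16 bytes. */
const uint8_t rtp_sample_ext_overrun[] = {
    0x90, 0x60, 0x00, 0x04,
    0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef,
    0xbe, 0xde, 0xff, 0xff
};

int main(void)
{
    printf("ext_ok       -> %ld\n", rtp_walk_result(rtp_sample_ext_ok, sizeof rtp_sample_ext_ok));
    printf("csrc_ok      -> %ld\n", rtp_walk_result(rtp_sample_csrc_ok, sizeof rtp_sample_csrc_ok));
    printf("csrc_overrun -> %ld\n", rtp_walk_result(rtp_sample_csrc_overrun, sizeof rtp_sample_csrc_overrun));
    printf("ext_overrun  -> %ld\n", rtp_walk_result(rtp_sample_ext_overrun, sizeof rtp_sample_ext_overrun));
    return 0;
}
```

Any C99 compiler builds this as a single file. The point for a reviewer of an SRTP implementation is the order of operations: the header length must be derived and validated against the buffer length before an unprotect routine uses it to locate the authentication tag or ciphertext, since both CC and the extension length are attacker-controlled bytes in every received packet.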

