On Wed, Jul 29, 2015 at 03:37:17PM +0200, Jonas Smedegaard wrote: > Package: src:pjproject > Severity: important > Tags: security > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > PJProject calls libsrtp crypto_get_random() twice in transport_srtp.c: > https://sources.debian.net/src/pjproject/2.1.0.0.ast20130823-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1077#L1077 > https://sources.debian.net/src/pjproject/2.4~dfsg-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1087#L1087 > > Libsrtp developers will drop that call in next major release of libsrtp: > https://github.com/cisco/libsrtp/commit/339b61d > > Since the reason is described as that the implementation is mediocre, it > would probably be wise - not only for future compatibility but also to > improve security - to patch (or discuss with your upstream) to use a > different source for randomness.
Thanks for your report. Upstream SVN seems to have a fix: OpenSSL's RNG is used and the SRTP one is only used as a fallback (in the single, SRTP-related place it was used before). It is fixed in upstream SVN rev. 5079. I'll see about backporting it. -- Tzafrir Cohen | [email protected] | VIM is http://tzafrir.org.il | | a Mutt's [email protected] | | best [email protected] | | friend -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

