Your message dated Tue, 05 Apr 2016 07:35:53 +0000
with message-id <e1anlwj-0004xh...@franck.debian.org>
and subject line Bug#807698: fixed in srtp 1.4.5~20130609~dfsg-1.2
has caused the Debian Bug report #807698,
regarding srtp: CVE-2015-6360: Prevent potential DoS attack due to lack of 
bounds checking on RTP header CSRC count and extension header length
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
807698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: srtp
Version: 1.4.5~20130609~dfsg-1.1
Severity: grave
Tags: security

Hi,
from what I figured out it seems the 1.4 series is also affected by
CVE-2015-6360. While there is no AEAD mode, srtp_unprotect needs the
patch nevertheless. See:

    https://security-tracker.debian.org/tracker/CVE-2015-6360

for a list of patches.
Cheers,
 -- Guido


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: srtp
Source-Version: 1.4.5~20130609~dfsg-1.2

We believe that the bug you reported is fixed in the latest version of
srtp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated srtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 02 Apr 2016 19:43:20 +0200
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source
Version: 1.4.5~20130609~dfsg-1.2
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 807698
Description: 
 libsrtp0   - Secure RTP (SRTP) and UST Reference Implementations - shared libr
 libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations - development
 srtp-docs  - Secure RTP (SRTP) and UST Reference Implementations - documentati
 srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Changes:
 srtp (1.4.5~20130609~dfsg-1.2) unstable; urgency=high
 .
   [ Markus Koschany ]
   * Non-maintainer upload.
   * Add CVE-2015-6360.patch.
     Prevent potential DoS attack due to lack of bounds checking on RTP header
     CSRC count and extension header length. (Closes: #807698)

--- End Message ---
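
The kind of check the bug title refers to, as an added example that is not part of the messages above and is not the CVE-2015-6360 patch itself: before trusting the RTP header's CSRC count and extension length field (layout per RFC 3550), compare the length they imply against the bytes actually received. The function name rtp_payload_offset and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HDR_LEN 12u   /* RFC 3550 fixed header size in bytes */

/* Hypothetical helper (not libsrtp's API): returns the offset of the RTP
 * payload inside pkt, or -1 when the CSRC count or the extension length
 * field claims more bytes than the packet holds. */
long rtp_payload_offset(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < RTP_FIXED_HDR_LEN)
        return -1;
    if ((pkt[0] >> 6) != 2)                 /* RTP version must be 2 */
        return -1;
    size_t cc = pkt[0] & 0x0f;              /* CSRC count, 0..15 */
    size_t off = RTP_FIXED_HDR_LEN + 4 * cc;
    if (off > len)                          /* CSRC list runs past the packet */
        return -1;
    if (pkt[0] & 0x10) {                    /* X bit: extension header follows */
        if (len - off < 4)                  /* no room for profile + length */
            return -1;
        size_t words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (words * 4 > len - off)          /* extension body runs past packet */
            return -1;
        off += words * 4;
    }
    return (long)off;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_plain[16] =        /* CC=0, X=0, 4 payload bytes */
    { 0x80, 0x60, 0,1, 0,0,0,1, 0,0,0,2, 'd','a','t','a' };
static const uint8_t pkt_ok_ext[26] =       /* CC=1, X=1, one-word extension */
    { 0x91, 0x60, 0,1, 0,0,0,1, 0,0,0,2, 0,0,0,3,
      0xbe,0xde,0,1, 1,2,3,4, 'h','i' };
static const uint8_t pkt_bad_cc[12] =       /* CC=15 but no CSRC bytes present */
    { 0x8f, 0x60, 0,1, 0,0,0,1, 0,0,0,2 };
static const uint8_t pkt_bad_ext[16] =      /* extension claims 0xffff words */
    { 0x90, 0x60, 0,1, 0,0,0,1, 0,0,0,2, 0xbe,0xde,0xff,0xff };

int main(void)
{
    printf("plain:   %ld\n", rtp_payload_offset(pkt_plain, sizeof pkt_plain));
    printf("ok ext:  %ld\n", rtp_payload_offset(pkt_ok_ext, sizeof pkt_ok_ext));
    printf("bad cc:  %ld\n", rtp_payload_offset(pkt_bad_cc, sizeof pkt_bad_cc));
    printf("bad ext: %ld\n", rtp_payload_offset(pkt_bad_ext, sizeof pkt_bad_ext));
    return 0;
}
```

Each comparison is written as a subtraction from the received length so that a large length field cannot wrap the offset before it is checked.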
