Your message dated Fri, 12 Jun 2020 08:19:35 +0000
with message-id <e1jjeuv-00033x...@fasolo.debian.org>
and subject line Bug#962680: fixed in janus 0.10.1-1
has caused the Debian Bug report #962680,
regarding janus: CVE-2020-13898 CVE-2020-13899 CVE-2020-13900 CVE-2020-13901
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962680
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: janus
Version: 0.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/meetecho/janus-gateway/pull/2214

Hi,

The following vulnerabilities were published for janus.

CVE-2020-13898[0]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_sdp_process in sdp.c has a NULL pointer
| dereference.


CVE-2020-13899[1]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_process_incoming_request in janus.c discloses
| information from uninitialized stack memory.


CVE-2020-13900[2]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer
| dereference.


CVE-2020-13901[3]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_sdp_merge in sdp.c has a stack-based buffer
| overflow.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13898
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13898
[1] https://security-tracker.debian.org/tracker/CVE-2020-13899
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13899
[2] https://security-tracker.debian.org/tracker/CVE-2020-13900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13900
[3] https://security-tracker.debian.org/tracker/CVE-2020-13901
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13901
[4] https://github.com/meetecho/janus-gateway/pull/2214

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: janus
Source-Version: 0.10.1-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
janus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated janus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Jun 2020 10:09:25 +0200
Source: janus
Architecture: source
Version: 0.10.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 962680
Changes:
 janus (0.10.1-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + fixes security issues in SDP code
     closes: bug#962680
     (CVE-2020-13898, CVE-2020-13899, CVE-2020-13900, CVE-2020-13901),
     thanks to Salvatore Bonaccorso
 .
   [ Jonas Smedegaard ]
   * unfuzz patches, and extend to cover e2etest
   * set urgency=high, due to CVE fix

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
