Package: src:pjproject
Severity: important
Tags: security

PJProject calls libsrtp's crypto_get_random() twice in transport_srtp.c:

https://sources.debian.net/src/pjproject/2.1.0.0.ast20130823-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1077#L1077
https://sources.debian.net/src/pjproject/2.4~dfsg-1/pjmedia/src/pjmedia/transport_srtp.c/?hl=1087#L1087

The libsrtp developers will drop that call in the next major release of libsrtp:

https://github.com/cisco/libsrtp/commit/339b61d

Since the stated reason is that the implementation is mediocre, it would probably be wise, not only for future compatibility but also to improve security, to patch (or discuss with your upstream) to use a different source of randomness.

- Jonas

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
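As an added illustration of the "different source of randomness" suggested above (example code, not from pjproject or libsrtp): the SRTP master key and salt are drawn from the kernel CSPRNG via /dev/urandom, with short reads and EINTR handled and a partial fill wiped rather than returned. Key lengths are the RFC 3711 defaults; the function names are assumptions for this example.

```c
/* Added example, not pjproject or libsrtp code: source SRTP master key
 * material from the kernel CSPRNG instead of a library's ad-hoc PRNG.
 * Assumes a POSIX system exposing /dev/urandom. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define SRTP_MASTER_KEY_LEN  16   /* 128-bit AES-CM key (RFC 3711 default) */
#define SRTP_MASTER_SALT_LEN 14   /* 112-bit master salt (RFC 3711 default) */

/* Fill buf with len bytes from /dev/urandom, looping over short reads and
 * retrying on EINTR. Returns 0 on success, -1 on failure; on failure the
 * buffer is zeroed so a partial fill can never be mistaken for a key. */
int secure_random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {               /* error, or EOF that urandom never gives */
            close(fd);
            memset(buf, 0, len);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Produce one master key || master salt blob (30 bytes), the shape an
 * SRTP crypto policy expects. Returns 0 on success, -1 if out is too small
 * or the CSPRNG read failed. (Hypothetical helper name.) */
int srtp_generate_master_key(unsigned char *out, size_t out_len)
{
    const size_t need = SRTP_MASTER_KEY_LEN + SRTP_MASTER_SALT_LEN;
    if (out == NULL || out_len < need)
        return -1;
    return secure_random_bytes(out, need);
}
```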

