Package: src:linphone
Severity: important
Tags: security

Linphone uses libsrtp crypto_get_random() call in ortp_srtp.c:
https://sources.debian.net/src/linphone/3.6.1-2.4/oRTP/src/ortp_srtp.c/?hl=275#L275

Libsrtp developers will drop that call in next major release of libsrtp:
https://github.com/cisco/libsrtp/commit/339b61d

Since the reason is described as that the implementation is mediocre, it would probably be wise - not only for future compatibility but also to improve security - to patch (or discuss with your upstream) to use a different source for randomness.

...and also, please consider to actually (build-depend on libsrtp-dev and) enable srtp support in the binary build for Debian ;-)

 - Jonas

