Your message dated Fri, 08 Apr 2016 09:48:18 +0000
with message-id <e1aot1w-0004ad...@franck.debian.org>
and subject line Bug#807698: fixed in srtp 1.4.5~20130609~dfsg-1.1+deb8u1
has caused the Debian Bug report #807698,
regarding srtp: CVE-2015-6360: Prevent potential DoS attack due to lack of
bounds checking on RTP header CSRC count and extension header length
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
807698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807698
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: srtp
Version: 1.4.5~20130609~dfsg-1.1
Severity: grave
Tags: security
Hi,
From what I figured out, it seems the 1.4 series is also affected by
CVE-2015-6360. While there is no AEAD mode, srtp_unprotect needs the
patch nevertheless. See:
https://security-tracker.debian.org/tracker/CVE-2015-6360
for a list of patches.
Cheers,
-- Guido
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'),
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: srtp
Source-Version: 1.4.5~20130609~dfsg-1.1+deb8u1
We believe that the bug you reported is fixed in the latest version of
srtp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 807...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated srtp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 01 Apr 2016 18:59:17 +0200
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source all amd64
Version: 1.4.5~20130609~dfsg-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Markus Koschany <a...@debian.org>
Description:
libsrtp0 - Secure RTP (SRTP) and UST Reference Implementations - shared libr
libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations -
development
srtp-docs - Secure RTP (SRTP) and UST Reference Implementations - documentati
srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Closes: 807698
Changes:
srtp (1.4.5~20130609~dfsg-1.1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload.
* Add CVE-2015-6360.patch.
Prevent potential DoS attack due to lack of bounds checking on RTP header
CSRC count and extension header length. (Closes: #807698)
Checksums-Sha1:
5d15f647dda178828c786560c814caf06acb1cde 2411
srtp_1.4.5~20130609~dfsg-1.1+deb8u1.dsc
1276b78ad6d6c8d16a1c4cee0bf29b7fba41d72c 251824
srtp_1.4.5~20130609~dfsg.orig.tar.gz
d8ec48cd5337cca30a20db04a48a0fe7482ef736 14520
srtp_1.4.5~20130609~dfsg-1.1+deb8u1.debian.tar.xz
e919fdead3c6ff64dd2204116c832447f3b97797 237976
srtp-docs_1.4.5~20130609~dfsg-1.1+deb8u1_all.deb
e77cc49c24067d45be2a2da6e9891bbc81d0e513 93474
libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
a9e0e83b85e0d02d79e07c568918332a5eeae03c 65154
libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
c065753813f5ce32b3879400fbf11222cf541c18 101224
srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
Checksums-Sha256:
07a5889fdd719369e7b1953f3c1ba1cd4de14c564a1257aa5516756c92ae4319 2411
srtp_1.4.5~20130609~dfsg-1.1+deb8u1.dsc
32083ced5621613a0190e4f0d5e7486aa0deb7d3a8f02d7d8bb45c57d0920584 251824
srtp_1.4.5~20130609~dfsg.orig.tar.gz
64566be5e36141bc42637434733c17de3ee9c6cb56ec8e822c4825e1f0dc058f 14520
srtp_1.4.5~20130609~dfsg-1.1+deb8u1.debian.tar.xz
e85c369a98cfa29187d8184c5d4d1adef250decaebee68917a9ac8fc03bd78f1 237976
srtp-docs_1.4.5~20130609~dfsg-1.1+deb8u1_all.deb
be4bed57687c6ebf363b0b1236605c3c8dfdbb1403039946354b906ec6ec2f3b 93474
libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
f093edf30ed905e316c64727ff9ccac38946c1185fafa74f8ed6741338e0b5ef 65154
libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
dff65254de5f051a962f61922234e646c87e158bda4a2a7e857992961a9bdbce 101224
srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
Files:
5811f569563aecb0862269589ca188cc 2411 libs optional
srtp_1.4.5~20130609~dfsg-1.1+deb8u1.dsc
ed80a9530f8d12d8332897b246f27151 251824 libs optional
srtp_1.4.5~20130609~dfsg.orig.tar.gz
3ff1bf14fc81280f00604a274c58aa95 14520 libs optional
srtp_1.4.5~20130609~dfsg-1.1+deb8u1.debian.tar.xz
ecaf9e10abd61a3b08498a9965739db3 237976 doc optional
srtp-docs_1.4.5~20130609~dfsg-1.1+deb8u1_all.deb
47de898233bc36527093ab7fad764609 93474 libdevel optional
libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
9f945d68c3ef40dfffd3846d7504ba23 65154 libs optional
libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
979fa4536a7794c173d7f296de3970ec 101224 libs optional
srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
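The changelog entry above names the missing check: the CSRC count and the extension header length are fields read straight from the packet, so they must be validated against the packet length before they are used to compute where the header ends, otherwise a short packet claiming a large header makes the parser read past the buffer. The following C snippet is an added illustration for this page, not libsrtp's srtp_unprotect and not the Debian patch; the packet layout follows RFC 3550, the function name rtp_header_length and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3550 fixed RTP header: V/P/X/CC, M/PT, seq, timestamp, SSRC = 12 bytes. */
#define RTP_FIXED_HDR_LEN 12

/* Returns the total RTP header length (fixed header + CSRC list + optional
 * extension), or -1 if the header claims more CSRCs or extension bytes than
 * the packet actually holds. Every length derived from packet bytes is
 * compared against pkt_len before it is used; that comparison is the bounds
 * check the changelog refers to. (Illustrative code, not libsrtp's.) */
long rtp_header_length(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < RTP_FIXED_HDR_LEN)
        return -1;
    if ((pkt[0] >> 6) != 2)            /* version field must be 2 */
        return -1;

    unsigned cc = pkt[0] & 0x0f;       /* CSRC count, 0..15 */
    unsigned x  = (pkt[0] >> 4) & 0x01; /* header extension present? */
    size_t hdr_len = RTP_FIXED_HDR_LEN + (size_t)cc * 4;

    /* The CSRC list must fit inside the packet. */
    if (hdr_len > pkt_len)
        return -1;

    if (x) {
        /* Extension header: 16-bit profile, then 16-bit length in 32-bit words. */
        if (pkt_len - hdr_len < 4)
            return -1;
        unsigned ext_words = ((unsigned)pkt[hdr_len + 2] << 8) | pkt[hdr_len + 3];
        size_t ext_len = 4 + (size_t)ext_words * 4;
        if (ext_len > pkt_len - hdr_len) /* extension claims bytes we do not have */
            return -1;
        hdr_len += ext_len;
    }
    return (long)hdr_len;
}

/* Constructed sample packets (not captured traffic). */
/* V=2, CC=0, X=0: bare fixed header. */
const uint8_t pkt_plain[12] = { 0x80, 0x60, 0, 1, 0, 0, 0, 1, 0x11, 0x22, 0x33, 0x44 };
/* V=2, CC=2 with both CSRCs present, then 4 payload bytes: header is 20. */
const uint8_t pkt_csrc[24] = { 0x82, 0x60, 0, 1, 0, 0, 0, 1, 0x11, 0x22, 0x33, 0x44,
                               0xaa, 0xaa, 0xaa, 0xaa, 0xbb, 0xbb, 0xbb, 0xbb, 1, 2, 3, 4 };
/* V=2, CC=15 but only 12 bytes on the wire: must be rejected. */
const uint8_t pkt_bad_cc[12] = { 0x8f, 0x60, 0, 1, 0, 0, 0, 1, 0x11, 0x22, 0x33, 0x44 };
/* V=2, X=1, extension length field says 0xffff words: must be rejected. */
const uint8_t pkt_bad_ext[20] = { 0x90, 0x60, 0, 1, 0, 0, 0, 1, 0x11, 0x22, 0x33, 0x44,
                                  0xbe, 0xde, 0xff, 0xff, 0, 0, 0, 0 };
/* V=2, X=1, one-word extension, then 4 payload bytes: header is 12 + 4 + 4 = 20. */
const uint8_t pkt_ext[24] = { 0x90, 0x60, 0, 1, 0, 0, 0, 1, 0x11, 0x22, 0x33, 0x44,
                              0xbe, 0xde, 0x00, 0x01, 0, 0, 0, 0, 1, 2, 3, 4 };

int main(void)
{
    printf("plain   : %ld\n", rtp_header_length(pkt_plain, sizeof pkt_plain));
    printf("csrc    : %ld\n", rtp_header_length(pkt_csrc, sizeof pkt_csrc));
    printf("bad cc  : %ld\n", rtp_header_length(pkt_bad_cc, sizeof pkt_bad_cc));
    printf("bad ext : %ld\n", rtp_header_length(pkt_bad_ext, sizeof pkt_bad_ext));
    printf("ext     : %ld\n", rtp_header_length(pkt_ext, sizeof pkt_ext));
    return 0;
}
```

A caller that trusts the computed header length (for instance to locate the payload before authenticating it) should treat -1 as "drop the packet"; a malformed header that passes the check still yields an offset that lies within the buffer, which is the property the fix restores.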