Your message dated Tue, 07 Feb 2023 08:39:24 +0000
with message-id <[email protected]>
and subject line Bug#1014998: fixed in ring 20230206.0~ds1-1
has caused the Debian Bug report #1014998,
regarding ring: CVE-2021-32686 CVE-2021-37706 CVE-2022-21723 CVE-2022-23608
CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303
CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-24754 CVE-2022-24763
CVE-2022-24764 CVE-2022-24793
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ring
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for ring.
CVE-2021-32686[0]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1,
| there are a couple of issues found in the SSL socket. First, a race
| condition between callback and destroy, due to the accepted socket
| having no group lock. Second, the SSL socket parent/listener may get
| destroyed during handshake. Both issues were reported to happen
| intermittently in heavy load TLS connections. They cause a crash,
| resulting in a denial of service. These are fixed in version 2.11.1.
https://downloads.asterisk.org/pub/security/AST-2021-009.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
https://github.com/pjsip/pjproject/pull/2716
CVE-2021-37706[1]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the
| incoming STUN message contains an ERROR-CODE attribute, the header
| length is not checked before performing a subtraction operation,
| potentially resulting in an integer underflow scenario. This issue
| affects all users that use STUN. A malicious actor located within the
| victim's network may forge and send a specially crafted UDP
| (STUN) message that could remotely execute arbitrary code on the
| victim's machine. Users are advised to upgrade as soon as
| possible. There are no known workarounds.
https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-004.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865
CVE-2022-21723[2]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior,
| parsing an incoming SIP message that contains a malformed multipart
| can potentially cause out-of-bound read access. This issue affects all
| PJSIP users that accept SIP multipart. The patch is available as
| commit in the `master` branch. There are no known workarounds.
https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-006.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896
CVE-2022-23608[3]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including
| 2.11.1 when in a dialog set (or forking) scenario, a hash key shared
| by multiple UAC dialogs can potentially be prematurely freed when one
| of the dialogs is destroyed. The issue may cause a dialog set to be
| registered in the hash table multiple times (with different hash keys),
| leading to undefined behavior such as dialog list collision which
| eventually leads to an endless loop. A patch is available in commit
| db3235953baa56d2fb0e276ca510fefca751643f which will be included in the
| next release. There are no known workarounds for this issue.
https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/AST-2022-005.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
CVE-2021-43299[4]:
| Stack overflow in PJSUA API when calling pjsua_player_create. An
| attacker-controlled 'filename' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.
https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43300[5]:
| Stack overflow in PJSUA API when calling pjsua_recorder_create. An
| attacker-controlled 'filename' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.
https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43301[6]:
| Stack overflow in PJSUA API when calling pjsua_playlist_create. An
| attacker-controlled 'file_names' argument may cause a buffer overflow
| since it is copied to a fixed-size stack buffer without any size
| validation.
https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43302[7]:
| Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An
| attacker-controlled 'filename' argument may cause an out-of-bounds
| read when the filename is shorter than 4 characters.
https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43303[8]:
| Buffer overflow in PJSUA API when calling pjsua_call_dump. An
| attacker-controlled 'buffer' argument may cause a buffer overflow,
| since supplying an output buffer smaller than 128 characters may
| overflow the output buffer, regardless of the 'maxlen' argument
| supplied.
https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43804[9]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the
| incoming RTCP BYE message contains a reason's length, this declared
| length is not checked against the actual received packet size,
| potentially resulting in an out-of-bound read access. This issue
| affects all users that use PJMEDIA and RTCP. A malicious actor can
| send an RTCP BYE message with an invalid reason length. Users are
| advised to upgrade as soon as possible. There are no known
| workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e
CVE-2021-43845[10]:
| PJSIP is a free and open source multimedia communication library. In
| version 2.11.1 and prior, if an incoming RTCP XR message contains a block,
| the data field is not checked against the received packet size,
| potentially resulting in an out-of-bound read access. This affects all
| users that use PJMEDIA and RTCP XR. A malicious actor can send an RTCP
| XR message with an invalid packet size.
https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh
https://github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859
https://github.com/pjsip/pjproject/pull/2924
CVE-2022-21722[11]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there
| are various cases where it is possible that certain incoming RTP/RTCP
| packets can potentially cause out-of-bound read access. This issue
| affects all users that use PJMEDIA and accept incoming RTP/RTCP. A
| patch is available as a commit in the `master` branch. There are no
| known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a
CVE-2022-24754[12]:
| PJSIP is a free and open source multimedia communication library
| written in C language. In PJSIP versions prior to and including 2.12,
| there is a stack-buffer overflow vulnerability which only impacts
| PJSIP users who accept hashed digest credentials (credentials with
| data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in
| the master branch of the PJSIP repository and will be included with
| the next release. Users unable to upgrade need to check that the
| hashed digest data length must be equal to `PJSIP_MD5STRLEN` before
| passing to PJSIP.
https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662
https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47
CVE-2022-24763[13]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a
| denial-of-service vulnerability that affects PJSIP users that consume PJSIP's
| XML parsing in their apps. Users are advised to update. There are no
| known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21
CVE-2022-24764[14]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00
CVE-2022-24793[15]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that use PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32686
[1] https://security-tracker.debian.org/tracker/CVE-2021-37706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37706
[2] https://security-tracker.debian.org/tracker/CVE-2022-21723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21723
[3] https://security-tracker.debian.org/tracker/CVE-2022-23608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23608
[4] https://security-tracker.debian.org/tracker/CVE-2021-43299
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43299
[5] https://security-tracker.debian.org/tracker/CVE-2021-43300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43300
[6] https://security-tracker.debian.org/tracker/CVE-2021-43301
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43301
[7] https://security-tracker.debian.org/tracker/CVE-2021-43302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43302
[8] https://security-tracker.debian.org/tracker/CVE-2021-43303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43303
[9] https://security-tracker.debian.org/tracker/CVE-2021-43804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43804
[10] https://security-tracker.debian.org/tracker/CVE-2021-43845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43845
[11] https://security-tracker.debian.org/tracker/CVE-2022-21722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21722
[12] https://security-tracker.debian.org/tracker/CVE-2022-24754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24754
[13] https://security-tracker.debian.org/tracker/CVE-2022-24763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[14] https://security-tracker.debian.org/tracker/CVE-2022-24764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[15] https://security-tracker.debian.org/tracker/CVE-2022-24793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793
Please adjust the affected versions in the BTS as needed.
--- End Message ---
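The STUN ERROR-CODE issue above (CVE-2021-37706) comes down to subtracting the attribute's fixed 4-byte part from an attribute length that was never checked to be at least 4. The following parser is an added illustration, not pjproject's code and not its actual fix: it walks one ERROR-CODE attribute with the bounds checks in the order a defensive implementation needs them, and the function names and the sample byte strings are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STUN_ATTR_ERROR_CODE 0x0009   /* RFC 5389 section 15.6 */

/* TRUNCATED: header or value runs past the packet; BAD_LENGTH: value shorter than its 4-byte fixed part. */
enum stun_parse_status { STUN_OK = 0, STUN_ERR_TRUNCATED, STUN_ERR_WRONG_TYPE, STUN_ERR_BAD_LENGTH };

/* code = class * 100 + number (e.g. 401); reason points into the packet and is not NUL-terminated. */
struct stun_error_code { unsigned code; const uint8_t *reason; size_t reason_len; };

/* Parse one ERROR-CODE attribute (4-byte TLV header + value) from buf[0..len).
 * out may be NULL when only the verdict is wanted. Hypothetical helper, not a PJSIP API. */
enum stun_parse_status
stun_parse_error_code_attr(const uint8_t *buf, size_t len, struct stun_error_code *out)
{
    if (len < 4) return STUN_ERR_TRUNCATED;
    uint16_t type = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t attr_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (type != STUN_ATTR_ERROR_CODE) return STUN_ERR_WRONG_TYPE;
    if ((size_t)attr_len > len - 4) return STUN_ERR_TRUNCATED;
    /* Bug class behind CVE-2021-37706: computing `attr_len - 4` unguarded.
     * For attr_len = 2 the unsigned result wraps to SIZE_MAX - 1, so the
     * reason phrase is read far past the packet. Check before subtracting. */
    if (attr_len < 4) return STUN_ERR_BAD_LENGTH;
    if (out) {
        const uint8_t *v = buf + 4;
        out->code = (unsigned)(v[2] & 0x07) * 100u + v[3];
        out->reason = v + 4;
        out->reason_len = (size_t)attr_len - 4;
    }
    return STUN_OK;
}

/* Parsed error code, or 0 when the attribute is rejected. */
unsigned stun_code(const uint8_t *buf, size_t len)
{
    struct stun_error_code ec;
    return stun_parse_error_code_attr(buf, len, &ec) == STUN_OK ? ec.code : 0;
}

/* Constructed sample attributes, not captured traffic. */
static const uint8_t SAMPLE_OK[] = {0x00,0x09,0x00,0x0A, 0x00,0x00,0x04,0x01, 'U','n','a','u','t','h'};
static const uint8_t SAMPLE_SHORT[] = {0x00,0x09,0x00,0x02, 0x00,0x00};           /* length 2 < 4 */
static const uint8_t SAMPLE_TRUNC[] = {0x00,0x09,0x00,0x20, 0x00,0x00,0x04,0x01}; /* claims 32 bytes */

int main(void)
{
    printf("ok=%d short=%d trunc=%d code=%u\n",
           stun_parse_error_code_attr(SAMPLE_OK, sizeof SAMPLE_OK, NULL),
           stun_parse_error_code_attr(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL),
           stun_parse_error_code_attr(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, NULL),
           stun_code(SAMPLE_OK, sizeof SAMPLE_OK));
    return 0;
}
```

The same "validate the declared length against what was actually received before using it" ordering is what the RTCP BYE and RTCP XR entries above (CVE-2021-43804, CVE-2021-43845) call for as well.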
--- Begin Message ---
Source: ring
Source-Version: 20230206.0~ds1-1
Done: Amin Bandali <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ring, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Amin Bandali <[email protected]> (supplier of updated ring package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 07 Feb 2023 02:31:49 -0500
Source: ring
Architecture: source
Version: 20230206.0~ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Amin Bandali <[email protected]>
Closes: 984321 1005702 1008728 1014998 1017005 1018129 1019112
Changes:
ring (20230206.0~ds1-1) unstable; urgency=medium
.
[ Amin Bandali ]
* New upstream version 20230206.0.
(Closes: #984321, #1014998, #1008728, #1017005, #1018129)
* The 'jami' package now offers the Jami Qt client, as it has been
the main and only actively developed Jami client on GNU/Linux.
The C++ sources for the Qt client are in src/app/, libjamiclient
(formerly libringclient or LRC) sources are in src/libclient/,
and Jami daemon/library sources are under daemon/.
* debian/control: Change libargon2-0-dev to libargon2-dev in
Builds-Depends (Closes: #1005702). Change libmsgpack-dev to
libmsgpack-cxx-dev (Closes: #1019112). Add new build dependency
qml6-module-qtquick3d-spatialaudio to Build-Depends. Also, drop
remnants of old 'ring' transitional packages in 'Replaces' and
'Breaks'. Lastly, require opendht >= 2.4.12-4, because the recent
versions with the static library are currently unusable by Jami
due to an unforeseen side-effect of one of the dropped patches.
This is remedied and no longer relevant with opendht >= 2.4.12-4
which ships a shared library instead.
* debian/copyright: Update Files-Excluded to correspond to what is
currently included in upstream release tarballs, and sort them
alphabetically. Further, update all Files fields to reflect the
directory structure change, namely Jami Qt client now being the
top-level of the repository.
* debian/rules: Reflect and adapt to the change of upstream release
tarballs' root directory name and structure.
* debian/watch: Use 'dversionmangle=auto' instead of hard-coding
the Debian version pattern (see uscan(1)) and update the release
tarball filename prefix from 'jami_' to 'jami-'.
[ Petter Reinholdtsen ]
* Switched to consistent debhelper 12 dependency.
.
* Upload sponsored by Petter Reinholdtsen.
--- End Message ---