From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 14 17:37:07 2021
From: Mark H Weaver
To: bug-guix@gnu.org
Cc: Léo Le Bouter
Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
Date: Sun, 14 Mar 2021 17:35:32 -0400
Message-ID: <87a6r5s9j4.fsf@netris.org>

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

      Mark

-------------------- Start of forwarded message --------------------
Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
From: Léo Le Bouter
To: guix-devel@gnu.org
Date: Thu, 11 Mar 2021 03:30:42 +0100

CVE-2021-21375

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service.

CVE-2020-15260

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIP transports can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication. Suppose we have created a TLS connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we want to create a TLS connection to another hostname, say `sip.bar.com`, which has the same IP address, then it will reuse that existing connection, even though `100.1.1.1` does not have a certificate to authenticate as `sip.bar.com`. The vulnerability allows for an insecure interaction without user awareness.

It affects users who need access to connections to different destinations that translate to the same address, and allows a man-in-the-middle attack if an attacker can route a connection to another destination, such as in the case of DNS spoofing.

Upstream has not made a release yet; I advise we wait for a release on their end and then upgrade. To be monitored.

-------------------- End of forwarded message --------------------
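The reuse rule described for CVE-2020-15260 above, modelled as an added example that is not part of this bug report or of PJSIP's own code: a toy transport cache in C with the address-only lookup (IP + port + protocol) beside a lookup that, for TLS, also requires the hostname the peer certificate was verified against. The type and function names (transport_pool_t, find_weak, find_strict, pool_add), the pool size and the port numbers are assumptions of the example; the hostnames and address are the ones from the advisory text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRANSPORTS 8

/* Constructed model of a SIP transport cache; illustrative only, not PJSIP's
 * own data structures. A TLS transport records the hostname that the peer
 * certificate was verified against; non-TLS transports leave it empty. */
typedef struct {
    bool     in_use;
    char     ip[46];        /* printable IPv4/IPv6 address */
    uint16_t port;
    char     proto[8];      /* "udp", "tcp" or "tls" */
    char     hostname[256]; /* verified peer name, TLS only */
} transport_t;

typedef struct {
    transport_t slots[MAX_TRANSPORTS];
} transport_pool_t;

static void pool_init(transport_pool_t *p) { memset(p, 0, sizeof *p); }

static bool addr_matches(const transport_t *t, const char *ip, uint16_t port,
                         const char *proto) {
    return t->in_use && t->port == port && strcmp(t->ip, ip) == 0 &&
           strcmp(t->proto, proto) == 0;
}

/* Reuse keyed on IP + port + protocol only: the insufficient rule the
 * advisory describes for 2.10 and earlier. */
static transport_t *find_weak(transport_pool_t *p, const char *ip,
                              uint16_t port, const char *proto) {
    for (int i = 0; i < MAX_TRANSPORTS; i++)
        if (addr_matches(&p->slots[i], ip, port, proto))
            return &p->slots[i];
    return NULL;
}

/* Hardened reuse: a TLS transport may only be shared with a destination whose
 * hostname equals the one its certificate was verified for. Any other name
 * gets NULL, i.e. the caller must open (and verify) a new connection. */
static transport_t *find_strict(transport_pool_t *p, const char *ip,
                                uint16_t port, const char *proto,
                                const char *hostname) {
    for (int i = 0; i < MAX_TRANSPORTS; i++) {
        transport_t *t = &p->slots[i];
        if (!addr_matches(t, ip, port, proto))
            continue;
        if (strcmp(proto, "tls") != 0)
            return t; /* no certificate involved, address key is enough */
        if (hostname != NULL && strcmp(t->hostname, hostname) == 0)
            return t;
    }
    return NULL;
}

/* Record a freshly established transport; NULL if the pool is full or a
 * field would not fit. */
static transport_t *pool_add(transport_pool_t *p, const char *ip, uint16_t port,
                             const char *proto, const char *hostname) {
    if (strlen(ip) >= sizeof p->slots[0].ip ||
        strlen(proto) >= sizeof p->slots[0].proto)
        return NULL;
    if (hostname != NULL && strlen(hostname) >= sizeof p->slots[0].hostname)
        return NULL;
    for (int i = 0; i < MAX_TRANSPORTS; i++) {
        transport_t *t = &p->slots[i];
        if (t->in_use)
            continue;
        t->in_use = true;
        strcpy(t->ip, ip);
        t->port = port;
        strcpy(t->proto, proto);
        strcpy(t->hostname, hostname ? hostname : "");
        return t;
    }
    return NULL;
}

/* Walk the advisory's scenario: sip.foo.com and sip.bar.com share 100.1.1.1.
 * True when the weak rule would hand foo's TLS transport to bar while the
 * strict rule refuses it but still reuses it for foo itself. */
static bool scenario_shows_fix(void) {
    transport_pool_t pool;
    pool_init(&pool);
    if (pool_add(&pool, "100.1.1.1", 5061, "tls", "sip.foo.com") == NULL)
        return false;
    bool weak_reuses   = find_weak(&pool, "100.1.1.1", 5061, "tls") != NULL;
    bool strict_bar    = find_strict(&pool, "100.1.1.1", 5061, "tls", "sip.bar.com") != NULL;
    bool strict_foo    = find_strict(&pool, "100.1.1.1", 5061, "tls", "sip.foo.com") != NULL;
    return weak_reuses && !strict_bar && strict_foo;
}

int main(void) {
    printf("address-only rule reuses foo's TLS transport for bar, strict rule does not: %s\n",
           scenario_shows_fix() ? "yes" : "no");
    return 0;
}
```

The point of the strict finder is that the cache key for a TLS transport must include the identity that was actually authenticated, not just where the bytes went; for UDP or plain TCP nothing was authenticated, so the address triple remains the whole key.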
From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #47143
Date: Mon, 15 Mar 2021 14:43:01 +0100
Message-Id: <87pn00h6sa.fsf@gnu.org>

tags 47143 + security
quit
From: Leo Famulari
To: control@debbugs.gnu.org
Date: Wed, 24 Mar 2021 00:06:25 -0400

block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
From: Léo Le Bouter
To: 47143-done@debbugs.gnu.org
Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
Date: Mon, 05 Apr 2021 23:01:17 +0200

Upstream released 2.11 which fixed the issue.

Update to 2.11 pushed as 45136b3673bcdba21fa0d1fd6edb3d388a645fcc

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 04 May 2021 11:24:06 +0000

bug archived.