[SECURITY] [DLA 393-1] srtp security update

2016-01-1818:26:25

lists.debian.org

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.026 Low

EPSS

Percentile

90.3%

JSON

Package : srtp
Version : 1.4.4~dfsg-6+deb6u2
CVE ID : CVE-2015-6360

Prevent potential DoS attack due to lack of bounds checking on RTP header
CSRC count and extension header length. Credit goes to Randell Jesup and
the Firefox team for reporting this issue.

(As there is no aead mode available in the Squeeze version,
only srtp_unprotect() needed to be patched)

OSVersionArchitecturePackageVersionFilename
Debian8i386srtp-utils< 1.4.5~20130609~dfsg-1.1+deb8u1srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_i386.deb
Debian6allsrtp-docs< 1.4.4~dfsg-6+deb6u2srtp-docs_1.4.4~dfsg-6+deb6u2_all.deb
Debian8kfreebsd-amd64libsrtp0-dev< 1.4.5~20130609~dfsg-1.1+deb8u1libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_kfreebsd-amd64.deb
Debian7mipsellibsrtp0< 1.4.4+20100615~dfsg-2+deb7u2libsrtp0_1.4.4+20100615~dfsg-2+deb7u2_mipsel.deb
Debian8mipsellibsrtp0-dev< 1.4.5~20130609~dfsg-1.1+deb8u1libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_mipsel.deb
Debian8armhflibsrtp0-dev< 1.4.5~20130609~dfsg-1.1+deb8u1libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_armhf.deb
Debian7kfreebsd-amd64libsrtp0-dev< 1.4.4+20100615~dfsg-2+deb7u2libsrtp0-dev_1.4.4+20100615~dfsg-2+deb7u2_kfreebsd-amd64.deb
Debian8armhflibsrtp0< 1.4.5~20130609~dfsg-1.1+deb8u1libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_armhf.deb
Debian7kfreebsd-i386srtp-utils< 1.4.4+20100615~dfsg-2+deb7u2srtp-utils_1.4.4+20100615~dfsg-2+deb7u2_kfreebsd-i386.deb
Debian8i386libsrtp0< 1.4.5~20130609~dfsg-1.1+deb8u1libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	i386	srtp-utils	< 1.4.5~20130609~dfsg-1.1+deb8u1	srtp-utils_1.4.5~20130609~dfsg-1.1+deb8u1_i386.deb
Debian	6	all	srtp-docs	< 1.4.4~dfsg-6+deb6u2	srtp-docs_1.4.4~dfsg-6+deb6u2_all.deb
Debian	8	kfreebsd-amd64	libsrtp0-dev	< 1.4.5~20130609~dfsg-1.1+deb8u1	libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_kfreebsd-amd64.deb
Debian	7	mipsel	libsrtp0	< 1.4.4+20100615~dfsg-2+deb7u2	libsrtp0_1.4.4+20100615~dfsg-2+deb7u2_mipsel.deb
Debian	8	mipsel	libsrtp0-dev	< 1.4.5~20130609~dfsg-1.1+deb8u1	libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_mipsel.deb
Debian	8	armhf	libsrtp0-dev	< 1.4.5~20130609~dfsg-1.1+deb8u1	libsrtp0-dev_1.4.5~20130609~dfsg-1.1+deb8u1_armhf.deb
Debian	7	kfreebsd-amd64	libsrtp0-dev	< 1.4.4+20100615~dfsg-2+deb7u2	libsrtp0-dev_1.4.4+20100615~dfsg-2+deb7u2_kfreebsd-amd64.deb
Debian	8	armhf	libsrtp0	< 1.4.5~20130609~dfsg-1.1+deb8u1	libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_armhf.deb
Debian	7	kfreebsd-i386	srtp-utils	< 1.4.4+20100615~dfsg-2+deb7u2	srtp-utils_1.4.4+20100615~dfsg-2+deb7u2_kfreebsd-i386.deb
Debian	8	i386	libsrtp0	< 1.4.5~20130609~dfsg-1.1+deb8u1	libsrtp0_1.4.5~20130609~dfsg-1.1+deb8u1_i386.deb