[SECURITY] [DSA 2840-1] srtp security update

2014-01-1017:48:09

lists.debian.org

2.6 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:N/A:P

7.5 High

AI Score

Confidence

High

0.016 Low

EPSS

Percentile

87.3%

JSON

Debian Security Advisory DSA-2840-1 [email protected]
http://www.debian.org/security/ Salvatore Bonaccorso
January 10, 2014 http://www.debian.org/security/faq

Package : srtp
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-2139
Debian Bug : 711163

Fernando Russ from Groundworks Technologies reported a buffer overflow
flaw in srtp, Cisco's reference implementation of the Secure Real-time
Transport Protocol (SRTP), in how the
crypto_policy_set_from_profile_for_rtp() function applies
cryptographic profiles to an srtp_policy. A remote attacker could
exploit this vulnerability to crash an application linked against
libsrtp, resulting in a denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.4.4~dfsg-6+deb6u1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4.4+20100615~dfsg-2+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 1.4.5~20130609~dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.5~20130609~dfsg-1.

We recommend that you upgrade your srtp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7mipsellibsrtp0-dev< 1.4.4+20100615~dfsg-2+deb7u1libsrtp0-dev_1.4.4+20100615~dfsg-2+deb7u1_mipsel.deb
Debian7mipslibsrtp0< 1.4.4+20100615~dfsg-2+deb7u1libsrtp0_1.4.4+20100615~dfsg-2+deb7u1_mips.deb
Debian7allsrtp-docs< 1.4.4+20100615~dfsg-2+deb7u1srtp-docs_1.4.4+20100615~dfsg-2+deb7u1_all.deb
Debian6i386libsrtp0-dev< 1.4.4~dfsg-6+deb6u1libsrtp0-dev_1.4.4~dfsg-6+deb6u1_i386.deb
Debian6armellibsrtp0< 1.4.4~dfsg-6+deb6u1libsrtp0_1.4.4~dfsg-6+deb6u1_armel.deb
Debian7armhfsrtp-utils< 1.4.4+20100615~dfsg-2+deb7u1srtp-utils_1.4.4+20100615~dfsg-2+deb7u1_armhf.deb
Debian6kfreebsd-i386libsrtp0< 1.4.4~dfsg-6+deb6u1libsrtp0_1.4.4~dfsg-6+deb6u1_kfreebsd-i386.deb
Debian6mipslibsrtp0< 1.4.4~dfsg-6+deb6u1libsrtp0_1.4.4~dfsg-6+deb6u1_mips.deb
Debian7armellibsrtp0< 1.4.4+20100615~dfsg-2+deb7u1libsrtp0_1.4.4+20100615~dfsg-2+deb7u1_armel.deb
Debian7s390xlibsrtp0< 1.4.4+20100615~dfsg-2+deb7u1libsrtp0_1.4.4+20100615~dfsg-2+deb7u1_s390x.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	mipsel	libsrtp0-dev	< 1.4.4+20100615~dfsg-2+deb7u1	libsrtp0-dev_1.4.4+20100615~dfsg-2+deb7u1_mipsel.deb
Debian	7	mips	libsrtp0	< 1.4.4+20100615~dfsg-2+deb7u1	libsrtp0_1.4.4+20100615~dfsg-2+deb7u1_mips.deb
Debian	7	all	srtp-docs	< 1.4.4+20100615~dfsg-2+deb7u1	srtp-docs_1.4.4+20100615~dfsg-2+deb7u1_all.deb
Debian	6	i386	libsrtp0-dev	< 1.4.4~dfsg-6+deb6u1	libsrtp0-dev_1.4.4~dfsg-6+deb6u1_i386.deb
Debian	6	armel	libsrtp0	< 1.4.4~dfsg-6+deb6u1	libsrtp0_1.4.4~dfsg-6+deb6u1_armel.deb
Debian	7	armhf	srtp-utils	< 1.4.4+20100615~dfsg-2+deb7u1	srtp-utils_1.4.4+20100615~dfsg-2+deb7u1_armhf.deb
Debian	6	kfreebsd-i386	libsrtp0	< 1.4.4~dfsg-6+deb6u1	libsrtp0_1.4.4~dfsg-6+deb6u1_kfreebsd-i386.deb
Debian	6	mips	libsrtp0	< 1.4.4~dfsg-6+deb6u1	libsrtp0_1.4.4~dfsg-6+deb6u1_mips.deb
Debian	7	armel	libsrtp0	< 1.4.4+20100615~dfsg-2+deb7u1	libsrtp0_1.4.4+20100615~dfsg-2+deb7u1_armel.deb
Debian	7	s390x	libsrtp0	< 1.4.4+20100615~dfsg-2+deb7u1	libsrtp0_1.4.4+20100615~dfsg-2+deb7u1_s390x.deb