Bug 17540

Summary: srtp new security issue CVE-2015-6360
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, davidwhodgins, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/672436/
Whiteboard: advisory MGA5-64-OK
Source RPM: srtp-1.4.5-0.20130723.4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-01-19 19:38:54 CET 
Debian-LTS has issued an advisory on January 18:
http://lwn.net/Alerts/672422/

The issue is fixed upstream in 1.5.3.

Update package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated srtp packages fix security vulnerability:

Srtp before 1.5.3 is vulnerable to a potential DoS attack due to lack of bounds
checking on RTP header CSRC count and extension header length (CVE-2015-6360).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6360
http://lwn.net/Alerts/672422/
========================

Updated packages in core/updates_testing:
========================
srtp-1.4.5-0.20130723.5.mga5

from srtp-1.4.5-0.20130723.5.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Dave Hodgins 2016-01-20 00:32:05 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Lewis Smith 2016-01-23 21:28:16 CET 
Testing M5 x64

The package is described thus: "srtp - Secure Real-time Transport Protocol (SRTP)
SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. It is specified in RFC 3711."
Nothing for RTP itself.

Following advice in Bug 14200 Comment 2 & Comment 3, I simply installed this and updated it.
 # urpmq --whatrequires srtp
 srtp
shows it is not required (used?) by anything else.
BEFORE UPDATE
 srtp-1.4.5-0.20130723.4.mga5
AFTER UPDATE, which happened cleanly:
 srtp-1.4.5-0.20130723.5.mga5
Deemed OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Dave Hodgins 2016-01-28 19:56:13 CET

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-01-29 12:03:42 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0037.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED