Bug 30213

Summary: pjproject new security issues CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-4330[0-4], CVE-2021-43845, CVE-2022-2172[23], CVE-2022-23608, CVE-2022-24754, CVE-2022-2476[34], CVE-2022-2479[23]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Jani Välimaa <jani.valimaa>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: pjproject-2.10-5.3.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 2.12.1

David Walser 2022-03-29 00:31:26 CEST

Status comment: (none) => Fixed upstream in 2.12
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-03-29 20:53:36 CEST
Although this is not officially with you Jani, you alone have dealt with it for years, so it seems best to assign this to you.

Assignee: bugsquad => jani.valimaa
CC: jani.valimaa => (none)

Comment 2 David Walser 2022-04-04 22:31:39 CEST
Debian-LTS has issued an advisory on April 3:
https://www.debian.org/lts/security/2022/dla-2962-2

I don't know what else they fixed, because they forgot to fill it out :D

Comment 3 Jani Välimaa 2022-04-06 16:39:21 CEST
Fixed in cauldron with pjproject-2.12-1.mga9.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 David Walser 2022-04-06 16:51:48 CEST
Unless it's using system pjproject now, jami-daemon in Cauldron also needs fixed.

Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO

Comment 5 David Walser 2022-04-07 17:05:58 CEST
The current jami-daemon doesn't build because of issues with dbus-c++, so it may need to be updated or something.

Comment 6 David Walser 2022-06-02 23:49:02 CEST
Debian-LTS has issued an advisory today (June 2):
https://www.debian.org/lts/security/2022/dla-3036

The issues are fixed upstream in 2.12.1:
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4

Summary: pjproject new security issues CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-4330[0-4], CVE-2021-43845, CVE-2022-2172[23], CVE-2022-23608, CVE-2022-24754, CVE-2022-24764 => pjproject new security issues CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-4330[0-4], CVE-2021-43845, CVE-2022-2172[23], CVE-2022-23608, CVE-2022-24754, CVE-2022-2476[34], CVE-2022-2479[23]
Status comment: Fixed upstream in 2.12 => Fixed upstream in 2.12.1

Comment 7 Nicolas Salguero 2024-03-13 14:24:37 CET
Mageia 8 EOL.

CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: NEW => RESOLVED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8