Fedora has issued an advisory on December 31:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125885.html
More recently, OpenSuSE has issued an advisory for this on September 29:
http://lists.opensuse.org/opensuse-updates/2014-09/msg00059.html
Fedora's patch doesn't apply, but I haven't checked OpenSuSE's or Debian's. It's also fixed in 1.4.5 (in Mageia 4 and Cauldron), so maybe we could update it.
Debian's patch applies cleanly.
Patched package uploaded for Mageia 3.
Advisory:
========================
Updated srtp package fixes security vulnerability:
Fernando Russ from Groundworks Technologies reported a buffer overflow flaw in srtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), in how the crypto_policy_set_from_profile_for_rtp() function applies cryptographic profiles to an srtp_policy. A remote attacker could exploit this vulnerability to crash an application linked against libsrtp, resulting in a denial of service (CVE-2013-2139).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2139
https://www.debian.org/security/2014/dsa-2840
========================
Updated packages in core/updates_testing:
========================
srtp-1.4.4-3.1.mga3
from srtp-1.4.4-3.1.mga3.src.rpm
Assignee: fundawang => qa-bugs
This package only contains a static library, and is not BuildRequire'd by anything in Mageia 3 (it is BR'd by kopete in Mageia 4 and Cauldron). I'm not sure why this package even existed in Mageia 3. Anyway, for Mageia 3, there's nothing that can be tested, other than that it installs fine. Adding the OK for Mageia 3 i586.
Whiteboard: (none) => has_procedure MGA3-32-OK
An easy one then:
Before update testing:
# rpm -q srtp
srtp-1.4.4-3.mga3
After update testing:
# rpm -q srtp
srtp-1.4.4-3.1.mga3
CC: (none) => olchal
Whiteboard: has_procedure MGA3-32-OK => has_procedure MGA3-32-OK MGA3-64-OK
Sorry, in comment 3, that was Mageia3-64 real HW testing.
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0465.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED