Debian-LTS has issued an advisory on January 18:
http://lwn.net/Alerts/672422/

The issue is fixed upstream in 1.5.3.

Update package uploaded for Cauldron. Patched package uploaded for Mageia 5.

Advisory:
========================

Updated srtp packages fix security vulnerability:

Srtp before 1.5.3 is vulnerable to a potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length (CVE-2015-6360).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6360
http://lwn.net/Alerts/672422/
========================

Updated packages in core/updates_testing:
========================
srtp-1.4.5-0.20130723.5.mga5

from srtp-1.4.5-0.20130723.5.mga5.src.rpm
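
The class of check the advisory describes, as an added example that is not part of the original report and is not libsrtp's code or the upstream fix: before trusting the CSRC count and extension length fields (RTP header layout per RFC 3550), confirm the bytes they claim actually fit in the received packet. The function name `rtp_payload_offset` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HDR_LEN 12u   /* fixed RTP header size (RFC 3550) */

/* Hypothetical helper: returns the payload offset, or -1 when the CSRC
 * count or extension length claims more bytes than the packet holds. */
long rtp_payload_offset(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < RTP_FIXED_HDR_LEN)
        return -1;
    if ((pkt[0] >> 6) != 2)                    /* version must be 2 */
        return -1;

    size_t cc = pkt[0] & 0x0f;                 /* CSRC count, 0..15 */
    size_t off = RTP_FIXED_HDR_LEN + 4 * cc;   /* end of CSRC list */
    if (off > len)
        return -1;

    if (pkt[0] & 0x10) {                       /* X bit: extension present */
        if (len - off < 4)                     /* extension header itself */
            return -1;
        size_t words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (words * 4 > len - off)             /* extension body */
            return -1;
        off += words * 4;
    }
    return (long)off;
}

/* Constructed sample packets (unset bytes are zero). */
static const uint8_t ok_csrc[18] = { [0] = 0x81 };              /* CC=1 */
static const uint8_t bad_csrc[12] = { [0] = 0x8f };             /* CC=15, no CSRCs */
static const uint8_t ok_ext[21] = { [0] = 0x90, [15] = 0x01 };  /* 1 ext word */
static const uint8_t bad_ext[16] = { [0] = 0x90, [14] = 0xff, [15] = 0xff };

int main(void)
{
    printf("%ld %ld %ld %ld\n",
           rtp_payload_offset(ok_csrc, sizeof ok_csrc),
           rtp_payload_offset(bad_csrc, sizeof bad_csrc),
           rtp_payload_offset(ok_ext, sizeof ok_ext),
           rtp_payload_offset(bad_ext, sizeof bad_ext));
    return 0;
}
```

The length comparisons are written as `x > len - off` after `off <= len` has been established, so the subtraction cannot wrap.
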
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing M5 x64

The package is described thus:
"srtp - Secure Real-time Transport Protocol (SRTP)
SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. It is specified in RFC 3711."
Nothing for RTP itself.

Following advice in Bug 14200 Comment 2 & Comment 3, I simply installed this and updated it.

# urpmq --whatrequires srtp
srtp
shows it is not required (used?) by anything else.

BEFORE UPDATE
srtp-1.4.5-0.20130723.4.mga5

AFTER UPDATE, which happened cleanly:
srtp-1.4.5-0.20130723.5.mga5

Deemed OK.
CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0037.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED