openSUSE has issued an advisory on April 28: https://lists.opensuse.org/opensuse-updates/2017-04/msg00109.html Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
updated in cauldron
CC: (none) => mageia
Whiteboard: MGA5TOO => (none)
CVE: (none) => CVE-2016-10324, CVE-2016-10325, CVE-2016-10326, CVE-2017-7853
Version: Cauldron => 5
(In reply to Nicolas Lécureuil from comment #1)
> updated in cauldron
Thanks :-) Assigning to all packagers collectively for the Mga5, because it has no registered maintainer.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
updated in mga5:
srpms:
libosip2-5.0.0-2.mga5
siproxd-0.8.1-14.3.mga5
exosip-4.0.0-4.2.mga5
Assignee: pkg-bugs => qa-bugs
Full package list:
libosip2_12-5.0.0-2.mga5
libosip2-devel-5.0.0-2.mga5
siproxd-0.8.1-14.3.mga5
exosip-4.0.0-4.2.mga5
libexosip2_10-4.0.0-4.2.mga5
libexosip2-devel-4.0.0-4.2.mga5

from SRPMS:
libosip2-5.0.0-2.mga5.src.rpm
siproxd-0.8.1-14.3.mga5.src.rpm
exosip-4.0.0-4.2.mga5.src.rpm
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Not sure how to test. Info in MCC mentions support for linphone, but "urpmq --whatrequires" does not give any info. Took my chances, installed linphone and used my IP's VOIP settings in it and was able to make a call. However, the strace of linphone did not show anything I could recognize as part of these update packages.
CC: (none) => herman.viaene
Trying to find out what requires what (64-bit):
$ urpmq --whatrequires-recursive exosip
[nothing]
$ urpmq --whatrequires-recursive siproxd
[nothing]
$ urpmq --whatrequires-recursive lib64exosip2_10 [stays _10]
exosip
$ urpmq --whatrequires-recursive lib64osip2_10 [-> _12]
exosip, lib64exosip2_10, siproxd

exosip - Extended osip library [+ /usr/bin/sip_reg]
Exosip is a library that hides the complexity of using the SIP protocol for mutlimedia session establishement.

siproxd - A SIP masquerading proxy with RTP support [/usr/sbin/siproxd]
Siprox is an proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections possible via a masquerading firewall.

So now we know. I am just going to try for a clean update.
CC: (none) => lewyssmith
BTW I can find no previous bugs or updates for these things.

BEFORE the update, installed:
- exosip-4.0.0-4.mga5.x86_64
- lib64exosip2_10-4.0.0-4.mga5.x86_64
- lib64osip2_10-4.0.0-4.mga5.x86_64
- siproxd-0.8.1-14.mga5.x86_64

UPDATE to:
- exosip-4.0.0-4.2.mga5.x86_64
- lib64exosip2_10-4.0.0-4.2.mga5.x86_64 *** was NOT auto-required by exosip ***
- lib64osip2_12-5.0.0-2.mga5.x86_64
- siproxd-0.8.1-14.3.mga5.x86_64

Problem: both exosip & siproxd correctly required automatically lib64osip2_12-5.0.0-2; but selecting exosip did *not* automatically require lib64exosip2_10-4.0.0-4.2, although this was in the Updates Testing list. I selected it manually, but it should be auto-selected 'required' by exosip. Hence querying the update.

Despite which, after the update:
$ urpmq --whatrequires lib64exosip2_10
exosip
shows the correct dependency.
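A check a QA tester could script for the situation described in this comment, added here as an example and not code from the bug thread or from Mageia's tooling: it compares the expected package list from comment 4 against what is installed and flags a library left at the old version. The INSTALLED list is constructed to reproduce the lib64exosip2_10 case; the rpm query format it stands in for is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug thread: compare the package list a QA
# tester expects after the update (the "Full package list" in comment 4)
# against what is actually installed, and flag anything still at the old
# version or absent. INSTALLED is constructed to reproduce the case above:
# exosip and lib64osip2_12 were updated, lib64exosip2_10 was not selected.

# Expected name-version-release, from the bug's package list (x86_64 names)
EXPECTED='exosip-4.0.0-4.2.mga5
lib64exosip2_10-4.0.0-4.2.mga5
lib64osip2_12-5.0.0-2.mga5
siproxd-0.8.1-14.3.mga5'

# Constructed stand-in for: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
INSTALLED='exosip-4.0.0-4.2.mga5
lib64exosip2_10-4.0.0-4.mga5
lib64osip2_10-4.0.0-4.mga5
lib64osip2_12-5.0.0-2.mga5
siproxd-0.8.1-14.3.mga5'

# Strip the trailing -VERSION-RELEASE from an NVR, leaving the package name.
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# Print one line per expected package: "OK name", "OUTDATED name installed=nvr"
# or "MISSING name". Returns 1 if any package is not at the expected NVR.
check_update() {
    expected=$1; installed=$2; rc=0
    for nvr in $expected; do
        name=$(pkg_name "$nvr")
        found=$(printf '%s\n' "$installed" | grep "^$name-[^-]*-[^-]*$" | head -n 1)
        if [ -z "$found" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$found" != "$nvr" ]; then
            echo "OUTDATED $name installed=$found"; rc=1
        else
            echo "OK $name"
        fi
    done
    return $rc
}

if check_update "$EXPECTED" "$INSTALLED"; then
    echo "all packages at the expected versions"
else
    echo "update incomplete: select the flagged packages manually before testing"
fi
```

On a real system, replace INSTALLED with the output of the rpm query named in the comment and keep EXPECTED as the advisory's package list.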
Whiteboard: (none) => feedback
We don't hard code library dependencies, they're automatically generated. When the packages are available in updates, they'll all be updated. When doing QA, you always might have to manually select the appropriate packages.
Whiteboard: feedback => (none)
Thanks David for your observation. In which case I shall risk the 64 OK. If somebody can suggest an application which might use some of this, please do. (I decline getting bogged down in Linphone). It looks as if lib[64]osip2_12 is the main thing.
Whiteboard: (none) => MGA5-64-OK
Can this have its advisory, please. Comment 4 has the SRPMs. I can invent one if desired.
Advisory:
========================

Updated libosip2 packages fix security vulnerabilities:

In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the osip_clrncpy() function defined in osipparser2/osip_port.c (CVE-2016-10324).

In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the _osip_message_to_str() function defined in osipparser2/osip_message_to_str.c, resulting in a remote DoS (CVE-2016-10325).

In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the osip_body_to_str() function defined in osipparser2/osip_body.c, resulting in a remote DoS (CVE-2016-10326).

In libosip2 in GNU 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS (CVE-2017-7853).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7853
https://lists.opensuse.org/opensuse-updates/2017-04/msg00109.html
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
This has hung around too long. I am validating it on the basis of a clean 64-bit update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0170.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 27760 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu