Debian-LTS has issued an advisory on April 23: https://www.debian.org/lts/security/2021/dla-2636 The issue is fixed upstream in 2.11: https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 2.11
CC: (none) => geiger.david68210, jani.valimaa
Whiteboard: (none) => MGA8TOO, MGA7TOO
Debian-LTS has issued an advisory for ring-daemon on May 23: https://www.debian.org/lts/security/2021/dla-2665 It had a bundled copy of pjproject. I think this was renamed in Mageia 8?
No current registered maintainer, so assigning globally. I was going to CC Jani as having done all recent updates, but that is already done!
Assignee: bugsquad => pkg-bugs
pjproject-2.11-1.mga9 uploaded for Cauldron by Jani.
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Hi, For Mageia 8, I added an upstream patch for that CVE and pushed pjproject-2.10-5.1.mga8 to the BS. Best regards, Nico.
CC: (none) => nicolas.salguero
We have 2.7.2 in Mageia 7, so Debian's patch for 2.5.5 might work for us. What's the status of ring-daemon?

Uploaded packages for Mageia 8:
libpjproject2-2.10-5.1.mga8
pjsua-2.10-5.1.mga8
libpjproject-devel-2.10-5.1.mga8
from pjproject-2.10-5.1.mga8.src.rpm
ring-daemon was replaced by jami-daemon in Mageia 8. Both are built against our system pjproject library.
Advisory:
========================

Updated pjproject packages fix security vulnerability:

An issue has been found in pjproject. Due to bad handling of two consecutive crafted answers to an INVITE, the attacker is able to crash the server resulting in a denial of service (CVE-2021-21375).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21375
https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp
https://www.debian.org/lts/security/2021/dla-2636
========================

Updated packages in core/updates_testing:
========================
libpjproject2-2.7.2-1.1.mga7
libpjproject-devel-2.7.2-1.1.mga7
pjsua-2.7.2-1.1.mga7
python2-pjsua-2.7.2-1.1.mga7
libpjproject2-2.10-5.1.mga8
pjsua-2.10-5.1.mga8
libpjproject-devel-2.10-5.1.mga8

from SRPMS:
pjproject-2.7.2-1.1.mga7.src.rpm
pjproject-2.10-5.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.11 => (none)
The Debian bug also references another CVE, CVE-2020-15260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986815

I've included the patch for that in the Mageia 8 build. I'm not sure that the Mageia 7 version is vulnerable. The code's different enough, it's not obvious how it would apply.

Mageia 8 advisory below (Mageia 7 one can remain as in Comment 7).

Advisory (Mageia 8):
========================

Updated pjproject packages fix security vulnerability:

Currently, PJSIP transport can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication. The vulnerability allows for an insecure interaction without user awareness. It affects users who need access to connections to different destinations that translate to the same address, and allows man-in-the-middle attack if attacker can route a connection to another destination such as in the case of DNS spoofing (CVE-2020-15260).

An issue has been found in pjproject. Due to bad handling of two consecutive crafted answers to an INVITE, the attacker is able to crash the server resulting in a denial of service (CVE-2021-21375).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21375
https://github.com/pjsip/pjproject/security/advisories/GHSA-8hcp-hm38-mfph
https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp
https://www.debian.org/lts/security/2021/dla-2636
========================

Updated packages in core/updates_testing:
========================
libpjproject2-2.10-5.2.mga8
pjsua-2.10-5.2.mga8
libpjproject-devel-2.10-5.2.mga8
from pjproject-2.10-5.2.mga8.src.rpm
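The transport-reuse weakness described in the CVE-2020-15260 advisory text above, modelled as an added example (this is not pjproject code and not part of the bug report): the pre-fix lookup keyed only on address, port and protocol, beside a hardened lookup that also keys secure transports on the hostname the certificate was verified for. All addresses, hostnames and the pool contents are constructed.

```c
/* Added example, not pjproject code: models the transport-reuse check behind
 * CVE-2020-15260.  A TLS transport authenticated for one remote hostname must
 * not be reused for a different hostname that resolves to the same address.
 * All addresses, names and the pool contents below are constructed. */
#include <stdio.h>
#include <string.h>
#define PROTO_TLS 1

struct transport {
    char ip[46];            /* resolved remote address */
    int  port;
    int  proto;
    char verified_host[64]; /* name the TLS certificate was checked against */
};

/* Constructed pool: one TLS transport already open and verified for sip.example.com. */
static struct transport pool[] = {
    { "203.0.113.10", 5061, PROTO_TLS, "sip.example.com" },
};
static const int pool_len = sizeof pool / sizeof pool[0];

/* Weak lookup (pre-fix behaviour): reuse keyed on address + port + protocol only. */
const struct transport *find_weak(const char *ip, int port, int proto)
{
    for (int i = 0; i < pool_len; i++)
        if (pool[i].port == port && pool[i].proto == proto && strcmp(pool[i].ip, ip) == 0)
            return &pool[i];
    return NULL;
}

/* Hardened lookup: for secure transports the remote hostname is part of the key,
 * so a spoofed DNS answer cannot borrow a transport verified for another name. */
const struct transport *find_strict(const char *ip, int port, int proto, const char *host)
{
    for (int i = 0; i < pool_len; i++) {
        if (pool[i].port != port || pool[i].proto != proto || strcmp(pool[i].ip, ip) != 0)
            continue;
        if (proto == PROTO_TLS && strcmp(pool[i].verified_host, host) != 0)
            continue; /* same address, different identity: needs a fresh handshake */
        return &pool[i];
    }
    return NULL;
}

int main(void)
{   /* Constructed scenario: sip.example.net is (spoofed to) resolve to the same address. */
    const char *ip = "203.0.113.10";
    printf("weak reuse: %s, strict reuse: %s\n", find_weak(ip, 5061, PROTO_TLS) ? "yes" : "no",
           find_strict(ip, 5061, PROTO_TLS, "sip.example.net") ? "yes" : "no");
    return 0;
}
```

The strict lookup returning NULL is the desired outcome: the caller must open a new transport and verify the certificate against the requested name instead of trusting one established for a different hostname.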
MGA7-64 Plasma on Lenovo B50
No installation issues. Installs cleanly.
Ref bug 21505 for testing.

As I have a VOIP connection with my ISP, trying to get to grips with pjsua, but running into sound problem. Found www.pjsip.org/psjua.htm#invoking as info.

$ pjsua sip:<myISPaddress>
11:04:16.190 pjsua_core.c !.pjsua version 2.7.2 for Linux-5.10.45/x86_64/glibc-2.29 initialized
11:04:16.195 main.c Ready: Success
11:04:16.195 pjsua_aud.c ..Error retrieving default audio device parameters: Unable to find default audio device (PJMEDIA_EAUD_NODEFDEV) [status=420006]

When I try any command to make a call, all abort on this sound error.

Other command: dump configuration
>>> dc
11:24:05.135 pjsua_app_legacy.c Dumping configuration (393 bytes):
#
# Logging options:
#
--log-level 5
--app-log-level 4
#
# Network settings:
#
--local-port 5060
#
# Media settings:
#
--snd-auto-close 1
#using default --clock-rate 16000
#using default --quality 8
#using default --ec-tail 200
#using default --ilbc-mode 30
--rtp-port 4000
#
# User agent:
#
--max-calls 4
#
# Buddies:
#
--add-buddy sip:<myISPaddress>
#
# SIP extensions:
#
--use-timer 1

When I do
$ pjsua --null-audio sip:<myISPaddress>
......
You have 1 active call
Current call id=0 to sip:<myISPaddress> [CALLING]
>>> 11:29:54.757 pjsua_app.c !.....Call 0 is DISCONNECTED [reason=407 (Proxy Authentication Required)]

That result seems OK since I did not pass user/password in the command.

Trying
$ pjsua --null-audio --id sip:<myname>@v<myISPaddress> --registrar sip:<myISPaddress> --realm * --username <myname> --password <secret>

I have to make sure the pwd is an empty folder, otherwise the command seems to pick up the first file in it for some config settings. Then I get
11:45:07.616 pjsua_core.c !.pjsua version 2.7.2 for Linux-5.10.45/x86_64/glibc-2.29 initialized
11:45:07.636 pjsua_app.c .Turning sound device -99 -99 ON
11:45:07.636 main.c Ready: Success
>>>> Account list: etc ....

and at the end
>>> 11:45:07.655 pjsua_acc.c !....IP address change detected for account 2 (192.168.2.5:5060 --> 213.219.165.75:62345). Updating registration (using method 4)
11:45:07.672 pjsua_acc.c ....SIP registration failed, status=603 (Decline)

which I would accept as a valid result, since I do not expect the ISP to honour registrations from any outside source.

OK unless someone else objects.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene
MGA8-64 Plasma on Lenovo B50
No installation issues. Installs cleanly.
Repeated tests as in Comment 9 above with same results. OK then.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisories in Comment 7 and Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
2 advisories pushed.
Keywords: (none) => advisory
CC: (none) => ouaurelien
Status comment: (none) => CVE-2020-15260 for Mageia 8
Summary: pjproject new security issue CVE-2021-21375 => pjproject new security issues CVE-2020-15260 (mga8) and CVE-2021-21375 (mga7 and mga8)
CVE: (none) => CVE-2020-15260, CVE-2021-21375
Status comment: CVE-2020-15260 for Mageia 8 => (none)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0336.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0337.html