Bug 30213 - pjproject new security issues CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-4330[0-4], CVE-2021-43845, CVE-2022-2172[23], CVE-2022-23608, CVE-2022-24754, CVE-2022-2476[34], CVE-2022-2479[23]
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Jani Välimaa
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-29 00:31 CEST by David Walser
Modified: 2024-03-13 14:24 CET

See Also:
Source RPM: pjproject-2.10-5.3.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 2.12.1


David Walser 2022-03-29 00:31:26 CEST

Status comment: (none) => Fixed upstream in 2.12
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-03-29 20:53:36 CEST
Although this is not officially with you Jani, you alone have dealt with it for years, so it seems best to assign this to you.

Assignee: bugsquad => jani.valimaa
CC: jani.valimaa => (none)

Comment 2 David Walser 2022-04-04 22:31:39 CEST
Debian-LTS has issued an advisory on April 3:
https://www.debian.org/lts/security/2022/dla-2962-2

I don't know what else they fixed, because they forgot to fill it out :D

Comment 3 Jani Välimaa 2022-04-06 16:39:21 CEST
Fixed in cauldron with pjproject-2.12-1.mga9.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 David Walser 2022-04-06 16:51:48 CEST
Unless it's using system pjproject now, jami-daemon in Cauldron also needs fixed.

Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO

Comment 5 David Walser 2022-04-07 17:05:58 CEST
The current jami-daemon doesn't build because of issues with dbus-c++, so it may need to be updated or something.

Comment 6 David Walser 2022-06-02 23:49:02 CEST
Debian-LTS has issued an advisory today (June 2):
https://www.debian.org/lts/security/2022/dla-3036

The issues are fixed upstream in 2.12.1:
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4

Summary: pjproject new security issues CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-4330[0-4], CVE-2021-43845, CVE-2022-2172[23], CVE-2022-23608, CVE-2022-24754, CVE-2022-24764 => pjproject new security issues CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-4330[0-4], CVE-2021-43845, CVE-2022-2172[23], CVE-2022-23608, CVE-2022-24754, CVE-2022-2476[34], CVE-2022-2479[23]
Status comment: Fixed upstream in 2.12 => Fixed upstream in 2.12.1

Comment 7 Nicolas Salguero 2024-03-13 14:24:37 CET
Mageia 8 EOL.

CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: NEW => RESOLVED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

