CVE-2021-32686:

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.

Please bump.
Seems that the patch was backported to 2.10-r2 here:

commit 93f6d97e4bd66daa168e1790f8cb3b8086854bd1
Author: Jaco Kroon <jaco@uls.co.za>
Date: Fri Jul 23 07:10:18 2021 +0200

    net-libs/pjproject: sec bump

    Upstream not releasing new version, so just bring in the patch to -r2.

    This addresses AST-2021-009 for

    Closes: https://bugs.gentoo.org/803440
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21752
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

Please cleanup.
It was indeed back-ported and asterisk will not (currently) work with 2.11.1 due to library name changes. Not been able to figure out why yet.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74bc4476b50218718af7c43038176f1d69c50e61

commit 74bc4476b50218718af7c43038176f1d69c50e61
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-07-24 08:36:57 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-06-15 13:32:11 +0000

    net-libs/pjproject: Version 2.12.1.

    Upstream release.

    Remove the need for custom patches (which is still required but no longer applies, instead, rely on ./configure detecting openssl, we do depend on it, and only --disable-ssl works, passing --enable-ssl also effectively disables ssl).

    Compile tested asterisk 13, 16 and 18 (in-tree versions) against this. Would appreciate a double-check on this one. One version from each is sufficient.

    Since the two libraries that were the target of parallel build failures are now one, I believe the parallel build issue is fixed too.

    Included patch for CVE-2022-31031

    Closes: https://bugs.gentoo.org/833765
    Closes: https://bugs.gentoo.org/817803
    Closes: https://bugs.gentoo.org/808099
    Closes: https://bugs.gentoo.org/834491
    Bug: https://bugs.gentoo.org/803614
    Bug: https://bugs.gentoo.org/765799
    Bug: https://bugs.gentoo.org/829894
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/21761
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-libs/pjproject/Manifest | 1 +
 .../files/pjproject-2.12.1-CVE-2022-31031.patch | 41 +++++++
 net-libs/pjproject/pjproject-2.12.1.ebuild | 125 +++++++++++++++++++++
 3 files changed, 167 insertions(+)
https://bugs.gentoo.org/829894
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5cbf3d86fb2bca0fdeb9214550c2f68d0bcb7467

commit 5cbf3d86fb2bca0fdeb9214550c2f68d0bcb7467
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:22:18 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:50 +0000

    [ GLSA 202210-37 ] PJSIP: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803614
    Bug: https://bugs.gentoo.org/829894
    Bug: https://bugs.gentoo.org/875863
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-37.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
GLSA released, all done!