* CVE-2020-15260

Description:
"PJSIP transport can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication. Suppose we have created a TLS connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we want to create a TLS connection to another hostname, say `sip.bar.com`, which has the same IP address, then it will reuse that existing connection, even though `100.1.1.1` does not have certificate to authenticate as `sip.bar.com`. The vulnerability allows for an insecure interaction without user awareness. It affects users who need access to connections to different destinations that translate to the same address, and allows man-in-the-middle attack if attacker can route a connection to another destination such as in the case of DNS spoofing."

Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-8hcp-hm38-mfph

* CVE-2021-21375

Description:
"In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service."

Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp
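The reuse rule from the CVE-2020-15260 description, as an added example that is not part of this bug report or of the pjproject patch: a toy transport cache with an address-only lookup beside one that, for TLS, also requires the hostname the connection was authenticated for. The type and function names, the cache itself and port 5061 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Toy transport cache. Hypothetical names; not the PJSIP API. */
typedef struct {
    char proto[8], ip[46], host[64]; /* host: name the certificate was verified for */
    int port, in_use;
} transport;
#define CACHE_LEN 8
static transport cache[CACHE_LEN];

static int same_addr(const transport *t, const char *proto, const char *ip, int port) {
    return t->in_use && t->port == port && !strcmp(t->proto, proto) && !strcmp(t->ip, ip);
}

transport *add_transport(const char *proto, const char *ip, int port, const char *host) {
    for (int i = 0; i < CACHE_LEN; i++) {
        transport *t = &cache[i];
        if (t->in_use) continue;
        snprintf(t->proto, sizeof t->proto, "%s", proto);
        snprintf(t->ip, sizeof t->ip, "%s", ip);
        snprintf(t->host, sizeof t->host, "%s", host);
        t->port = port; t->in_use = 1;
        return t;
    }
    return NULL; /* cache full */
}

/* Reuse keyed on protocol + IP + port only: the behaviour the advisory describes. */
transport *find_by_addr(const char *proto, const char *ip, int port) {
    for (int i = 0; i < CACHE_LEN; i++)
        if (same_addr(&cache[i], proto, ip, port)) return &cache[i];
    return NULL;
}

/* For TLS, additionally require the hostname the transport was authenticated as. */
transport *find_by_addr_and_host(const char *proto, const char *ip, int port, const char *host) {
    for (int i = 0; i < CACHE_LEN; i++) {
        if (!same_addr(&cache[i], proto, ip, port)) continue;
        if (!strcmp(proto, "tls") && strcasecmp(cache[i].host, host) != 0) continue;
        return &cache[i];
    }
    return NULL; /* caller must open a new connection and verify its certificate */
}

int main(void) { /* constructed sample: sip.foo.com is cached, sip.bar.com is requested */
    add_transport("tls", "100.1.1.1", 5061, "sip.foo.com");
    printf("address-only reuse: %d, address+host reuse: %d\n",
           find_by_addr("tls", "100.1.1.1", 5061) != NULL,
           find_by_addr_and_host("tls", "100.1.1.1", 5061, "sip.bar.com") != NULL);
}
```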
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69e63f7c831f2a585cd34cb74a3f8bbff901f798

commit 69e63f7c831f2a585cd34cb74a3f8bbff901f798
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-11 07:34:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 08:19:44 +0000

    net-libs/pjproject: security rev bump to 2.10-r1

    Upstream didn't release a new version as one would expect. Instead
    patches are applied locally.

    Also add subslot because they are equally good at maintaining ABI
    compatibility, and SONAME is never updated, thus we need to be able to
    depend on subslots to rebuild (preserved-rebuild is no good).

    Bug: https://bugs.gentoo.org/775359
    Bug: https://bugs.gentoo.org/775353
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/19876
    Signed-off-by: Sam James <sam@gentoo.org>

 ...ct-2.10-CVE-2020-15260-tls-hostname-check.patch | 125 +++++++++++++++++++++
 ...-CVE-2021-21375-negotiation-failure-crash.patch |  45 ++++++++
 ...ion-between-transport-destroy-and-acquire.patch | 108 ++++++++++++++++++
 net-libs/pjproject/pjproject-2.10-r1.ebuild        | 125 +++++++++++++++++++++
 4 files changed, 403 insertions(+)
Please stable when ready.
amd64 done
x86 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=627a5846c40c46660578365824ff1c3fedd161d0

commit 627a5846c40c46660578365824ff1c3fedd161d0
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-15 19:20:05 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-03-15 19:20:05 +0000

    net-libs/pjproject: security cleanup

    Bug: https://bugs.gentoo.org/775359
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/19939
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-libs/pjproject/Manifest                  |   2 -
 net-libs/pjproject/metadata.xml              |   4 +-
 net-libs/pjproject/pjproject-2.10.ebuild     | 123 ---------------------------
 net-libs/pjproject/pjproject-2.7.2-r2.ebuild | 117 -------------------------
 net-libs/pjproject/pjproject-2.9-r2.ebuild   | 123 ---------------------------
 5 files changed, 2 insertions(+), 367 deletions(-)
Thanks!
Request filed
This issue was resolved and addressed in GLSA 202107-42 at https://security.gentoo.org/glsa/202107-42 by GLSA coordinator John Helmert III (ajak).