(address . email@example.com)(name . Léo Le Bouter)(address . firstname.lastname@example.org)
I'm forwarding this to email@example.com so that it won't be forgotten. Mark -------------------- Start of forwarded message --------------------Subject: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260From: Léo Le Bouter <firstname.lastname@example.org>To: email@example.comDate: Thu, 11 Mar 2021 03:30:42 +0100
CVE-2021-21375 00:15PJSIP is a free and open source multimedia communication librarywritten in C language implementing standard based protocols such asSIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier,after an initial INVITE has been sent, when two 183 responses arereceived, with the first one causing negotiation failure, a crash willoccur. This results in a denial of service. CVE-2020-15260 00:15PJSIP is a free and open source multimedia communication librarywritten in C language implementing standard based protocols such asSIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIPtransport can be reused if they have the same IP address + port +protocol. However, this is insufficient for secure transport since itlacks remote hostname authentication. Suppose we have created a TLSconnection to `sip.foo.com`, which has an IP address `220.127.116.11`. If wewant to create a TLS connection to another hostname, say `sip.bar.com`,which has the same IP address, then it will reuse that existingconnection, even though `18.104.22.168` does not have certificate toauthenticate as `sip.bar.com`. The vulnerability allows for an insecureinteraction without user awareness. It affects users who need access toconnections to different destinations that translate to the sameaddress, and allows man-in-the-middle attack if attacker can route aconnection to another destination such as in the case of DNS spoofing. Upstream has not made a release yet, I advise we wait for a release ontheir end then upgrade. To be monitored.