Package: asterisk
Severity: important
Tags: security

Asterisk uses the libsrtp crypto_get_random() call in res_srtp.c:
https://sources.debian.net/src/asterisk/1:13.1.0~dfsg-1.1/res/res_srtp.c/?hl=308#L308

Libsrtp developers will drop that call in the next major release of libsrtp:
https://github.com/cisco/libsrtp/commit/339b61d

Since the reason is described as that the implementation is mediocre, it would probably be wise - not only for future compatibility but also to improve security - to patch (or discuss with your upstream) to use a different source for randomness.

 - Jonas