Source: janus Version: 0.10.0-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/meetecho/janus-gateway/pull/2214
Hi, The following vulnerabilities were published for janus. CVE-2020-13898[0]: | An issue was discovered in janus-gateway (aka Janus WebRTC Server) | through 0.10.0. janus_sdp_process in sdp.c has a NULL pointer | dereference. CVE-2020-13899[1]: | An issue was discovered in janus-gateway (aka Janus WebRTC Server) | through 0.10.0. janus_process_incoming_request in janus.c discloses | information from uninitialized stack memory. CVE-2020-13900[2]: | An issue was discovered in janus-gateway (aka Janus WebRTC Server) | through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer | dereference. CVE-2020-13901[3]: | An issue was discovered in janus-gateway (aka Janus WebRTC Server) | through 0.10.0. janus_sdp_merge in sdp.c has a stack-based buffer | overflow. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-13898 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13898 [1] https://security-tracker.debian.org/tracker/CVE-2020-13899 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13899 [2] https://security-tracker.debian.org/tracker/CVE-2020-13900 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13900 [3] https://security-tracker.debian.org/tracker/CVE-2020-13901 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13901 [4] https://github.com/meetecho/janus-gateway/pull/2214 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
