Your message dated Sat, 13 Aug 2022 12:19:12 +0000
with message-id <e1omq6i-004ckf...@fasolo.debian.org>
and subject line Bug#1016974: fixed in sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-3
has caused the Debian Bug report #1016974,
regarding sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sofia-sip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sofia-sip.

CVE-2022-31001[0]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-
| Agent library. Prior to version 1.13.8, an attacker can send a message
| with evil sdp to FreeSWITCH, which may cause crash. This type of crash
| may be caused by `#define MATCH(s, m) (strncmp(s, m, n = sizeof(m) -
| 1) == 0)`, which will make `n` bigger and trigger out-of-bound access
| when `IS_NON_WS(s[n])`. Version 1.13.8 contains a patch for this
| issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-79jq-hh82-cv9g
https://github.com/freeswitch/sofia-sip/commit/a99804b336d0e16d26ab7119d56184d2d7110a36
 (v1.13.8)

CVE-2022-31002[1]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-
| Agent library. Prior to version 1.13.8, an attacker can send a message
| with evil sdp to FreeSWITCH, which may cause a crash. This type of
| crash may be caused by a URL ending with `%`. Version 1.13.8 contains
| a patch for this issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-g3x6-p824-x6hm
https://github.com/freeswitch/sofia-sip/commit/51841eb53679434a386fb2dcbca925dcc48d58ba
 (v1.13.8)

CVE-2022-31003[2]:
| Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-
| Agent library. Prior to version 1.13.8, when parsing each line of a
| sdp message, `rest = record + 2` will access the memory behind `\0`
| and cause an out-of-bounds write. An attacker can send a message with
| evil sdp to FreeSWITCH, causing a crash or more serious consequence,
| such as remote code execution. Version 1.13.8 contains a patch for
| this issue.

https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp
https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9
 (v1.13.8)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
[1] https://security-tracker.debian.org/tracker/CVE-2022-31002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
[2] https://security-tracker.debian.org/tracker/CVE-2022-31003
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003

Please adjust the affected versions in the BTS as needed.

--- End Message ---
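As an added illustration (constructed for this page; not sofia-sip code and not part of the advisories or of either message above), the following C example shows a length-aware way of handling the three SDP-parsing edge cases the CVE texts describe: a record shorter than two bytes before `rest = record + 2` is taken (CVE-2022-31003), a keyword match that would read `s[n]` beyond the bytes actually available (CVE-2022-31001), and a URL that ends in `%` with no hex digits behind it (CVE-2022-31002). Every identifier (`sdp_parse_line`, `sdp_match_keyword`, `sdp_url_unescape`, `struct sdp_field`) and every sample input is hypothetical; the rule that a keyword must be followed by whitespace or end of input is chosen here for illustration and is not a claim about the library's own grammar.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not sofia-sip code. All names are hypothetical.
 * The common theme: every access carries the number of bytes that remain,
 * and the pointer or index is checked against it before it is used. */

enum sdp_status { SDP_OK = 0, SDP_ERR_SHORT = -1, SDP_ERR_FORMAT = -2 };

struct sdp_field {
    char type;          /* the letter before '=' (v, o, s, c, m, a, ...) */
    const char *value;  /* points into the caller's buffer; not NUL-terminated */
    size_t value_len;
};

/* Edge case 3: "rest = record + 2" is only meaningful when the record holds at
 * least two bytes and the second one is '='. A record of "v", "" or a lone
 * "\0" must be rejected before the pointer is advanced. */
static enum sdp_status sdp_parse_line(const char *record, size_t len,
                                      struct sdp_field *f) {
    if (len < 2) return SDP_ERR_SHORT;
    if (!isalpha((unsigned char)record[0]) || record[1] != '=') return SDP_ERR_FORMAT;
    f->type = record[0];
    f->value = record + 2;      /* safe: len >= 2 was established above */
    f->value_len = len - 2;
    return SDP_OK;
}

/* Edge case 1: a MATCH(s, m) macro that sets n = sizeof(m) - 1 and then reads
 * s[n] can read past the end of a short input. Here the remaining length is
 * passed in, the keyword must fit, and s[n] is read only when n < avail. */
static int sdp_match_keyword(const char *s, size_t avail, const char *kw,
                             size_t *n_out) {
    size_t n = strlen(kw);
    if (avail < n || memcmp(s, kw, n) != 0) return 0;
    /* Illustrative rule: keyword must end the input or be followed by
     * whitespace. The byte s[n] exists only when n < avail. */
    if (n < avail && !isspace((unsigned char)s[n])) return 0;
    *n_out = n;
    return 1;
}

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Edge case 2: a URL ending in "%" or "%4" has fewer than two bytes after the
 * escape character. Reject it instead of reading beyond the input. Returns the
 * decoded length or -1 on a malformed escape; `out` needs room for `len` bytes. */
static long sdp_url_unescape(const char *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] != '%') { out[o++] = in[i]; continue; }
        if (i + 2 >= len) return -1;          /* both in[i+1] and in[i+2] must exist */
        int hi = hexval((unsigned char)in[i + 1]);
        int lo = hexval((unsigned char)in[i + 2]);
        if (hi < 0 || lo < 0) return -1;
        out[o++] = (char)(hi * 16 + lo);
        i += 2;
    }
    return (long)o;
}

/* Single-value wrappers so the results are easy to inspect or assert on. */
static int line_status(const char *line) {
    struct sdp_field f;
    return sdp_parse_line(line, strlen(line), &f);
}
static int keyword_matches(const char *s, const char *kw) {
    size_t n;
    return sdp_match_keyword(s, strlen(s), kw, &n);
}
static long unescaped_len(const char *url) {
    char out[64];
    return sdp_url_unescape(url, strlen(url), out);
}

int main(void) {
    /* Constructed sample inputs: one well-formed case and one truncated case each. */
    printf("v=0      -> %d\n", line_status("v=0"));           /* SDP_OK */
    printf("v        -> %d\n", line_status("v"));             /* SDP_ERR_SHORT */
    printf("RTP/AVP 0 matches RTP/AVP -> %d\n", keyword_matches("RTP/AVP 0", "RTP/AVP"));
    printf("RTP       matches RTP/AVP -> %d\n", keyword_matches("RTP", "RTP/AVP"));
    printf("sip:a%%40b -> %ld\n", unescaped_len("sip:a%40b"));  /* 7 */
    printf("sip:a%%    -> %ld\n", unescaped_len("sip:a%"));      /* -1 */
    return 0;
}
```

Each parser takes the remaining byte count as a parameter rather than trusting a terminating NUL, which is what makes the three checks possible; a fuzzer fed short or truncated SDP lines is the natural way to confirm such code never reads past its buffer.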
--- Begin Message ---
Source: sofia-sip
Source-Version: 1.12.11+20110422.1+1e14eea~dfsg-3
Done: Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu>

We believe that the bug you reported is fixed in the latest version of
sofia-sip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu> (supplier of updated sofia-sip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Aug 2022 04:34:27 +0200
Source: sofia-sip
Architecture: source
Version: 1.12.11+20110422.1+1e14eea~dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Evangelos Ribeiro Tzaras <devrtz-deb...@fortysixandtwo.eu>
Closes: 1016974
Changes:
 sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-3) unstable; urgency=medium
 .
   * Add patches to fix reported CVEs.
     For further information see:
     - CVE-2022-31001[0]:
     - CVE-2022-31002[1]:
     - CVE-2022-31003[2]:
     [0] https://security-tracker.debian.org/tracker/CVE-2022-31001
         https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001
     [1] https://security-tracker.debian.org/tracker/CVE-2022-31002
         https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002
     [2] https://security-tracker.debian.org/tracker/CVE-2022-31003
         https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003
     closes: bug#1016974, thanks to Moritz Mühlenhoff
Checksums-Sha1:
 29e258d3f1978339e562569663a1da8e6966118e 2675 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3.dsc
 38a98525619ecc53fef59dc48347b0e5afe1dd47 1172172 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg.orig.tar.xz
 1313ff26bc5fbabd44c43314617d5cca1f99f306 30672 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3.debian.tar.xz
 d8dc2494d7969b01322c0ed9949b8ae497bd2113 8297 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3_source.buildinfo
Checksums-Sha256:
 b49a1922507c866cc89606f635c96c053fc9cdbadd6cd1b0ebed6ac08d513052 2675 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3.dsc
 9aedd1f013d705488a77fcdf19b949906f542cdd9830a7847da8075b3164db09 1172172 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg.orig.tar.xz
 170859c39f3bf59224a97dcf2e6904d25b776cb379933fd608359b3ea9f89d47 30672 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3.debian.tar.xz
 ce018030882139b4c626562c9ebd23a1b7aadda53644341b85022f72bd71a899 8297 sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3_source.buildinfo
Files:
 bd5ee595593ed67dbb04355f3bede481 2675 net optional sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3.dsc
 4c6e371ce4b1acb195d0a5069f90dfd3 1172172 net optional sofia-sip_1.12.11+20110422.1+1e14eea~dfsg.orig.tar.xz
 2d1cedc1210262659607acb0995a81b6 30672 net optional sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3.debian.tar.xz
 0d078d79ecf2a4e2995053cabec76bb3 8297 net optional sofia-sip_1.12.11+20110422.1+1e14eea~dfsg-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---