Your message dated Thu, 25 Jan 2024 20:05:14 -0500
with message-id <87zfwsewfp....@gnu.org>
and subject line Re: Bug#1059307: ring: CVE-2023-38703
has caused the Debian Bug report #1059307,
regarding ring: CVE-2023-38703
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1059307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059307
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ring
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for pjsig, which is
bundled in ring:
CVE-2023-38703[0]:
| PJSIP is a free and open source multimedia communication library
| written in C with high level API in C, C++, Java, C#, and Python
| languages. SRTP is a higher level media transport which is stacked
| upon a lower level media transport such as UDP and ICE. Currently a
| higher level transport is not synchronized with its lower level
| transport that may introduce use-after-free issue. This
| vulnerability affects applications that have SRTP capability
| (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
| than UDP. This vulnerability’s impact may range from unexpected
| application termination to control flow hijack/memory corruption.
| The patch is available as a commit in the master branch.
https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
(2.14)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-38703
https://www.cve.org/CVERecord?id=CVE-2023-38703
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Hi Moritz,
Thank you for the bug report. I brought this up with some Jami core
devs, and one of them investigated and told me that Jami's use of
pjsip is not affected by this bug. As such, I believe we don't have
to do anything for this at this stage, and can close this bug.
Thanks again,
-a
--- End Message ---
