Fernando Russ from Groundworks Technologies reported a buffer overflow flaw in srtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), in how the crypto_policy_set_from_profile_for_rtp() function applies cryptographic profiles to an srtp_policy. A remote attacker could exploit this vulnerability to crash an application linked against libsrtp, resulting in a denial of service.
For the oldstable distribution (squeeze), this problem has been fixed in version 1.4.4~dfsg-6+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 1.4.4+20100615~dfsg-2+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.4.5~20130609~dfsg-1. For the unstable distribution (sid), this problem has been fixed in version 1.4.5~20130609~dfsg-1. We recommend that you upgrade your srtp packages.
srtp on Debian Linux
This check tests the installed software version using the apt package manager.
Updated on 2015-03-25
- Debian Security Advisory DSA 043-1 (zope)
- Debian Security Advisory DSA 2309-1 (openssl)
- Debian Security Advisory DSA 2650-2 (libvirt - files and device nodes ownership change to kvm group)
- Debian Security Advisory DSA 2649-1 (lighttpd - fixed socket name in world-writable directory)
- Debian Security Advisory DSA 2063-1 (pmount)