-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: libsrtp security and bug fix update Advisory ID: RHSA-2020:3873-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3873 Issue date: 2020-09-29 CVE Names: CVE-2013-2139 CVE-2015-6360 ==================================================================== 1. Summary: An update for libsrtp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The libsrtp package provides an implementation of the Secure Real-time Transport Protocol (SRTP), the Universal Security Transform (UST), and a supporting cryptographic kernel. Security Fix(es): * libsrtp: improper handling of CSRC count and extension header length in RTP header (CVE-2015-6360) * libsrtp: buffer overflow in application of crypto profiles (CVE-2013-2139) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 970697 - CVE-2013-2139 libsrtp: buffer overflow in application of crypto profiles 1301202 - libsrtp global-buffer-overflow 1323702 - CVE-2015-6360 libsrtp: improper handling of CSRC count and extension header length in RTP header 1323705 - CVE-2015-6360 libsrtp: improper handling of CSRC count and extension header length in RTP header [rhel-7] 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: libsrtp-1.4.4-11.20101004cvs.el7.src.rpm x86_64: libsrtp-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: libsrtp-1.4.4-11.20101004cvs.el7.src.rpm x86_64: libsrtp-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: libsrtp-1.4.4-11.20101004cvs.el7.src.rpm ppc64: libsrtp-1.4.4-11.20101004cvs.el7.ppc.rpm libsrtp-1.4.4-11.20101004cvs.el7.ppc64.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.ppc.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.ppc64.rpm ppc64le: libsrtp-1.4.4-11.20101004cvs.el7.ppc64le.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.ppc64le.rpm s390x: libsrtp-1.4.4-11.20101004cvs.el7.s390.rpm libsrtp-1.4.4-11.20101004cvs.el7.s390x.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.s390.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.s390x.rpm x86_64: libsrtp-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.ppc.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.ppc64.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.ppc.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.ppc64.rpm ppc64le: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.ppc64le.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.ppc64le.rpm s390x: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.s390.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.s390x.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.s390.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.s390x.rpm x86_64: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: libsrtp-1.4.4-11.20101004cvs.el7.src.rpm x86_64: libsrtp-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-debuginfo-1.4.4-11.20101004cvs.el7.x86_64.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.i686.rpm libsrtp-devel-1.4.4-11.20101004cvs.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2013-2139 https://access.redhat.com/security/cve/CVE-2015-6360 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3OeoNzjgjWX9erEAQiDzQ/+IXUAdmMRlgeg/t8Z+ApQ4ur4BxO/WRBl 5Nd8anDnQzl3uduHgXz7AcsbON2M/jWq5xUfgdydHT8fEQ7g814QbTeNMsbEQ1zS Cuv1XztiGKy5fY5my3P80+kM+tL5uFfZ22oJqpSfS7sqGFzWEl1j+TldgURSva1G XbNudX77Gp975wMDVPJlA9S9Puf59Cz6DQaoYu5Fqzwka8z1RWOdR1IfFlAcBGrO NODvSxOZB+FDzvwikgoVTNay+e7ct+Yb1Ygg1nsGjyexinkchiuKDX2Mnv1Sc/JP vaHARZmpN6llZ8Vo++hd8WGFhsIzocqF0dposlj/PmtuoFydu7x5zpluEFc2mVaM pNCwzggc8BforUdoo6z27qqpiU0o/eTmVR97Jtbzm5BTs+28IGwg6iz374VdoAeP wy1XTj2WBw0ys+0UVkAxwiSWit6RuPRhRf85B7IPsW1BwkvPm4nAi45+50cTUQ5S PldnrWd9VILcfmj1ThdevaiFjkHrAZE4HFRxd1V3uIdIwZyvtP7w4wrt8ma51CyZ isP53JER/PhJY4du3deCo4qqca5SyecLTj/gbqXoPQFn6ppUbNacWPwadjDRA5Nu qPQVoSW8Z+L91vtqM+SGapuxNN0OuqiPFcWOlMyrM8R8MqKIhTQaTLQZE1vCJx5e AhxrRaOeyWw=X+yJ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce