Bug 207003

Summary: net/libsrtp: Update to 1.5.4 (Fixes security vulnerability CVE-2015-6360)
Product: Ports & Packages Reporter: Kurt Jaeger <pi>
Component: Individual Port(s)Assignee: Kurt Jaeger <pi>
Status: Closed FIXED    
Severity: Affects Only Me CC: alexander, junovitch, pi, ports-secteam
Priority: --- Keywords: patch, patch-ready, security
Version: LatestFlags: koobs: maintainer-feedback-
pi: merge-quarterly+
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch koobs: maintainer-approval+

Description Kurt Jaeger freebsd_committer 2016-02-07 16:27:22 UTC
Created attachment 166711 [details]
patch

Testbuilds all fine, portlint all OK

Changes:
- Use BE byte ordering of RTCP trailer.
- Allow zero length payload on unprotect.
- Fix for CVE-2015-6360.
- Pull request 103 - Makefile.in: Don't hard-code ar.
- Pull request 99 - Various fixes for compiling with Visual Studio.
- Pull request 98 - Do not duplicate shared library when installing.

Please note that 2.0.0 was released recently.
Comment 1 commit-hook freebsd_committer 2016-02-21 08:27:17 UTC
A commit references this bug:

Author: pi
Date: Sun Feb 21 07:47:58 UTC 2016
New revision: 409268
URL: https://svnweb.freebsd.org/changeset/ports/409268

Log:
  net/libsrtp: 1.5.2 -> 1.5.4

  Changes:
  - Fix for CVE-2015-6360.
  - Use BE byte ordering of RTCP trailer.
  - Allow zero length payload on unprotect.

  PR:		207003
  MFH:		2016Q1
  Approved by:	alexander@brovikov.ru (maintainer timeout)

Changes:
  head/net/libsrtp/Makefile
  head/net/libsrtp/distinfo
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-02-21 08:32:26 UTC
Apologies, I missed the creation date of this issue
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2016-02-21 08:32:44 UTC
Comment on attachment 166711 [details]
patch

Maintainer timeout (2+ weeks), implicit approval
Comment 4 Kurt Jaeger freebsd_committer 2016-02-21 08:42:12 UTC
MFH pending ports-secteam approval
Comment 5 commit-hook freebsd_committer 2016-02-21 10:18:27 UTC
A commit references this bug:

Author: pi
Date: Sun Feb 21 10:17:55 UTC 2016
New revision: 409276
URL: https://svnweb.freebsd.org/changeset/ports/409276

Log:
  net/libsrtp: 1.5.2 -> 1.5.4, fixes CVE-2015-6360

  PR:		207003
  MFH:		r409268
  Approved by:	portmgr (miwi)

Changes:
  branches/2016Q1/net/libsrtp/Makefile
  branches/2016Q1/net/libsrtp/distinfo
Comment 6 commit-hook freebsd_committer 2016-02-21 14:56:48 UTC
A commit references this bug:

Author: junovitch
Date: Sun Feb 21 14:55:48 UTC 2016
New revision: 409293
URL: https://svnweb.freebsd.org/changeset/ports/409293

Log:
  Document libsrtp DoS via crafted RTP header vulnerability

  PR:		207003
  Reported by:	pi
  Security:	CVE-2015-6360
  Security:	https://vuxml.FreeBSD.org/freebsd/6171eb07-d8a9-11e5-b2bd-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml