Bug#869404: resiprocate: CVE-2017-11521: Adding too many media connections may lead to memory exhaustion

Moritz Muehlenhoff jmm at debian.org
Sat Sep 30 22:34:05 UTC 2017


On Sun, Jul 23, 2017 at 07:55:20AM +0200, Salvatore Bonaccorso wrote:
> Source: resiprocate
> Version: 1:1.9.7-5
> Severity: grave
> Tags: upstream security
> Forwarded: https://github.com/resiprocate/resiprocate/pull/88
> 
> Hi,
> 
> the following vulnerability was published for resiprocate.
> 
> CVE-2017-11521[0]:
> | The SdpContents::Session::Medium::parse function in
> | resip/stack/SdpContents.cxx in reSIProcate 1.10.2 allows remote
> | attackers to cause a denial of service (memory consumption) by
> | triggering many media connections.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-11521
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11521
> [1] https://github.com/resiprocate/resiprocate/pull/88

What's the status? This has been unfixed for many months now.

Cheers,
        Moritz


