Bug#962680: janus: CVE-2020-13898 CVE-2020-13899 CVE-2020-13900 CVE-2020-13901
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 11 21:50:50 BST 2020
Source: janus
Version: 0.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/meetecho/janus-gateway/pull/2214
Hi,
The following vulnerabilities were published for janus.
CVE-2020-13898[0]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_sdp_process in sdp.c has a NULL pointer
| dereference.
CVE-2020-13899[1]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_process_incoming_request in janus.c discloses
| information from uninitialized stack memory.
CVE-2020-13900[2]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer
| dereference.
CVE-2020-13901[3]:
| An issue was discovered in janus-gateway (aka Janus WebRTC Server)
| through 0.10.0. janus_sdp_merge in sdp.c has a stack-based buffer
| overflow.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-13898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13898
[1] https://security-tracker.debian.org/tracker/CVE-2020-13899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13899
[2] https://security-tracker.debian.org/tracker/CVE-2020-13900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13900
[3] https://security-tracker.debian.org/tracker/CVE-2020-13901
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13901
[4] https://github.com/meetecho/janus-gateway/pull/2214
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-voip-maintainers
mailing list