Debian Security Advisory

DLA-393-1 srtp -- LTS security update

Date Reported: 18 Jan 2016
Affected Packages: srtp
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2015-6360.
More information:

Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue.

(As there is no AEAD mode available in the Squeeze version, only srtp_unprotect() needed to be patched.)
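
The kind of bounds check described above, as an added example; it is not the libsrtp patch or Debian's code. The function name rtp_header_len_checked and the sample packets are assumptions made for illustration, and the header layout follows RFC 3550.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HDR_LEN 12u

/* Hypothetical helper: returns the full RTP header length in bytes
 * (fixed part + CSRC list + extension), or -1 when the CSRC count or
 * the extension length claims more data than the packet contains. */
long rtp_header_len_checked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < RTP_FIXED_HDR_LEN)
        return -1;
    size_t cc = pkt[0] & 0x0f;            /* CSRC count, 0..15 */
    int has_ext = (pkt[0] >> 4) & 1;      /* X bit */
    size_t off = RTP_FIXED_HDR_LEN + 4 * cc;
    if (off > pkt_len)                    /* CSRC list runs past the packet */
        return -1;
    if (has_ext) {
        if (pkt_len - off < 4)            /* no room for the extension header */
            return -1;
        /* 16-bit length field counts 32-bit words after the 4-byte header */
        size_t ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (ext_words * 4 > pkt_len - off) /* extension body runs past the packet */
            return -1;
        off += ext_words * 4;
    }
    return (long)off;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t ok_pkt[26] = {       /* V=2, X=1, CC=1 */
    0x91, 0x60, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1,
    0, 0, 0, 2,                            /* one CSRC */
    0xBE, 0xDE, 0x00, 0x01,                /* extension header, length = 1 word */
    0, 0, 0, 0,                            /* extension body */
    0xAA, 0xBB };                          /* payload */
static const uint8_t bad_cc[16]  = { 0x8F, 0x60 };  /* CC=15 in a 16-byte packet */
static const uint8_t bad_ext[20] = {      /* X=1, extension length 0xFFFF */
    0x90, 0x60, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1,
    0xBE, 0xDE, 0xFF, 0xFF, 0, 0, 0, 0 };

int main(void)
{
    printf("ok_pkt:  %ld\n", rtp_header_len_checked(ok_pkt, sizeof ok_pkt));
    printf("bad_cc:  %ld\n", rtp_header_len_checked(bad_cc, sizeof bad_cc));
    printf("bad_ext: %ld\n", rtp_header_len_checked(bad_ext, sizeof bad_ext));
    return 0;
}
```

A caller would reject the packet on -1 before locating the payload or authentication tag, so no offset derived from attacker-controlled header fields is used unchecked.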