[Buildroot] [PATCH 1/1] package/libpjsip: security bump to version 2.14

[Buildroot] [PATCH 1/1] package/libpjsip: security bump to version 2.14

[Fabrice Fontaine]

Fix CVE-2023-38703: PJSIP is a free and open source multimedia
communication library written in C with high level API in C, C++, Java,
C#, and Python languages. SRTP is a higher level media transport which
is stacked upon a lower level media transport such as UDP and ICE.
Currently a higher level transport is not synchronized with its lower
level transport that may introduce use-after-free issue. This
vulnerability affects applications that have SRTP capability
(`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
than UDP. This vulnerability’s impact may range from unexpected
application termination to control flow hijack/memory corruption. The
patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/releases/tag/2.14

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libpjsip/libpjsip.hash | 2 +-
 package/libpjsip/libpjsip.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libpjsip/libpjsip.hash b/package/libpjsip/libpjsip.hash
index 2edd97bed4..d72e1090e3 100644
--- a/package/libpjsip/libpjsip.hash
+++ b/package/libpjsip/libpjsip.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  32a5ab5bfbb9752cb6a46627e4c410e61939c8dbbd833ac858473cfbd9fb9d7d  pjproject-2.13.1.tar.gz
+sha256  5805c1171acab4af9684d7ad096dcb92f71fc42809852144e97e1413468c9981  pjproject-2.14.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/libpjsip/libpjsip.mk b/package/libpjsip/libpjsip.mk
index f97d547fd7..8169e0dcee 100644
--- a/package/libpjsip/libpjsip.mk
+++ b/package/libpjsip/libpjsip.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBPJSIP_VERSION = 2.13.1
+LIBPJSIP_VERSION = 2.14
 LIBPJSIP_SOURCE = pjproject-$(LIBPJSIP_VERSION).tar.gz
 LIBPJSIP_SITE = $(call github,pjsip,pjproject,$(LIBPJSIP_VERSION))
 
-- 
2.42.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libpjsip: security bump to version 2.14

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-38703: PJSIP is a free and open source multimedia
 > communication library written in C with high level API in C, C++, Java,
 > C#, and Python languages. SRTP is a higher level media transport which
 > is stacked upon a lower level media transport such as UDP and ICE.
 > Currently a higher level transport is not synchronized with its lower
 > level transport that may introduce use-after-free issue. This
 > vulnerability affects applications that have SRTP capability
 > (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
 > than UDP. This vulnerability’s impact may range from unexpected
 > application termination to control flow hijack/memory corruption. The
 > patch is available as a commit in the master branch.

 > https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
 > https://github.com/pjsip/pjproject/releases/tag/2.14

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libpjsip: security bump to version 2.14

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-38703: PJSIP is a free and open source multimedia
 > communication library written in C with high level API in C, C++, Java,
 > C#, and Python languages. SRTP is a higher level media transport which
 > is stacked upon a lower level media transport such as UDP and ICE.
 > Currently a higher level transport is not synchronized with its lower
 > level transport that may introduce use-after-free issue. This
 > vulnerability affects applications that have SRTP capability
 > (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
 > than UDP. This vulnerability’s impact may range from unexpected
 > application termination to control flow hijack/memory corruption. The
 > patch is available as a commit in the master branch.

 > https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
 > https://github.com/pjsip/pjproject/releases/tag/2.14

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot