
Debian: DLA-2962-1 Critical pjproject Denial Of Service Issues

Debian LTS
March 28, 2022
A recent Debian LTS notice addresses several vulnerabilities identified in pjproject and urges immediate package updates.
Multiple security issues were discovered in pjproject, a free and open source multimedia communication library.

Summary

CVE-2021-32686

First, a race condition between callback and destroy, due to the
accepted socket having no group lock. Second, the SSL socket
parent/listener may get destroyed during handshake. Both cause a
crash, resulting in a denial of service.

CVE-2021-37706

When an incoming STUN message contains an ERROR-CODE attribute, the
header length is not checked before performing a subtraction
operation, potentially resulting in an integer underflow.
This issue affects all users that use STUN. A malicious actor
located within the victim's network may forge and send a specially
crafted UDP (STUN) message that could remotely execute arbitrary
code on the victim's machine.
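
An added example, not pjproject's code and not part of the advisory: a minimal C parser for a STUN ERROR-CODE attribute (layout per RFC 5389) that shows how an unchecked length subtraction wraps, next to a parse that validates the length first. The struct, function and macro names are hypothetical, and the assumption is that the subtraction removes the 4 fixed bytes of the attribute value to get the reason phrase length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUN_ATTR_ERROR_CODE 0x0009u /* attribute type, RFC 5389 */
#define ATTR_HDR_LEN  4u   /* type(2) + length(2) */
#define ERR_FIXED_LEN 4u   /* reserved(2) + class(1) + number(1) */
#define REASON_MAX    763u /* RFC 5389 byte bound on the reason phrase */

struct error_code { int code; char reason[REASON_MAX + 1]; };

/* The unchecked arithmetic: for attr_len < 4 the unsigned subtraction
 * wraps to a value near SIZE_MAX instead of going negative. */
size_t reason_len_unchecked(uint16_t attr_len)
{
    return (size_t)attr_len - ERR_FIXED_LEN;
}

/* Hardened parse. buf points at the attribute header and buf_len is the
 * number of bytes left in the datagram. Returns 0 on success, -1 if the
 * attribute is malformed. */
int parse_error_code(const uint8_t *buf, size_t buf_len, struct error_code *out)
{
    if (buf_len < ATTR_HDR_LEN)
        return -1;
    uint16_t type = (uint16_t)(buf[0] << 8 | buf[1]);
    uint16_t attr_len = (uint16_t)(buf[2] << 8 | buf[3]);
    if (type != STUN_ATTR_ERROR_CODE)
        return -1;
    if (attr_len < ERR_FIXED_LEN)                  /* check BEFORE subtracting */
        return -1;
    if ((size_t)attr_len > buf_len - ATTR_HDR_LEN) /* value must fit in buffer */
        return -1;
    size_t reason_len = (size_t)attr_len - ERR_FIXED_LEN;
    if (reason_len > REASON_MAX)
        return -1;
    const uint8_t *val = buf + ATTR_HDR_LEN;
    int cls = val[2] & 0x07, num = val[3];
    if (cls < 3 || cls > 6 || num > 99)            /* RFC 5389 value ranges */
        return -1;
    out->code = cls * 100 + num;
    memcpy(out->reason, val + ERR_FIXED_LEN, reason_len);
    out->reason[reason_len] = '\0';
    return 0;
}
```

The two rejections that matter are the lower bound on the declared length and the comparison against the bytes actually received; either one missing leaves the copy length attacker-influenced.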

CVE-2021-41141

In various parts of PJSIP, when an error or failure occurs, the
function returns without releasing the currently held locks.
This could result in a system deadlock, causing a denial of
service for users.

CVE-2021-43299



Severity: critical

Package: pjproject
Version: 2.5.5~dfsg-6+deb9u3
CVE ID: CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299
