important: libsrtp/net-snmp security update
important
An update for libsrtp/net-snmp is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
libsrtp: This package provides an implementation of the Secure Real-time Transport Protocol (SRTP), the Universal Security Transform (UST), and a supporting cryptographic kernel.
net-snmp: The net-snmp-gui package contains the tkmib utility, which is a graphical user interface for browsing the Message Information Bases (MIBs). It is also capable of interactively sending SNMP management information to, or retrieving it from, remote agents. Install the net-snmp-gui package if you want to use this interactive utility.
Security Fix(es):
libsrtp: The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686. (CVE-2015-6360)
libsrtp: Buffer overflow in srtp.c in libsrtp in srtp 1.4.5 and earlier allows remote attackers to cause a denial of service (crash) via vectors related to a length inconsistency in the crypto_policy_set_from_profile_for_rtp and srtp_protect functions. (CVE-2013-2139)
libsrtp: bugfix
net-snmp: A flaw was found in Net-SNMP through version 5.73: an Improper Privilege Management issue occurs because SNMP WRITE access to the EXTEND MIB allows running arbitrary commands as root. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability. (CVE-2020-15862)
net-snmp: bugfix
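Because CVE-2020-15862 depends on SNMP WRITE access reaching the EXTEND MIB, a host can be checked for such grants before and after patching. The following is an added example, not part of the NewStart advisory or the net-snmp project; it assumes the standard snmpd.conf `rwcommunity`/`rwcommunity6`/`rwuser` directive syntax and the nsExtendObjects OID .1.3.6.1.4.1.8072.1.3.2, and it does not resolve VACM `view`/`access` lines (named views are reported as "review").

```python
# nsExtendObjects subtree of NET-SNMP-EXTEND-MIB (assumed target of the check)
EXTEND_OID = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)
LEVELS = {"noauth", "auth", "priv"}

def covers_extend(scope):
    """Return 'yes', 'no' or 'review' for an OID / -V VIEW restriction."""
    if scope is None:
        return "yes"                      # no restriction: whole tree is writable
    if scope.startswith("-V"):
        return "review"                   # named view: resolve its view lines by hand
    try:
        oid = tuple(int(p) for p in scope.strip(".").split("."))
    except ValueError:
        return "review"                   # symbolic OID, not resolved here
    n = min(len(oid), len(EXTEND_OID))    # overlap if either is a prefix of the other
    return "yes" if oid[:n] == EXTEND_OID[:n] else "no"

def audit_snmpd_conf(text):
    """List (line, directive, principal, verdict) for every write grant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] not in ("rwcommunity", "rwcommunity6", "rwuser"):
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "rwuser" and args[:1] == ["-s"]:
            args = args[2:]               # skip "-s SECMODEL"
        if not args:
            continue                      # malformed line, nothing granted
        principal, rest = args[0], args[1:]
        if directive == "rwuser":
            if rest and rest[0] in LEVELS:
                rest = rest[1:]           # drop the security level
        else:
            rest = rest[1:]               # drop the SOURCE field
        scope = " ".join(rest[:2]) if rest[:1] == ["-V"] else (rest[0] if rest else None)
        findings.append((lineno, directive, principal, covers_extend(scope)))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = "\n".join([
    "# constructed sample",
    "rocommunity public default",
    "rwcommunity s3cret 10.0.0.0/8",
    "rwcommunity ops 127.0.0.1 .1.3.6.1.2.1.1",
    "rwuser -s usm admin priv -V sysview",
    "rwuser backup auth .1.3.6.1.4.1.8072",
])
```

Pass the text of the host's snmpd.conf to `audit_snmpd_conf`; any "yes" verdict is a write grant that includes the EXTEND MIB and should be removed or narrowed in addition to applying the update.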
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F11B5.