Debian 10267 Published by

A pjproject security update has been released for Debian GNU/Linux 9 LTS to address multiple security issues.



DLA 3036-1: pjproject security update



- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3036-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Abhijith PA
May 31, 2022   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : pjproject
Version : 2.5.5~dfsg-6+deb9u5
CVE ID : CVE-2022-24763 CVE-2022-24792 CVE-2022-24793

Multiple security issues were discovered in pjproject, is a free and
open source multimedia communication library

CVE-2022-24763

a denial-of-service vulnerability that affects PJSIP users that
consume PJSIP's XML parsing in their apps.

CVE-2022-24792

A denial-of-service vulnerability affects applications on a 32-bit
systems to play/read invalid WAV files. The vulnerability occurs
when reading WAV file data chunks with length greater than 31-bit
integers. The vulnerability does not affect 64-bit apps and should
not affect apps that only plays trusted WAV files

CVE-2022-24793

A buffer overflow vulnerability affects applications that uses
PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an
external resolver.

For Debian 9 stretch, these problems have been fixed in version
2.5.5~dfsg-6+deb9u5.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/pjproject

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS