Debian Bug report logs - #1000831
janus: CVE-2021-4020


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 29 Nov 2021 21:09:01 UTC

Severity: normal

Tags: security, upstream

Found in version janus/0.11.5-3

Fixed in version janus/0.11.5-4

Done: Jonas Smedegaard <dr@jones.dk>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1000831; Package src:janus. (Mon, 29 Nov 2021 21:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 29 Nov 2021 21:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: janus: CVE-2021-4020
Date: Mon, 29 Nov 2021 22:05:46 +0100
Source: janus
Version: 0.11.5-3
Severity: normal
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for janus.

CVE-2021-4020[0]:
| janus-gateway is vulnerable to Improper Neutralization of Input During
| Web Page Generation ('Cross-site Scripting')

AFAICS the issues are only in files packaged as janus-demo. So still
tracking to properly mark it as fixed once the fix is included/applied
in unstable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-4020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4020
[1] https://github.com/meetecho/janus-gateway/commit/ba166e9adebfe5343f826c6a9e02299d35414ffd
[2] https://huntr.dev/bounties/9814baa8-7bdd-4e31-a132-d9d15653409e/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Tue, 30 Nov 2021 08:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 Nov 2021 08:36:06 GMT)


Message #10 received at 1000831-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1000831-close@bugs.debian.org
Subject: Bug#1000831: fixed in janus 0.11.5-4
Date: Tue, 30 Nov 2021 08:34:10 +0000
Source: janus
Source-Version: 0.11.5-4
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
janus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000831@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated janus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 30 Nov 2021 11:16:19 +0100
Source: janus
Architecture: source
Version: 0.11.5-4
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 1000831
Changes:
 janus (0.11.5-4) unstable; urgency=high
 .
   * add patch cherry-picked upstream
     to fix potential Cross-site Scripting (XSS) exploits in demos;
     closes: bug#1000831, thanks to Salvatore Bonaccorso;
     CVE-2021-4020
   * set urgency=high due to security fix
Checksums-Sha1:
 95e4cc8121c5a07f2e4facc29c37116551817215 2843 janus_0.11.5-4.dsc
 f860724e2f36e66a4a4a41c6c506926827015eac 23332 janus_0.11.5-4.debian.tar.xz
 03cc3d227a06afac369e381481d72a1791df7075 18185 janus_0.11.5-4_amd64.buildinfo
Checksums-Sha256:
 a3b7d3b0a423327153e4ea8b9667fdfc7c69a0932eca029ec3ccf2f69a3d5ee0 2843 janus_0.11.5-4.dsc
 2249fab2b8fe00147fbe8cd48c6a682e7fc09addfa6d28438897c572cc50b2fc 23332 janus_0.11.5-4.debian.tar.xz
 33385a71aa19074144b31c76208afc19fa01074fb0dbf8118a14f69c51692688 18185 janus_0.11.5-4_amd64.buildinfo
Files:
 ada4212284912a287283bd6092d2c8a5 2843 comm optional janus_0.11.5-4.dsc
 a9f17b6d001ef9d3f5247453874d6f6e 23332 comm optional janus_0.11.5-4.debian.tar.xz
 756db0bc817c6b0d675664b0674ffe67 18185 comm optional janus_0.11.5-4_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Nov 30 14:39:13 2021; Machine Name: buxtehude
