Bug 1185874 - (CVE-2021-28899) VUL-1: CVE-2021-28899: live555: Vulnerability in the Networks LIVE555 Streaming Media before 2021.3.16
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Sound
Version: Leap 15.2
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Assigned To: Takashi Iwai
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/283184/
Reported: 2021-05-10 15:45 UTC by Gianluca Gabrielli
Modified: 2021-07-08 19:37 UTC

Found By: Security Response Team

Description Gianluca Gabrielli 2021-05-10 15:45:20 UTC
CVE-2021-28899

Vulnerability in the AC3AudioFileServerMediaSubsession,
ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive
OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media
before 2021.3.16.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28899
http://lists.live555.com/pipermail/live-devel/2021-March/021891.html
Comment 1 Gianluca Gabrielli 2021-05-10 15:47:27 UTC
Please update the following packages to version 2021.03.16:

- openSUSE:Factory/live555
- openSUSE:Leap:15.0:Update/live555
Comment 2 Andreas Stieger 2021-05-10 18:00:40 UTC
(In reply to Gianluca Gabrielli from comment #1)
> - openSUSE:Leap:15.0:Update/live555

No, that's EOL. Did you mean openSUSE:Leap:15.2:Update/live555?
Comment 3 Dave Plater 2021-05-11 05:32:46 UTC
Sorry, I'm busy atm and can't tackle this immediately. A simple update to:
http://www.live555.com/liveMedia/public/live.2021.05.03.tar.gz
is all that's needed.
Comment 4 Gianluca Gabrielli 2021-05-11 07:19:02 UTC
(In reply to Andreas Stieger from comment #2)
> (In reply to Gianluca Gabrielli from comment #1)
> > - openSUSE:Leap:15.0:Update/live555
> 
> No, that's EOL. Did you mean openSUSE:Leap:15.2:Update/live555?

You are correct, I meant openSUSE:Leap:15.2:Update/live555
Comment 5 Gianluca Gabrielli 2021-05-11 07:22:32 UTC
(In reply to Dave Plater from comment #3)
> Sorry, I'm busy atm and can't tackle this immediately. A simple update to:
> http://www.live555.com/liveMedia/public/live.2021.05.03.tar.gz
> is all that's needed.

This is not an urgent update, I reached out to you because you were maintaining this package previously for the community. Please feel free to take this action whenever is better for you. Thanks!
Comment 6 Takashi Iwai 2021-06-17 13:52:03 UTC
OK, now I submitted the upgrade to 2021.05.22 for TW. Will submit the same for Leap 15.2 and 15.3, too.
Comment 7 OBSbugzilla Bot 2021-06-17 14:30:12 UTC
This is an autogenerated message for OBS integration:
This bug (1185874) was mentioned in
https://build.opensuse.org/request/show/900594 15.2 / live555
https://build.opensuse.org/request/show/900595 Backports:SLE-15-SP3 / live555
Comment 8 Takashi Iwai 2021-06-17 16:46:39 UTC
... and this ended up with the ABI breakage including SO version bumps of library packages. That means the binaries that do link with the old libs have to be rebuilt anyway, and Dominique mentioned that the only such one seems to be in Packman.
Comment 9 Swamp Workflow Management 2021-06-24 19:16:10 UTC
openSUSE-SU-2021:0915-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146283,1185874
CVE References: CVE-2019-15232,CVE-2021-28899
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    live555-2021.05.22-lp152.3.6.1
Comment 10 Swamp Workflow Management 2021-06-28 01:17:14 UTC
openSUSE-SU-2021:0937-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146283,1185874
CVE References: CVE-2019-15232,CVE-2021-28899
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    live555-2021.05.22-bp152.4.4.1
Comment 11 Swamp Workflow Management 2021-07-08 19:37:41 UTC
openSUSE-SU-2021:1004-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146283,1185874
CVE References: CVE-2019-15232,CVE-2021-28899
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    live555-2021.05.22-bp153.2.3.1