CVE-2022-39269

Name	CVE-2022-39269
Description	PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3335-1, DSA-5358-1
Debian Bugs	1032092

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
asterisk (PTS)	jessie, jessie (lts)	1:11.13.1~dfsg-2+deb8u8	vulnerable
	stretch (security)	1:13.14.1~dfsg-2+deb9u6	fixed
	stretch (lts), stretch	1:13.14.1~dfsg-2+deb9u9	fixed
	buster	1:16.2.1~dfsg-1+deb10u2	vulnerable
	buster (security)	1:16.28.0~dfsg-0+deb10u4	fixed
	bullseye	1:16.28.0~dfsg-0+deb11u3	fixed
	bullseye (security)	1:16.28.0~dfsg-0+deb11u4	fixed
	sid	1:20.6.0~dfsg+~cs6.13.40431414-2	fixed
pjproject (PTS)	jessie, jessie (lts)	2.1.0.0.ast20130823-1+deb8u1	vulnerable
	stretch (security)	2.5.5~dfsg-6+deb9u5	fixed
	stretch (lts), stretch	2.5.5~dfsg-6+deb9u9	fixed
ring (PTS)	stretch (security), stretch (lts), stretch	20161221.2.7bd7d91~dfsg1-1+deb9u1	vulnerable
	buster	20190215.1.f152c98~ds1-1+deb10u1	fixed
	buster (security)	20190215.1.f152c98~ds1-1+deb10u2	fixed
	bullseye	20210112.2.b757bac~ds1-1	fixed
	bookworm	20230206.0~ds2-1.1	fixed
	sid, trixie	20231201.0~ds1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
asterisk	source	jessie	(unfixed)	end-of-life
asterisk	source	stretch	(not affected)
asterisk	source	buster	1:16.28.0~dfsg-0+deb10u2		DLA-3335-1
asterisk	source	bullseye	1:16.28.0~dfsg-0+deb11u2		DSA-5358-1
asterisk	source	(unstable)	1:20.3.0~dfsg+~cs6.13.40431413-1			1032092
pjproject	source	jessie	(unfixed)	end-of-life
pjproject	source	stretch	(not affected)
pjproject	source	(unstable)	(unfixed)
ring	source	stretch	(unfixed)	end-of-life
ring	source	buster	(not affected)
ring	source	bullseye	(not affected)
ring	source	(unstable)	20230206.0~ds1-1

Notes

[bullseye] - ring <not-affected> (Vulnerable code introduced later)
[buster] - ring <not-affected> (Vulnerable code introduced later)
https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
Introduced by: https://github.com/pjsip/pjproject/commit/db4f8f23b9962b4e567faa0784608174376ead8f (2.11)
Fixed by: https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc (2.13)
[stretch] - asterisk <not-affected> (PJSIP library is not bundled)
[stretch] - pjproject <not-affected> (Vulnerable code was introduced later)