Impact
The vulnerability affects applications that uses PJSIP DNS resolver, e.g: in PJSUA/PJSUA2 configured via pjsua_config.nameserver or UaConfig.nameserver.
It doesn't affect PJSIP users that does not utilises PJSIP DNS resolver, i.e: one of the following:
- not configuring
nameserver in PJSUA/PJSUA2 (as described above), so the library will use the OS resolver such as via getaddrinfo(), or
- using an external resolver implementation, i.e: configured using
pjsip_resolver_set_ext_resolver().
Patches
The patch is available as commit 9fae8f4 in the master branch.
Workarounds
A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.
For more information
If you have any questions or comments about this advisory:
Email us at security@pjsip.org
Impact
The vulnerability affects applications that uses PJSIP DNS resolver, e.g: in PJSUA/PJSUA2 configured via
pjsua_config.nameserverorUaConfig.nameserver.It doesn't affect PJSIP users that does not utilises PJSIP DNS resolver, i.e: one of the following:
nameserverin PJSUA/PJSUA2 (as described above), so the library will use the OS resolver such as viagetaddrinfo(), orpjsip_resolver_set_ext_resolver().Patches
The patch is available as commit 9fae8f4 in the master branch.
Workarounds
A workaround is to disable DNS resolution in PJSIP config (by setting
nameserver_countto zero) or use an external resolver implementation instead.For more information
If you have any questions or comments about this advisory:
Email us at security@pjsip.org