strukturag / spreed-webrtc

WebRTC audio/video call and conferencing server.
GNU Affero General Public License v3.0

Security Vulnerabilities #481

Open Lewiscowles1986 opened 4 years ago

Lewiscowles1986 commented 4 years ago

According to AWS ECR, these vulnerabilities are present within the :latest tag you are directing users to download.

Details of Vulnerabilities

| CVE | Component | Severity |
| -- | -- | -- |
| CVE-2016-6301 | busybox:1.24.1-r7 | HIGH |
| CVE-2016-8859 | musl:1.1.12-r5 | HIGH |
| CVE-2016-6304 | openssl:1.0.2h-r1 | HIGH |
| CVE-2016-2182 | openssl:1.0.2h-r1 | HIGH |
| CVE-2016-6303 | openssl:1.0.2h-r1 | HIGH |
| CVE-2016-9843 | zlib:1.2.8-r2 | HIGH |
| CVE-2016-9841 | zlib:1.2.8-r2 | HIGH |
| CVE-2017-15873 | busybox:1.24.1-r7 | MEDIUM |
| CVE-2017-16544 | busybox:1.24.1-r7 | MEDIUM |
| CVE-2017-15650 | musl:1.1.12-r5 | MEDIUM |
| CVE-2017-3736 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2183 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-6302 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2181 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-6306 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2179 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2017-3731 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2017-3732 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2180 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2017-3735 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-7052 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-9840 | zlib:1.2.8-r2 | MEDIUM |
| CVE-2016-9842 | zlib:1.2.8-r2 | MEDIUM |
| CVE-2016-7055 | openssl:1.0.2h-r1 | LOW |

hbrunn commented 4 years ago

I think it's safe to assume that this project is unsupported, and everyone should look for alternatives, like the nextcloud addon by the same developers or their commercial solution.

For the record, I feel okay by now running this Dockerfile until our alternative is as stable as this:

```dockerfile
FROM ubuntu:16.04

# Install spreed-webrtc from the strukturag "unstable" PPA, then patch the
# packaged config (/etc/spreed/webrtc.conf) in place with sed:
# - active keys ("key = ...") are overwritten,
# - commented-out keys (";key = ...") are uncommented and set.
RUN apt-get update &&\
    apt-get install -y software-properties-common &&\
    apt-add-repository ppa:strukturag/spreed-webrtc-unstable &&\
    apt-get update &&\
    apt-get install -y spreed-webrtc &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^\(listen = \).*/\1:8080/' &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^\(sessionSecret = \).*/\1secret/' &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^\(encryptionSecret = \).*/\1secret/' &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^\(serverToken = \).*/\1secret/' &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^;\(title = \).*/\1title/' &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^;\(turnURIs = \).*/\1turn:host:port?transport=udp turn:host:port?transport=tcp/' &&\
    sed -i /etc/spreed/webrtc.conf -e 's/^;\(turnSecret = \).*/\1secret/'

# Run the server in the foreground as the container's main process.
CMD spreed-webrtc-server
```

but of course I suffer a lot of sweat when rebuilding this and hoping that no update breaks the software.
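One way to avoid baking the literal value `secret` into the image for every secret key in that Dockerfile, as an added example that is not part of this issue or of the spreed-webrtc project: a small entrypoint-style POSIX shell script that fills `sessionSecret`, `encryptionSecret`, `serverToken` and `turnSecret` at container start, taking each value from an environment variable when one is supplied (for example from a secret store) and generating a random one otherwise. The config path `/etc/spreed/webrtc.conf` and the key names come from the Dockerfile above; the function names, the environment variable names and the `CONF` default are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the issue or the spreed-webrtc project).
# Fills the secret keys of a spreed-webrtc style "key = value" config at
# container start instead of hard-coding them at image build time.
# Assumptions: key names as in the Dockerfile above; /dev/urandom, od, sed -i
# (GNU or busybox) are available; SESSION_SECRET etc. are our own env names.

CONF="${CONF:-/etc/spreed/webrtc.conf}"

# gen_secret: 32 random bytes from /dev/urandom, hex-encoded (64 characters).
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# set_conf_key FILE KEY VALUE
# Rewrites "KEY = ..." (also when commented out with a leading ';') to
# "KEY = VALUE"; appends the key if it is not present at all.
# VALUE must not contain '|', '&' or '\' (sed replacement metacharacters);
# generated hex values never do, env-supplied values are the caller's job.
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^;\{0,1\}${key} = " "$file"; then
        sed -i -e "s|^;\{0,1\}\(${key} = \).*|\1${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY: prints the active (uncommented) value of KEY.
get_conf_key() {
    sed -n "s/^$2 = //p" "$1"
}

# configure_secrets FILE: env-supplied value if set, fresh random value if not.
configure_secrets() {
    file=$1
    set_conf_key "$file" sessionSecret    "${SESSION_SECRET:-$(gen_secret)}"
    set_conf_key "$file" encryptionSecret "${ENCRYPTION_SECRET:-$(gen_secret)}"
    set_conf_key "$file" serverToken      "${SERVER_TOKEN:-$(gen_secret)}"
    set_conf_key "$file" turnSecret       "${TURN_SECRET:-$(gen_secret)}"
}

# Typical entrypoint use (left as a comment so the file can be sourced):
# configure_secrets "$CONF" && exec spreed-webrtc-server
```

A generated `sessionSecret` or `encryptionSecret` changes on every container start, which invalidates existing sessions; set the corresponding environment variables from a persistent secret if that is not acceptable. `turnSecret` must in any case match the shared secret configured on the TURN server, so it is normally supplied rather than generated.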

Lewiscowles1986 commented 4 years ago

Interesting. I took a different approach running the rebuild here and publishing on 18.04 to make all the notices go away. I feel like the issue should live as it's not fixed though. There is a wontfix label which perfectly describes the situation as an unresolved issue, which can explicitly signal to users the state.

hbrunn commented 4 years ago

And none of us has the permission to set that, so I think this point is quite moot.

Tokarak commented 2 years ago

I was looking for alternatives, and I think this may be the best: holtwick/briefing, which also has a public instance at https://brie.fi/ng. The pluses are a good UI and good encryption; all the components are lightweight and can easily be self-hosted; there are native mobile clients, too. The negatives: the developer is under-funded and unmotivated; no client-side configuration that I can see; the connection to the signalling server isn't quite E2EE; it took me ages to find the documentation (in the GitHub wiki).

I found it using alternativeto.net.