Last week Mark Dowd found a few vulnerabilities in the libzrtpcpp implementation and reported them. Based on Mark's report and feedback I fixed these vulnerabilities and pushed the changes back to the GitHub repository. The fixes do not affect the external API, but I advise any developer/user of the ZRTP4PJ transport to check and get the latest updates from GitHub and recompile/rebuild their applications:

https://github.com/wernerd/ZRTPCPP

Thank you.

Some info about a ZRTPCPP/ZRTP4PJ copycat:

I got some information about an 'open-zrtp' implementation that was licensed under LGPL. I checked this implementation and found that it contains most of the original zrtpcpp and the PJSIP zrtp transport code, often copied verbatim, including comments (and the typos in the comments :-) ). The author did not attribute the original zrtpcpp implementation and even copied/used sources without attribution that I got from others and where I use the correct attribution. The author of open-zrtp claims copyrights to sources which do not belong to him.

It seems that the open-zrtp code is no longer maintained and thus does not contain enhancements and fixes that I did during the last months, and of course this code does not contain the fixes for the vulnerabilities that Mark found. Please check if your PJSIP application uses this code and maybe change the code base.

Werner

--
----------------------------------------------
Werner Dittmann
Werner.Dittmann at t-online.de
Tel +49 173 44 37 659
PGP key: 82EF5E8B