UbuntuUpdates.org

Package "coturn"

Name: coturn

Description: TURN and STUN server for VoIP

Latest version: 4.5.0.7-1ubuntu2.18.04.2
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://github.com/coturn/coturn/


Other versions of "coturn" in Bionic

Repository Area Version
base universe 4.5.0.7-1ubuntu2
updates universe 4.5.0.7-1ubuntu2.18.04.2

Changelog

Version: 4.5.0.7-1ubuntu2.18.04.2 2020-07-06 19:06:50 UTC

  coturn (4.5.0.7-1ubuntu2.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Heap-buffer overflow in HTTP POST request
    - debian/patches/CVE-2020-6061.patch: Fix overflow
    - CVE-2020-6061
  * SECURITY UPDATE: DoS when parsing certain HTTP POST request
    - debian/patches/CVE-2020-6062.patch: Fix parsing of POST requests
    - CVE-2020-6062
  * SECURITY UPDATE: Information leak between different client connections
    - debian/patches/CVE-2020-4067.patch: initialize with zero any new or
      reused stun buffers
    - CVE-2020-4067

 -- Eduardo Barretto <email address hidden> Thu, 02 Jul 2020 12:49:53 -0300

CVE-2020-6061 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request ca
CVE-2020-6062 An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST reques
CVE-2020-4067 In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information bet

Version: 4.5.0.7-1ubuntu2.18.04.1 2019-02-14 22:06:29 UTC

  coturn (4.5.0.7-1ubuntu2.18.04.1) bionic-security; urgency=medium

  * [1328ae1] HotFix: for 3 Vulnerability.
    For more details see:
    - CVE-2018-4056 - coTURN Administrator Web Portal SQL injection vulnerability
    - CVE-2018-4058 - coTURN TURN server unsafe loopback forwarding default configuration vulnerability
    - CVE-2018-4059 - coTURN server unsafe telnet admin portal default configuration vulnerability
    These patches hotfix the 3 CVEs above.
    * Disable-Web-admin-interface-due-Security-Vulnerability.patch
    It disables hardcoded web admin interface until 4.5.1.0 where it will be fixed correctly.
    * Disable-loopback-peers-due-Vulnerability.patch
    Disable by default loopback-peer functionality.
    * empty-cli-password-not-allowed-disable-telnet-cli.patch
    Disable telnet cli if the cli-password is empty.

 -- Mészáros Mihály <email address hidden> Wed, 06 Feb 2019 14:56:38 +0100

CVE-2018-4056 An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a


