You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa coturn

Sigurnosni nedostaci programskog paketa coturn

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2020-f3fcb1608a
2020-04-01 02:35:47.694890
——————————————————————————–

Name : coturn
Product : Fedora 30
Version : 4.5.1.1
Release : 3.fc30
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
– RFC 5766 – base TURN specs
– RFC 6062 – TCP relaying TURN extension
– RFC 6156 – IPv6 extension for TURN
– Experimental DTLS support as client protocol.

STUN specs:
– RFC 3489 – “classic” STUN
– RFC 5389 – base “new” STUN specs
– RFC 5769 – test vectors for STUN protocol testing
– RFC 5780 – NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
– UDP (per RFC 5766)
– TCP (per RFC 5766 and RFC 6062)
– TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
– DTLS (experimental non-standard feature)

Supported relay protocols:
– UDP (per RFC 5766)
– TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
– SQLite
– MySQL
– PostgreSQL
– Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
– long-term
– TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
– network load-balancer server
– DNS-based load balancing
– built-in ALTERNATE-SERVER mechanism.

——————————————————————————–
Update Information:

* An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1
web server parses POST requests. A specially crafted HTTP POST request can lead
to information leaks and other misbehavior. * An exploitable denial-of-service
vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests.
A specially crafted HTTP POST request can lead to server crash and denial of
service.
——————————————————————————–
ChangeLog:

* Mon Mar 23 2020 Robert Scheck <robert@fedoraproject.org> – 4.5.1.1-3
– Added upstream patch for CVE-2020-6061 (#1816159)
– Backported upstream patch for CVE-2020-6062 (#1816163)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> – 4.5.1.1-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1816159 – CVE-2020-6061 coturn: specially crafted HTTP POST request can lead to heap overflow which can result in information leak
https://bugzilla.redhat.com/show_bug.cgi?id=1816159
[ 2 ] Bug #1816163 – CVE-2020-6062 coturn: specially crafted HTTP POST request can lead to server crash and denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1816163
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-f3fcb1608a’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2020-305c173af8
2020-04-01 01:54:46.133239
——————————————————————————–

Name : coturn
Product : Fedora 31
Version : 4.5.1.1
Release : 3.fc31
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
– RFC 5766 – base TURN specs
– RFC 6062 – TCP relaying TURN extension
– RFC 6156 – IPv6 extension for TURN
– Experimental DTLS support as client protocol.

STUN specs:
– RFC 3489 – “classic” STUN
– RFC 5389 – base “new” STUN specs
– RFC 5769 – test vectors for STUN protocol testing
– RFC 5780 – NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:
– UDP (per RFC 5766)
– TCP (per RFC 5766 and RFC 6062)
– TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
– DTLS (experimental non-standard feature)

Supported relay protocols:
– UDP (per RFC 5766)
– TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
– SQLite
– MySQL
– PostgreSQL
– Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
– long-term
– TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
– network load-balancer server
– DNS-based load balancing
– built-in ALTERNATE-SERVER mechanism.

——————————————————————————–
Update Information:

* An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1
web server parses POST requests. A specially crafted HTTP POST request can lead
to information leaks and other misbehavior. * An exploitable denial-of-service
vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests.
A specially crafted HTTP POST request can lead to server crash and denial of
service.
——————————————————————————–
ChangeLog:

* Mon Mar 23 2020 Robert Scheck <robert@fedoraproject.org> – 4.5.1.1-3
– Added upstream patch for CVE-2020-6061 (#1816159)
– Backported upstream patch for CVE-2020-6062 (#1816163)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> – 4.5.1.1-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1816159 – CVE-2020-6061 coturn: specially crafted HTTP POST request can lead to heap overflow which can result in information leak
https://bugzilla.redhat.com/show_bug.cgi?id=1816159
[ 2 ] Bug #1816163 – CVE-2020-6062 coturn: specially crafted HTTP POST request can lead to server crash and denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=1816163
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-305c173af8’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

AutorToni Vugdelija
Cert idNCERT-REF-2020-04-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostaci programskog paketa phpMyAdmin

Otkriveni su sigurnosni nedostaci u programskom paketu phpMyAdmin za operacijski sustav Fedora. Otkriveni nedostaci potencijalnim udaljenim napadačima omogućuju stjecanje uvećanih...

Close