Security: Denial of Service in coturn
Name: Denial of Service in coturn
ID: FEDORA-2020-93379267e3
Distribution: Fedora
Platforms: Fedora 32
Date: Mon, 25 May 2020, 08:40
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061
Applications: coturn


Fedora Update Notification
2020-05-25 02:45:28.060622

Name : coturn
Product : Fedora 32
Version :
Release : 1.fc32
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and
It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.

STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)

Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- PostgreSQL
- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.

Update Information:

Coturn
==============
- merge regression fix:
  * Do not display empty CLI passwd alert if CLI is not enabled
- merge PR #359:
  * Remove `turn_free_simple()`
  * Remove `turn_malloc()`
  * Remove `turn_realloc()`
  * Remove `turn_free()`
  * Remove `turn_calloc()`
  * Remove
  * Remove `SSL_NEW()` and `SSL_FREE()`
  * Remove pointer debugging machinery
  * Remove `ns_bzero()`, `ns_bcopy()`, and `ns_bcmp()`
  * Remove `[su]{08,16,32,64}bits` type defines
- merge PR #327
  * Strip white-spaces from config file lines end
- merge PR #386
  * fix the webadmin ip permission add/delete sql injection
- merge PR #390
  * fix mongo driver crash when invalid connection string is used
- merge PR #392 enhanced fread return length check
- merge PR #367 disconnect database gracefully
- merge PR #382
  * Using `SSL_get_version` method for BoringSSL compatibility
  * Now we put in `turn_session_info->tls_method` the real TLS version. Earlier put UNKNOWN in this field if it was a TLS protocol that was not defined supported TLS protocol during compile time.
- merge PR #276 Add systemd service example
- merge PR #284 Add bandwidth usage reporting usage by peers
- merge PR #381 Modifying configure to enable compile with private libraries
- merge PR #455 Typo corrected
- merge PR #417 Append to log files rather to override them
- merge PR #442 Updated incorrect string length check for 'ssh'
- merge PR #449 Fix Dockerfile for latest Debian
- http server NULL dereference
  * Reported (by quarkslab.com, cisco/talos)
  * CVE-2020-6061 / TALOS-2020-0984
- http server out of bound read
  * Reported (by quarkslab.com, cisco/talos)
  * CVE-2020-6061 / TALOS-2020-0984
- merge PR #472 STUN input validation
- merge PR #398 FIPS
- merge PR #478 prod
- merge PR #463 fix typos and grammar
- update travis config images
- merge PR #466 added null check for second char
- merge PR #470 compiler warning fixes
- merge PR #475 Update `README.docker`
- merge PR #471 Fix a memory leak when an SHATYPE isn't supported
- merge PR #488 typos about `INSTALL` filenames
- fix compiler warning comparison between signed and unsigned integer expressions
- fix compiler warning string truncation
- change Diffie Hellman default key length from 1066 to 2066
- merge PR #522 drop of supplementary group IDs
- merge PR #514 Unify spelling of Coturn
- merge PR #506 Rename "prod" config option to attribute"
- merge PR #519 fix config extension in `README.docker`
- PR #516 change sql data dir in `docker-compose-all.yml`
- merge PR #513 trailing spaces from `README`s
- merge PR #525 add flags to disable periodic use of dynamic tables

* Sat May 16 2020 Robert Scheck <robert@fedoraproject.org> -
- Update to

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-93379267e3' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at