drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mangelnde Rechteprüfung in coturn
| Name: |
Mangelnde Rechteprüfung in coturn |
|
| ID: |
FEDORA-2021-dee141fc61 |
|
| Distribution: |
Fedora |
|
| Plattformen: |
Fedora 33 |
|
| Datum: |
Mi, 20. Januar 2021, 08:21 |
|
| Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26262 |
|
| Applikationen: |
coturn |
|
Originalnachricht |
-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2021-dee141fc61
2021-01-20 01:31:19.232083
-------------------------------------------------------------------------------
-
Name : coturn
Product : Fedora 33
Version : 4.5.2
Release : 1.fc33
URL : https://github.com/coturn/coturn/
Summary : TURN/STUN & ICE Server
Description :
The Coturn TURN Server is a VoIP media traffic NAT traversal server and
gateway.
It can be used as a general-purpose network traffic TURN server/gateway, too.
This implementation also includes some extra features. Supported RFCs:
TURN specs:
- RFC 5766 - base TURN specs
- RFC 6062 - TCP relaying TURN extension
- RFC 6156 - IPv6 extension for TURN
- Experimental DTLS support as client protocol.
STUN specs:
- RFC 3489 - "classic" STUN
- RFC 5389 - base "new" STUN specs
- RFC 5769 - test vectors for STUN protocol testing
- RFC 5780 - NAT behavior discovery support
The implementation fully supports the following client-to-TURN-server
protocols:
- UDP (per RFC 5766)
- TCP (per RFC 5766 and RFC 6062)
- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
- DTLS (experimental non-standard feature)
Supported relay protocols:
- UDP (per RFC 5766)
- TCP (per RFC 6062)
Supported user databases (for user repository, with passwords or keys, if
authentication is required):
- SQLite
- MySQL
- PostgreSQL
- Redis
Redis can also be used for status and statistics storage and notification.
Supported TURN authentication mechanisms:
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)
The load balancing can be implemented with the following tools (either one or a
combination of them):
- network load-balancer server
- DNS-based load balancing
- built-in ALTERNATE-SERVER mechanism.
-------------------------------------------------------------------------------
-
Update Information:
Coturn 4.5.2 ============ - Fix null pointer dereference in case of out of
memory - Add prometheus metrics - Delete trailing whitespace in example
configuration files - Add architecture ppc64le to travis build - Fix
misleading option in doc (prometheus) - Allow RFC6062 TCP relay data to look
like TLS - Add support for proxy protocol V1 - Print full date and time in
logs - Add new options: "new-log-timestamp" and
"new-log-timestamp-format" -
Do not use FIPS and remove hardcode `OPENSSL_VERSION_NUMBER` with LibreSSL -
Add ACME redirect url - Support of `--acme-redirect <URL>` - Fix acme
security, redundancy, consistency - Disable binding request logging to avoid
DoS attacks (Breaking change!) - Add new `--log-binding` option to enable
binding request logging - Fix stale-nonce documentation - Version number is
changed to semver 2.0 - pkg-config, and various cleanups in configure file
-
Add systemd notification for better systemd integration - Fix: Null pointer
dereference on tcp_client_input_handler_rfc6062data function - Fix:
use-after-
free vulnerability on write_to_peerchannel function - Fix: use-after-free
vulnerability on write_client_connection function - Little refactoring
prometheus - Fix c++ support - Simplify - Remove session
id/allocation labels - Remove per session metrics - Fix
CVE-2020-26262
- Fix ipv6 ::1 loopback check - Not allow allocate peer address 0.0.0.0/8
and ::/128 - For more details see the github security advisory:
https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
-------------------------------------------------------------------------------
-
ChangeLog:
* Mon Jan 11 2021 Robert Scheck <robert@fedoraproject.org> - 4.5.2-1
- Upgrade to 4.5.2 (#1914861)
* Sun Sep 27 2020 Christian Glombek <lorbus@fedoraproject.org> -
4.5.1.3-3
- Rebuilt for libevent 2.1.12 soname bump
-------------------------------------------------------------------------------
-
References:
[ 1 ] Bug #1915045 - CVE-2020-26262 coturn: Loopback access control bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1915045
-------------------------------------------------------------------------------
-
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-dee141fc61' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
|
|
|
|
