Fedora 31: FEDORA-2020-305c173af8 Critical: DoS & Heap Overflow in Coturn

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway.

It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:

- RFC 5766 - base TURN specs

- RFC 6062 - TCP relaying TURN extension

- RFC 6156 - IPv6 extension for TURN

- Experimental DTLS support as client protocol.

STUN specs:

- RFC 3489 - "classic" STUN

- RFC 5389 - base "new" STUN specs

- RFC 5769 - test vectors for STUN protocol testing

- RFC 5780 - NAT behavior discovery support

The implementation fully supports the following client-to-TURN-server protocols:

- UDP (per RFC 5766)

- TCP (per RFC 5766 and RFC 6062)

- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2

- DTLS (experimental non-standard feature)

Supported relay protocols:

- UDP (per RFC 5766)

- TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if

authentication is required):

- SQLite

- MySQL

- PostgreSQL

- Redis

Redis can also be used for status and statistics storage and notification.

Supported TURN authentication mechanisms:

- long-term

- TURN REST API (a modification of the long-term mechanism, for time-limited

secret-based authentication, for WebRTC applications)

The load balancing can be implemented with the following tools (either one or a

combination of them):

- network load-balancer server

- DNS-based load balancing

- built-in ALTERNATE-SERVER mechanism.

* An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1

web server parses POST requests. A specially crafted HTTP POST request can lead

to information leaks and other misbehavior. * An exploitable denial-of-service

vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests.

A specially crafted HTTP POST request can lead to server crash and denial of

service.

* Mon Mar 23 2020 Robert Scheck - 4.5.1.1-3

- Added upstream patch for CVE-2020-6061 (#1816159)

- Backported upstream patch for CVE-2020-6062 (#1816163)

* Tue Jan 28 2020 Fedora Release Engineering - 4.5.1.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

[ 1 ] Bug #1816159 - CVE-2020-6061 coturn: specially crafted HTTP POST request can lead to heap overflow which can result in information leak

https://bugzilla.redhat.com/show_bug.cgi?id=1816159

[ 2 ] Bug #1816163 - CVE-2020-6062 coturn: specially crafted HTTP POST request can lead to server crash and denial of service

https://bugzilla.redhat.com/show_bug.cgi?id=1816163

su -c 'dnf upgrade --advisory FEDORA-2020-305c173af8' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/