Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 15 articles for you...
89
security advisoryfedoraformat stringFedora 42 Coturn 4.11.0 Advisory for Fixes on Memory Leak Format-String
Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-dfa8ea5809 2026-05-18 01:23:32.591546+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 42 Version : 4.11.0 Release : 1.fc42 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-dfa8ea5809' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
May 18, 2026
•Important
Fedora
89
security advisoryfedoraimportantFedora 43 Coturn Important Memory Leak and Injection Fix 2026-f0fbd93125
Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-f0fbd93125 2026-05-18 00:58:32.597402+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 43 Version : 4.11.0 Release : 1.fc43 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-f0fbd93125' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
May 18, 2026
•Important
Fedora
89
security advisorydenial of servicefedoraFedora 44 Coturn 4.10.0 Moderate STUN Memory Access Issue 2026-1c11dc3e37
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-1c11dc3e37 2026-04-25 01:21:36.173379+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 44 Version : 4.10.0 Release : 1.fc44 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented with the following tools (either one ora combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme files about deprecated TLSv1/1.1 Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0 Change port identifiers to use uint16_t Fixes: run_tests.sh and no db Improve PostgreSQL.md clarity Add session usage reporting callback to TURN database driver CLI interface is disabled by default -------------------------------------------------------------------------------- ChangeLog: * Fri Apr 17 2026 Robert Scheck - 4.10.0-1 - Upgrade to 4.10.0 (#2458094) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages https://bugzilla.redhat.com/show_bug.cgi?id=2460213 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1c11dc3e37' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Apr 25, 2026
•Important
Fedora
89
security advisorydenial of servicefedoraFedora 43 Coturn 4.10.0 Security Update CVE-2026-40613 Denial of Service
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-1adc5f1ef8 2026-04-25 01:42:21.312856+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 43 Version : 4.10.0 Release : 1.fc43 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented with the following tools (either one ora combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme files about deprecated TLSv1/1.1 Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0 Change port identifiers to use uint16_t Fixes: run_tests.sh and no db Improve PostgreSQL.md clarity Add session usage reporting callback to TURN database driver CLI interface is disabled by default -------------------------------------------------------------------------------- ChangeLog: * Fri Apr 17 2026 Robert Scheck - 4.10.0-1 - Upgrade to 4.10.0 (#2458094) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages https://bugzilla.redhat.com/show_bug.cgi?id=2460213 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1adc5f1ef8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Apr 25, 2026
•Important
Fedora
89
security advisorydenial of servicefedoraFedora 42 Coturn Faces Severe Memory Problems with CVE-2026-40613
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-e673311164 2026-04-25 00:52:53.710799+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 42 Version : 4.10.0 Release : 1.fc42 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented with the following tools (either one ora combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme files about deprecated TLSv1/1.1 Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0 Change port identifiers to use uint16_t Fixes: run_tests.sh and no db Improve PostgreSQL.md clarity Add session usage reporting callback to TURN database driver CLI interface is disabled by default -------------------------------------------------------------------------------- ChangeLog: * Fri Apr 17 2026 Robert Scheck - 4.10.0-1 - Upgrade to 4.10.0 (#2458094) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages https://bugzilla.redhat.com/show_bug.cgi?id=2460213 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-e673311164' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Apr 25, 2026
•Critical
Fedora
202
security advisorymoderatesecurity issueopenSUSE Tumbleweed coturn Vulnerability Warning OpenSUSE-SU-2026-10376-2
An update that solves 2 vulnerabilities can now be installed.. # coturn-4.9.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:10375-1 Rating: moderate Cross-References: * CVE-2025-69217 * CVE-2026-27624 CVSS scores: * CVE-2025-69217 ( SUSE ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Affected Products: * openSUSE Tumbleweed An update that solves 2 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the coturn-4.9.0-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * coturn 4.9.0-1.1 * coturn-devel 4.9.0-1.1 * coturn-utils 4.9.0-1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-69217.html * https://www.suse.com/security/cve/CVE-2026-27624.html . Update for openSUSE Tumbleweed addresses two security issues in coturn application. Recommended updates for users.. openSUSE,Tumbleweed,coturn,security updates,application vulnerabilities. . LinuxSecurity.com Team
Mar 19, 2026
OpenSUSE
203
security advisorysecurity issueimportantMageia 9 Coturn Important ACL Bypass Vulnerability Fix MGASA-2026-0051
MGASA-2026-0051 - Updated coturn packages fix security vulnerability. MGASA-2026-0051 - Updated coturn packages fix security vulnerability Publication date: 09 Mar 2026 URL: https://advisories.mageia.org/MGASA-2026-0051.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-27624 Description: IPv4-mapped IPv6 (::ffff:0:0/96) bypasses denied-peer-ip ACL. (CVE-2026-27624) References: - https://bugs.mageia.org/show_bug.cgi?id=35179 - https://lists.fedoraproject.org/archives/list/
Mar 09, 2026
•Important
Mageia
89
security advisoryfedoraimportantFedora 42 Coturn Important Security Bypass Fix CVE-2026-27624
Coturn 4.9.0 Multiple security fixes Fix to Web Admin password check Cleanup of deprecated OpenSSL APIs Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-2a1aa1f57f 2026-03-05 01:12:27.918887+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 42 Version : 4.9.0 Release : 1.fc42 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented with the following tools (either one or a combinationof them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.9.0 Multiple security fixes Fix to Web Admin password check Cleanup of deprecated OpenSSL APIs Fix for CVE-2026-27624: Bypass localhost and IP range block using IPv4-mapped IPv6 -------------------------------------------------------------------------------- ChangeLog: * Wed Feb 25 2026 Robert Scheck - 4.9.0-1 - Upgrade to 4.9.0 (#2442144) - Add patch to build successfully using OpenSSL 1.1.1 on RHEL 8 * Fri Jan 16 2026 Fedora Release Engineering - 4.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Jan 16 2026 Fedora Release Engineering - 4.8.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2442550 - CVE-2026-27624 coturn: IPv4-mapped IPv6 bypasses denied-peer-ip ACL https://bugzilla.redhat.com/show_bug.cgi?id=2442550 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-2a1aa1f57f' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Mar 05, 2026
•Important
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!