Explore top 10 tips to secure your open-source projects now. Read More
×
Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-dfa8ea5809 2026-05-18 01:23:32.591546+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 42 Version : 4.11.0 Release : 1.fc42 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-dfa8ea5809' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3b3139882c 2026-05-18 00:40:49.529034+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 44 Version : 4.11.0 Release : 1.fc44 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-3b3139882c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
fix CVE-2026-6842 and CVE-29026-6843 Resolves: CVE-2026-6842 Resolves: CVE-2026-6843 Resolves: rhbz#2455127 Resolves: rhbz#2455314. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3111ffa11a 2026-05-03 00:48:41.051402+00:00 -------------------------------------------------------------------------------- Name : nano Product : Fedora 44 Version : 8.7.1 Release : 2.fc44 URL : https://www.nano-editor.org Summary : A small text editor Description : GNU nano is a small and friendly text editor. -------------------------------------------------------------------------------- Update Information: fix CVE-2026-6842 and CVE-29026-6843 Resolves: CVE-2026-6842 Resolves: CVE-2026-6843 Resolves: rhbz#2455127 Resolves: rhbz#2455314 -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 30 2026 Luk\u0161 Zaoral - 8.7.1-2 - fix CVE-2026-6842 and CVE-29026-6843 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2455127 - [Security] Format String Vulnerability in nano's statusline() via errormessage Buffer https://bugzilla.redhat.com/show_bug.cgi?id=2455127 [ 2 ] Bug #2460502 - CVE-2026-6842 nano: nano: Local attacker can inject malicious .desktop launcher due to insecure directory permissions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460502 [ 3 ] Bug #2460503 - CVE-2026-6843 nano: nano: Format string vulnerability leads to Denial of Service [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460503 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-3111ffa11a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages aresigned with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update for Fedora 44 addressing CVE-2026-6842 and CVE-2026-6843 vulnerabilities in nano editor available now.. Fedora Update, CVE-2026-6842, CVE-2026-6843, Nano Editor Security, Format String Vulnerability. . Severity: Important. LinuxSecurity.com Team
This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-8c07fcde49 2026-03-27 01:16:52.247657+00:00 -------------------------------------------------------------------------------- Name : rubygem-json Product : Fedora 43 Version : 2.13.2 Release : 2.fc43 URL : https://github.com/ruby/json Summary : A JSON implementation in Ruby Description : This is a implementation of the JSON specification according to RFC 4627 in Ruby. You can think of it as a low fat alternative to XML, if you want to store data to disk or transmit it over a network rather than use a verbose markup language. -------------------------------------------------------------------------------- Update Information: This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210 -------------------------------------------------------------------------------- ChangeLog: * Fri Mar 20 2026 Mamoru TASAKA - 2.13.2-2 - Backport upstream fix for format string injection vulnerability in JSON.parse (CVE-2026-33210) -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-8c07fcde49' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list
In versions of the PHP 3 packages before version 3.0.17, several formatstring bugs could allow properly crafted requests to execute code as theuser running PHP scripts on the web server, particularly if error loggingwas enabled. . - ---------------------------------------------------------------------------- Debian Security Advisory
A vulnerability has been discovered in libinput where an attacker may run malicous code by exploiting a format string vulnerability.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202310-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libinput: format string vulnerability when using xf86-input-libinput Date: October 26, 2023 Bugs: #839729 ID: 202310-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in libinput where an attacker may run malicous code by exploiting a format string vulnerability. Background ========== A library to handle input devices in Wayland and, via xf86-input- libinput, in X.org. Affected packages ================= Package Vulnerable Unaffected ----------------- ------------ ------------ dev-libs/libinput < 1.20.1 > = 1.20.1 Description =========== An attacker may be able to run malicious code by exploiting a format string vulnerability. Please review the CVE identifier referenced below for details. Impact ====== When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root. The device name ends up as part of the format string and a kernel device with printf-style format string placeholders in the device name can enable an attacker to run malicious code. An exploit is possible through any device where the attacker controls the device name, e.g. /dev/uinput or Bluetooth devices. Workaround ========== There is no known workaround at this time. Resolution ========== All libinputusers should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-libs/libinput-1.20.1" References ========== [ 1 ] CVE-2022-1215 https://nvd.nist.gov/vuln/detail/CVE-2022-1215 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202310-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2022-5257 https://linux.oracle.com/errata/ELSA-2022-5257.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: libinput-1.19.3-2.el9_0.i686.rpm libinput-1.19.3-2.el9_0.x86_64.rpm libinput-utils-1.19.3-2.el9_0.x86_64.rpm libinput-devel-1.19.3-2.el9_0.i686.rpm libinput-devel-1.19.3-2.el9_0.x86_64.rpm aarch64: libinput-1.19.3-2.el9_0.aarch64.rpm libinput-utils-1.19.3-2.el9_0.aarch64.rpm libinput-devel-1.19.3-2.el9_0.aarch64.rpm SRPMS: https://oss.oracle.com:443/ol9/SRPMS-updates/libinput-1.19.3-2.el9_0.src.rpm Related CVEs: CVE-2022-1215 Description of changes: [1.19.3-2] - CVE-2022-1215: fix a format string vulnerability (#2076816) _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2022-5331 https://linux.oracle.com/errata/ELSA-2022-5331.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: libinput-1.16.3-3.el8_6.i686.rpm libinput-1.16.3-3.el8_6.x86_64.rpm libinput-utils-1.16.3-3.el8_6.x86_64.rpm libinput-devel-1.16.3-3.el8_6.i686.rpm libinput-devel-1.16.3-3.el8_6.x86_64.rpm aarch64: libinput-1.16.3-3.el8_6.aarch64.rpm libinput-utils-1.16.3-3.el8_6.aarch64.rpm libinput-devel-1.16.3-3.el8_6.aarch64.rpm SRPMS: https://oss.oracle.com:443/ol8/SRPMS-updates/libinput-1.16.3-3.el8_6.src.rpm Related CVEs: CVE-2022-1215 Description of changes: [1.16.3-3] - Fix a format string vulnerability in the device name logging (#2076815) CVE-2022-1215 _______________________________________________ El-errata mailing list
Get the latest Linux and open source security news straight to your inbox.