Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -7 articles for you...
89
security advisorydenial of servicefedoraFedora 44 Coturn 4.10.0 Moderate STUN Memory Access Issue 2026-1c11dc3e37
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-1c11dc3e37 2026-04-25 01:21:36.173379+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 44 Version : 4.10.0 Release : 1.fc44 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented with the following tools (either one ora combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme files about deprecated TLSv1/1.1 Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0 Change port identifiers to use uint16_t Fixes: run_tests.sh and no db Improve PostgreSQL.md clarity Add session usage reporting callback to TURN database driver CLI interface is disabled by default -------------------------------------------------------------------------------- ChangeLog: * Fri Apr 17 2026 Robert Scheck - 4.10.0-1 - Upgrade to 4.10.0 (#2458094) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages https://bugzilla.redhat.com/show_bug.cgi?id=2460213 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1c11dc3e37' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Apr 25, 2026
•Important
Fedora
89
security advisorydenial of servicefedoraFedora 43 Coturn 4.10.0 Security Update CVE-2026-40613 Denial of Service
Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-1adc5f1ef8 2026-04-25 01:42:21.312856+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 43 Version : 4.10.0 Release : 1.fc43 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented with the following tools (either one ora combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.10.0 Performance Add Linux-only recvmmsg client receive path for DTLS/UDP listener Skip response buffer allocation for STUN indications Remove mutex from per-thread super_memory allocator Eliminate mutex and reduce copies on auth message dispatch Replace mutex_bps with lock-free atomics for bandwidth tracking Remove unused mutex from ur_map structure WebRTC Auth optimization path Improve worst case scenario - avoid memory allocation Memory issues Fix null pointer dereferences in post_parse() Fix stack buffer overflow in OAuth token decoding Fix uint16_t truncation overflow in stun_get_message_len_str() Initialize variables before use Security CVE-2026-40613 Misaligned Memory Access STUN Attribute Parser General Improvements Disable reason string in response messages to reduce amplification factor Keep only NEV_UDP_SOCKET_PER_THREAD network engine Replace perror with logging Extend seed corpus and add more fuzzing scenarios Update config and Readme files about deprecated TLSv1/1.1 Restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0 Change port identifiers to use uint16_t Fixes: run_tests.sh and no db Improve PostgreSQL.md clarity Add session usage reporting callback to TURN database driver CLI interface is disabled by default -------------------------------------------------------------------------------- ChangeLog: * Fri Apr 17 2026 Robert Scheck - 4.10.0-1 - Upgrade to 4.10.0 (#2458094) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2460213 - CVE-2026-40613 coturn: coturn: Denial of Service due to misaligned memory reads from crafted STUN messages https://bugzilla.redhat.com/show_bug.cgi?id=2460213 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1adc5f1ef8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Apr 25, 2026
•Important
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!