Fedora has issued an advisory today (April 1): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/ Mageia 7 is also affected. As the importer/maintainer of this package has disappeared on us again, we should probably drop it.
Patches available from this commit: https://src.fedoraproject.org/rpms/coturn/c/d9dbecf09d39006f3918e5d372d7ca948269484a?branch=master
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Patches available from Fedora
Created attachment 11640 [details] A patch for the RPM package Patch adapted from Fedora, I do not have commit rights yet, so my mentor will likely submit it.
CC: (none) => CheeseEBoi
Created attachment 11641 [details] A patch for the full RPM package instead of the source Sorry, I sent a patch for the software instead of just an "svn diff." This patch is an svn diff that can easily be applied to the package in Mageia 7 right now.
Attachment 11640 is obsolete: 0 => 1
Created attachment 11642 [details] Svn diff with subrel Fixed versioning issue
Attachment 11641 is obsolete: 0 => 1
Created attachment 11643 [details] Fixed formatting
Attachment 11642 is obsolete: 0 => 1
Created attachment 11644 [details] Accidentally used commit as patch, my bad
Attachment 11643 is obsolete: 0 => 1
Thanks, Elliot! Patch applied, committed and submitted in coturn / r1583582 : http://pkgsubmit.mageia.org/
CC: (none) => shlomif
Nice to see this getting worked on. A couple of minor nits, as it says here: https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29 it should be %define subrel, not %global (although the latter seemed to work in this case, I think there are some subtle differences) and although it doesn't explicitly say it, the subrel definition should go *immediately* above the %mkrel call, just for consistency's sake, so if someone else updates the package later, they won't miss that there's a subrel already there. You don't need to rebuild the package, but do please make those changes in SVN. Then, going back to the URL above, the next step is to make an advisory and assign to QA. I can help with this if need be. Also note the other changes I'm making to the bug.
Status comment: Patches available from Fedora => (none)Whiteboard: MGA7TOO => (none)Version: Cauldron => 7
Advisory: ======================== Updated coturn package in order to fix security vulnerability: http_server.c: An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/ ======================== Updated packages in core/updates_testing: ======================== coturn-4.5.1.2-1.mga7.x86_64.rpm from coturn-4.5.1.2-1.mga7.src.rpm
There were 2 CVEs fixed here, so they should both be in the advisory, and the updated package is actually coturn-4.5.0.7-2.3.mga7.
Revised Advisory: ======================== Updated the coturn package in order to fix some security vulnerabilities: http_server.c: An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability (CVE-2020-6061). http_server.c An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability (CVE-2020-6062). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/ ======================== Updated the package in core/updates_testing: ======================== coturn-4.5.0.7-2.3.mga7.x86_64.rpm from coturn-4.5.0.7-2.3.mga7.src.rpm
Assignee: pterjan => qa-bugs
MGA7-64 Plasma on Lenovo B50 No installation issues. No previous update or wiki, so experimenting. Found https://ourcodeworld.com/articles/read/1175/how-to-create-and-configure-your-own-stun-turn-server-with-coturn-in-ubuntu-18-04 and at CLI after installation: # systemctl -l status turnserver ● turnserver.service - coturn Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled) Active: inactive (dead) Docs: man:coturn(1) man:turnadmin(1) man:turnserver(1) May 17 14:32:41 mach5.hviaene.thuis systemd[1]: /usr/lib/systemd/system/turnserver.service:10: PIDFile= references path be> # systemctl start turnserver # systemctl -l status turnserver ● turnserver.service - coturn Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled) Active: active (running) since Sun 2020-05-17 14:33:06 CEST; 3s ago Docs: man:coturn(1) man:turnadmin(1) man:turnserver(1) Process: 7691 ExecStart=/usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf $EXTRA_OPTIONS (code=exited, status=0/> Main PID: 7861 (turnserver) Tasks: 9 (limit: 4915) Memory: 5.4M CGroup: /system.slice/turnserver.service └─7861 /usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: turn server id=0 created May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (general relay thread): epoll (with changelist) May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: turn server id=3 created May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (general relay thread): epoll (with changelist) May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: turn server id=2 created May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: Total General servers: 4 May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (auth thread): epoll (with changelist) May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (admin thread): epoll (with changelist) May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (auth thread): epoll (with changelist) May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: SQLite DB connection success: /var/db/turndb Checked /etc/turnserver/turnserver.conf and found 3478 as default port. Tested by trying acces from my desktop PC: $ telnet mach5 3478 Trying 192.168.2.5 Connected to mach5.xxx.yyyy (192.168.2.5) That's it for me, I will not object OK'ing if this is deemed to be enough as a test.
CC: (none) => herman.viaene
Since there's been no response for nearly two weeks, I'm going to assume that it is enough. If it isn't we'll soon know. OKing and validating. Advisory in Comment 11.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA7-64-OKCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => mageiaKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0254.html
Status: NEW => RESOLVEDResolution: (none) => FIXED