coturn-4.5.2-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10696-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z coturn-4.5.2-2.2 on GA media These are all security issues fixed in the coturn-4.5.2-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10696 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-26262/ SUSE CVE CVE-2020-26262 page https://www.suse.com/security/cve/CVE-2020-4067/ SUSE CVE CVE-2020-4067 page https://www.suse.com/security/cve/CVE-2020-6061/ SUSE CVE CVE-2020-6061 page openSUSE Tumbleweed coturn-4.5.2-2.2 coturn-devel-4.5.2-2.2 coturn-utils-4.5.2-2.2 coturn-4.5.2-2.2 as a component of openSUSE Tumbleweed coturn-devel-4.5.2-2.2 as a component of openSUSE Tumbleweed coturn-utils-4.5.2-2.2 as a component of openSUSE Tumbleweed Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then is able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either `[::1]` or `[::]` as the peer address. By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose to not set the `denied-peer-ip` setting. The issue patched in version 4.5.2. As a workaround the addresses in the address block `0.0.0.0/8`, `[::1]` and `[::]` should be denied by default unless `--allow-loopback-peers` has been specified. CVE-2020-26262 openSUSE Tumbleweed:coturn-4.5.2-2.2 openSUSE Tumbleweed:coturn-devel-4.5.2-2.2 openSUSE Tumbleweed:coturn-utils-4.5.2-2.2 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26262.html CVE-2020-26262 https://bugzilla.suse.com/1180764 SUSE Bug 1180764 In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3. CVE-2020-4067 openSUSE Tumbleweed:coturn-4.5.2-2.2 openSUSE Tumbleweed:coturn-devel-4.5.2-2.2 openSUSE Tumbleweed:coturn-utils-4.5.2-2.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-4067.html CVE-2020-4067 https://bugzilla.suse.com/1173510 SUSE Bug 1173510 An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. CVE-2020-6061 openSUSE Tumbleweed:coturn-4.5.2-2.2 openSUSE Tumbleweed:coturn-devel-4.5.2-2.2 openSUSE Tumbleweed:coturn-utils-4.5.2-2.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6061.html CVE-2020-6061