coturn-4.9.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10375-1 Final 1 1 2026-03-15T00:00:00Z current 2026-03-15T00:00:00Z 2026-03-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z coturn-4.9.0-1.1 on GA media These are all security issues fixed in the coturn-4.9.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10375 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-69217/ SUSE CVE CVE-2025-69217 page https://www.suse.com/security/cve/CVE-2026-27624/ SUSE CVE CVE-2026-27624 page openSUSE Tumbleweed coturn-4.9.0-1.1 coturn-devel-4.9.0-1.1 coturn-utils-4.9.0-1.1 coturn-4.9.0-1.1 as a component of openSUSE Tumbleweed coturn-devel-4.9.0-1.1 as a component of openSUSE Tumbleweed coturn-utils-4.9.0-1.1 as a component of openSUSE Tumbleweed coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RAND_bytes but libc's random() (if it's not running on Windows). When fetching about 50 sequential nonces (i.e., through sending 50 unauthenticated allocations requests) it is possible to completely reconstruct the current state of the random number generator, thereby predicting the next nonce. This allows authentication while spoofing IPs. An attacker can send authenticated messages without ever receiving the responses, including the nonce (requires knowledge of the credentials, which is e.g., often the case in IoT settings). Since the port randomization is deterministic given the pseudorandom seed, an attacker can exactly reconstruct the ports and, hence predict the randomization of the ports. If an attacker allocates a relay port, they know the current port, and they are able to predict the next relay port (at least if it is not used before). Commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 contains a fix. CVE-2025-69217 openSUSE Tumbleweed:coturn-4.9.0-1.1 openSUSE Tumbleweed:coturn-devel-4.9.0-1.1 openSUSE Tumbleweed:coturn-utils-4.9.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69217.html CVE-2025-69217 https://bugzilla.suse.com/1255744 SUSE Bug 1255744 Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0." "addr_less_eq()" used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262. CVE-2026-27624 openSUSE Tumbleweed:coturn-4.9.0-1.1 openSUSE Tumbleweed:coturn-devel-4.9.0-1.1 openSUSE Tumbleweed:coturn-utils-4.9.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-27624.html CVE-2026-27624 https://bugzilla.suse.com/1180764 SUSE Bug 1180764