Your message dated Fri, 03 Jul 2020 18:17:29 +0000
with message-id <[email protected]>
and subject line Bug#951876: fixed in coturn 4.5.0.5-1+deb9u2
has caused the Debian Bug report #951876,
regarding coturn: CVE-2020-6061 CVE-2020-6062
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
951876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951876
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: coturn
Version: 4.5.1.1-1.1
Severity: important
Tags: security upstream
Control: found -1 4.5.0.5-1+deb9u1
Control: found -1 4.5.0.5-1

Hi,

The following vulnerabilities were published for coturn.

CVE-2020-6061[0]:
| An exploitable heap overflow vulnerability exists in the way CoTURN
| 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST
| request can lead to information leaks and other misbehavior. An
| attacker needs to send an HTTPS request to trigger this vulnerability.


CVE-2020-6062[1]:
| An exploitable denial-of-service vulnerability exists in the way
| CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
| HTTP POST request can lead to server crash and denial of service. An
| attacker needs to send an HTTP request to trigger this vulnerability.

I marked the issue as no-dsa, because it's an issue in the respective
administration web server (which should not be started by default).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-6061
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061
[1] https://security-tracker.debian.org/tracker/CVE-2020-6062
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: coturn
Source-Version: 4.5.0.5-1+deb9u2
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
coturn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated coturn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 26 Jun 2020 13:49:31 +0200
Source: coturn
Architecture: source
Version: 4.5.0.5-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 951876
Changes:
 coturn (4.5.0.5-1+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * specially crafted HTTP POST request can lead to heap overflow which can
     result in information leak (CVE-2020-6061) (Closes: #951876)
   * specially crafted HTTP POST request can lead to server crash and denial of
     service (CVE-2020-6062) (Closes: #951876)
   * init with zero any new or reused stun buffers (CVE-2020-4067)
Checksums-Sha1:
 9553d1eb253504965b95a34cf394a219d50e8812 2313 coturn_4.5.0.5-1+deb9u2.dsc
 068e8caaaf25e7473d05ce699fc1c59762d3c9b5 12276 coturn_4.5.0.5-1+deb9u2.debian.tar.xz
Checksums-Sha256:
 019515775e683ef3e50bbc278c9205b9c23b1016472a562e890f49431e3e8525 2313 coturn_4.5.0.5-1+deb9u2.dsc
 601982e3375806ab777767a126d4ba902a52e40e6e902e3f3c301189824afc30 12276 coturn_4.5.0.5-1+deb9u2.debian.tar.xz
Files:
 9347546755e1ad4376e68ab1ac3460f4 2313 net extra coturn_4.5.0.5-1+deb9u2.dsc
 377596383c02c0c36a90d56fe5c0f3a7 12276 net extra coturn_4.5.0.5-1+deb9u2.debian.tar.xz

--- End Message ---