Your message dated Wed, 08 Jul 2020 21:02:08 +0000
with message-id <[email protected]>
and subject line Bug#951876: fixed in coturn 4.5.1.1-1.1+deb10u1
has caused the Debian Bug report #951876,
regarding coturn: CVE-2020-6061 CVE-2020-6062
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
951876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951876
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: coturn
Version: 4.5.1.1-1.1
Severity: important
Tags: security upstream
Control: found -1 4.5.0.5-1+deb9u1
Control: found -1 4.5.0.5-1
Hi,
The following vulnerabilities were published for coturn.
CVE-2020-6061[0]:
| An exploitable heap overflow vulnerability exists in the way CoTURN
| 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST
| request can lead to information leaks and other misbehavior. An
| attacker needs to send an HTTPS request to trigger this vulnerability.
CVE-2020-6062[1]:
| An exploitable denial-of-service vulnerability exists in the way
| CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
| HTTP POST request can lead to server crash and denial of service. An
| attacker needs to send an HTTP request to trigger this vulnerability.
I marked the issue as no-dsa, because it's an issue in the respective
administration web server (which should not be started by default).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-6061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061
[1] https://security-tracker.debian.org/tracker/CVE-2020-6062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: coturn
Source-Version: 4.5.1.1-1.1+deb10u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
coturn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated coturn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 26 Jun 2020 10:49:56 +0200
Source: coturn
Architecture: source
Version: 4.5.1.1-1.1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 951876
Changes:
 coturn (4.5.1.1-1.1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * specially crafted HTTP POST request can lead to heap overflow which can
     result in information leak (CVE-2020-6061) (Closes: #951876)
   * specially crafted HTTP POST request can lead to server crash and denial of
     service (CVE-2020-6062) (Closes: #951876)
   * init with zero any new or reused stun buffers (CVE-2020-4067)
--- End Message ---