Hi Adrian,

On Fri, Jul 03, 2026 at 12:34:21AM +0300, Adrian Bunk wrote:
> On Mon, Jun 22, 2026 at 09:03:06PM +0200, Salvatore Bonaccorso wrote:
> > Source: coturn
> > Version: 4.12.0-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for coturn.
> >
> > CVE-2026-43994[0]:
> > | Coturn is a free open source implementation of TURN and STUN Server.
> > | Versions prior to 4.10.0 contain a stack buffer overflow in
> > | decode_oauth_token_gcm(). A uint16_t nonce_len field read from an
> > | attacker-supplied OAuth access token (0-65535) is passed directly to
> > | memcpy() as the copy length into a 256-byte stack buffer
> > | (oauth_encrypted_block.nonce[256]) without bounds checking. The
> > | overflow occurs before AES-GCM authentication is verified, the
> > | attacker does not need to know the OAuth key or produce a valid AES-
> > | GCM token. Up to 735 bytes of attacker-controlled data are written
> > | past the buffer, may corrupt adjacent stack data, including control-
> > | flow data depending on compiler, ABI, and mitigations. Requires
> > | --oauth mode (non-default). This may provide a plausible RCE
> > | primitive depending on exploit mitigations; because coturn is widely
> > | deployed for WebRTC TURN/STUN and --oauth is commonly recommended,
> > | impact can be broad. This issue has been fixed in version 4.10.0.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2026-43994
> >     https://www.cve.org/CVERecord?id=CVE-2026-43994
> > [1] https://github.com/coturn/coturn/security/advisories/GHSA-74pg-rfh2-5qw5
> > [2] https://github.com/coturn/coturn/commit/5ca467e70915c033f371cd7a9742759c68f56363
>
> The commit looks wrong, my reading of the CVE is that it got fixed by
> https://github.com/coturn/coturn/commit/46368b3e1ecda2175f8db8b05ece8bbdbf844cea
> which is already included in the version in unstable.
This looks right. In fact we initially marked it as such, but without
identifying the fixing commit; later on the CVE entry was revisited and we
referenced the above hardening commit. But in fact the earlier commit
matches the proposed change from the advisory.

I have updated the tracking again accordingly.

Regards,
Salvatore
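The bug class the quoted CVE text describes, as an added illustration that is not coturn's code and does not reproduce the real OAuth token format: a toy decoder for a nonce_len/nonce field pair, with the unchecked copy beside a hardened one that rejects the declared length before a single byte is copied. Only the 256-byte buffer size and the uint16_t length field come from the CVE text; the wire layout (2-byte big-endian length followed by the nonce bytes), the struct and function names, the NONCE_MAX constant and the sample tokens are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack nonce buffer, as the CVE text gives it (256 bytes).
 * The struct layout, the field names and the wire format below are
 * assumptions for this example, not coturn's real definitions. */
#define NONCE_MAX 256

struct encrypted_block {
    uint16_t nonce_len;
    uint8_t  nonce[NONCE_MAX];
};

/* Assumed wire layout of the token prefix for this example:
 *   [0..1]  nonce_len, big-endian uint16_t (attacker-controlled, 0..65535)
 *   [2..]   nonce bytes, followed by the rest of the token */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable shape described in the CVE text: the declared length goes to
 * memcpy() with no comparison against sizeof(out->nonce), and this runs
 * before any AES-GCM tag check could reject the token.  Shown for contrast
 * only; it is never called on untrusted input below. */
int decode_nonce_unchecked(const uint8_t *token, size_t token_len,
                           struct encrypted_block *out)
{
    if (token_len < 2)
        return -1;
    out->nonce_len = read_be16(token);
    memcpy(out->nonce, token + 2, out->nonce_len); /* up to 65535 bytes into 256 */
    return 0;
}

/* Hardened form: validate the length against both the destination buffer and
 * the bytes actually present before anything is copied.  Returns 0 on
 * success, -1 if the token is malformed. */
int decode_nonce_checked(const uint8_t *token, size_t token_len,
                         struct encrypted_block *out)
{
    if (token_len < 2)
        return -1;
    uint16_t nonce_len = read_be16(token);
    if (nonce_len == 0 || nonce_len > NONCE_MAX)   /* zero or oversize: reject */
        return -1;
    if ((size_t)nonce_len > token_len - 2)         /* claims more than was sent */
        return -1;
    out->nonce_len = nonce_len;
    memcpy(out->nonce, token + 2, nonce_len);
    return 0;
}

/* Builds a constructed token that declares `declared` nonce bytes but carries
 * `present` filler bytes after the length field, and runs the checked decoder
 * on it.  Returns the decoder's result so each case can be checked. */
int try_decode(uint16_t declared, size_t present)
{
    uint8_t token[2 + 2048];
    struct encrypted_block blk;

    if (present > sizeof(token) - 2)
        present = sizeof(token) - 2;
    token[0] = (uint8_t)(declared >> 8);
    token[1] = (uint8_t)(declared & 0xff);
    memset(token + 2, 0x41, present);   /* constructed filler, not a real nonce */
    memset(&blk, 0, sizeof(blk));
    return decode_nonce_checked(token, 2 + present, &blk);
}

int main(void)
{
    printf("12 declared, 12 present:       %d\n", try_decode(12, 12));       /* 0 */
    printf("256 declared, 256 present:     %d\n", try_decode(256, 256));     /* 0 */
    printf("1000 declared, 20 present:     %d\n", try_decode(1000, 20));     /* -1 */
    printf("65535 declared, 2046 present:  %d\n", try_decode(65535, 2046)); /* -1 */
    printf("16 declared, only 8 present:   %d\n", try_decode(16, 8));        /* -1 */
    return 0;
}
```

The ordering is the point: the CVE text says the overflow happens before the AES-GCM tag is verified, so a later authentication step cannot undo a copy that has already run. The length check has to live in the parser itself, ahead of the memcpy, and it has to bound the copy against the destination buffer as well as against the bytes actually received.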

