[SECURITY] [DLA 2271-1] coturn security update

2020-07-0112:32:12

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

High

EPSS

0.006

Percentile

79.3%

JSON

Package : coturn
Version : 4.2.1.2-1+deb8u2
CVE ID : CVE-2020-4067

In coturn before version 4.5.1.3, there is an issue whereby
STUN/TURN response buffer is not initialized properly. There
is a leak of information between different client connections.
One client (an attacker) could use their connection to
intelligently query coturn to get interesting bytes in the
padding bytes from the connection of another client.

For Debian 8 "Jessie", this problem has been fixed in version
4.2.1.2-1+deb8u2.

We recommend that you upgrade your coturn packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8armelcoturn< 4.2.1.2-1+deb8u2coturn_4.2.1.2-1+deb8u2_armel.deb
Debian10armelcoturn-dbgsym< 4.5.1.1-1.1+deb10u1coturn-dbgsym_4.5.1.1-1.1+deb10u1_armel.deb
Debian10arm64coturn< 4.5.1.1-1.1+deb10u1coturn_4.5.1.1-1.1+deb10u1_arm64.deb
Debian9i386coturn-dbgsym< 4.5.0.5-1+deb9u2coturn-dbgsym_4.5.0.5-1+deb9u2_i386.deb
Debian9ppc64elcoturn< 4.5.0.5-1+deb9u2coturn_4.5.0.5-1+deb9u2_ppc64el.deb
Debian9mips64elcoturn< 4.5.0.5-1+deb9u2coturn_4.5.0.5-1+deb9u2_mips64el.deb
Debian8amd64coturn< 4.2.1.2-1+deb8u2coturn_4.2.1.2-1+deb8u2_amd64.deb
Debian10armhfcoturn< 4.5.1.1-1.1+deb10u1coturn_4.5.1.1-1.1+deb10u1_armhf.deb
Debian9s390xcoturn< 4.5.0.5-1+deb9u2coturn_4.5.0.5-1+deb9u2_s390x.deb
Debian10arm64coturn-dbgsym< 4.5.1.1-1.1+deb10u1coturn-dbgsym_4.5.1.1-1.1+deb10u1_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armel	coturn	< 4.2.1.2-1+deb8u2	coturn_4.2.1.2-1+deb8u2_armel.deb
Debian	10	armel	coturn-dbgsym	< 4.5.1.1-1.1+deb10u1	coturn-dbgsym_4.5.1.1-1.1+deb10u1_armel.deb
Debian	10	arm64	coturn	< 4.5.1.1-1.1+deb10u1	coturn_4.5.1.1-1.1+deb10u1_arm64.deb
Debian	9	i386	coturn-dbgsym	< 4.5.0.5-1+deb9u2	coturn-dbgsym_4.5.0.5-1+deb9u2_i386.deb
Debian	9	ppc64el	coturn	< 4.5.0.5-1+deb9u2	coturn_4.5.0.5-1+deb9u2_ppc64el.deb
Debian	9	mips64el	coturn	< 4.5.0.5-1+deb9u2	coturn_4.5.0.5-1+deb9u2_mips64el.deb
Debian	8	amd64	coturn	< 4.2.1.2-1+deb8u2	coturn_4.2.1.2-1+deb8u2_amd64.deb
Debian	10	armhf	coturn	< 4.5.1.1-1.1+deb10u1	coturn_4.5.1.1-1.1+deb10u1_armhf.deb
Debian	9	s390x	coturn	< 4.5.0.5-1+deb9u2	coturn_4.5.0.5-1+deb9u2_s390x.deb
Debian	10	arm64	coturn-dbgsym	< 4.5.1.1-1.1+deb10u1	coturn-dbgsym_4.5.1.1-1.1+deb10u1_arm64.deb