Debian Bug report logs -
#951876
coturn: CVE-2020-6061 CVE-2020-6062
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 22 Feb 2020 15:54:02 UTC
Severity: important
Tags: security, upstream
Found in versions coturn/4.5.0.5-1+deb9u1, coturn/4.5.1.1-1.1, coturn/4.5.0.5-1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#951876; Package src:coturn.
(Sat, 22 Feb 2020 15:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Sat, 22 Feb 2020 15:54:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: coturn
Version: 4.5.1.1-1.1
Severity: important
Tags: security upstream
Control: found -1 4.5.0.5-1+deb9u1
Control: found -1 4.5.0.5-1
Hi,
The following vulnerabilities were published for coturn.
CVE-2020-6061[0]:
| An exploitable heap overflow vulnerability exists in the way CoTURN
| 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST
| request can lead to information leaks and other misbehavior. An
| attacker needs to send an HTTPS request to trigger this vulnerability.
CVE-2020-6062[1]:
| An exploitable denial-of-service vulnerability exists in the way
| CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
| HTTP POST request can lead to server crash and denial of service. An
| attacker needs to send an HTTP request to trigger this vulnerability.
I marked the issue as no-da, becuase it's an issue in the respective
administration web server (which should not be started by default).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-6061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061
[1] https://security-tracker.debian.org/tracker/CVE-2020-6062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062
Regards,
Salvatore
Marked as found in versions coturn/4.5.0.5-1+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 22 Feb 2020 15:54:04 GMT) (full text, mbox, link).
Marked as found in versions coturn/4.5.0.5-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 22 Feb 2020 15:54:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Feb 22 16:42:48 2020;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon