Bug#951876: coturn: CVE-2020-6061 CVE-2020-6062
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 22 15:51:22 GMT 2020
Source: coturn
Version: 4.5.1.1-1.1
Severity: important
Tags: security upstream
Control: found -1 4.5.0.5-1+deb9u1
Control: found -1 4.5.0.5-1
Hi,
The following vulnerabilities were published for coturn.
CVE-2020-6061[0]:
| An exploitable heap overflow vulnerability exists in the way CoTURN
| 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST
| request can lead to information leaks and other misbehavior. An
| attacker needs to send an HTTPS request to trigger this vulnerability.
CVE-2020-6062[1]:
| An exploitable denial-of-service vulnerability exists in the way
| CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
| HTTP POST request can lead to server crash and denial of service. An
| attacker needs to send an HTTP request to trigger this vulnerability.
I marked the issue as no-dsa, because it's an issue in the respective
administration web server (which should not be started by default).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-6061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061
[1] https://security-tracker.debian.org/tracker/CVE-2020-6062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062
Regards,
Salvatore