Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 730180 (CVE-2020-4067)

Summary: <net-im/coturn-4.5.1.3: Information leak between clients (CVE-2020-4067)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: nativemad
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 20:56:04 UTC
Description:
"In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 20:56:32 UTC
Please bump to 4.5.1.3! Thanks.
Comment 2 Andreas Schürch gentoo-dev 2020-07-07 10:25:23 UTC
Bump is done, vulnerable version is removed.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 20:52:45 UTC
(In reply to Andreas Schürch from comment #2)
> Bump is done, vulnerable version is removed.

Thanks!