Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710286 (CVE-2020-6061, CVE-2020-6062) - net-im/coturn: multiple vulnerabilities (CVE-2020-6061,CVE-2020-6062)
Summary: net-im/coturn: multiple vulnerabilities (CVE-2020-6061,CVE-2020-6062)
Status: RESOLVED FIXED
Alias: CVE-2020-6061, CVE-2020-6062
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-20 10:10 UTC by filip ambroz
Modified: 2020-06-25 11:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-20 10:10:01 UTC
An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability.
Comment 1 filip ambroz 2020-02-20 10:43:36 UTC
CVE-2020-6062:
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.

References:
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062
https://nvd.nist.gov/vuln/detail/CVE-2020-6062
Comment 2 Sam James gentoo-dev Security 2020-03-19 04:06:15 UTC
@maintainer(s), please create an appropriate ebuild
Comment 3 Hank Leininger 2020-06-09 17:06:19 UTC
It looked like the net-im/coturn maintainer might not be cc'ed on this 3+ month old security bug; added them.
Comment 4 Andreas Schürch gentoo-dev 2020-06-25 10:52:39 UTC
I bumped 4.5.1.2 now and removed the older version.
Sorry for the delay!
Comment 5 Sam James gentoo-dev Security 2020-06-25 11:48:49 UTC
(In reply to Andreas Schürch from comment #4)
> I bumped 4.5.1.2 now and removed the older version.
> Sorry for the delay!

No worries. Thank you! 

Unstable so no GLSA, all done here. Closing.