coTRUN 4.5.1.0 released (security updates!)

152 views
Skip to first unread message

Mészáros Mihály

unread,
Jan 28, 2019, 1:39:38 PM1/28/19
to TURN Server (Open-Source project)
Dear All,

TL;DR;
Please upgrade your TURN servers ASAP to coTURN version 4.5.1.0!!
It fix a remote SQL injection, and it avoids other critical vulnerabilities.


The details:

We made 4.5.1.0 release public today that fixes many vulnerabilities.

It fix the following vulnerabilities:

  • CVE-2018-4056
  • CVE-2018-4058
  • CVE-2018-4059

They will be exposed very soon..

Many thanks to Cisco for reporting vulnerabilities and helping in opening and coordinating the CVEs!

I have also made a hotfix for Debian stable image that disables web-admin interface, and fix the other issues too.
It also has been released today. See version: 4.5.0.5-1+deb9u1
Announcement: https://www.debian.org/security/2019/dsa-4373

Hotfix is good start, but the real fix comes in 4.5.1.0 that is available actually in Debian sid,
and hopefully in the next few days it will arrive to Debian testing/buster.
After it is in testing/buster we will also release a Debian backports 4.5.1.0  package for stable/stretch.

In the new release the web-admin is disabled by default, and it does not listen on workers.

Other coTURN distributions please also update your packages..


For more details please read more in the coTURN ChangeLog.

Many thanks to All who helped me to make this happen!

Misi

Bradley T. Hughes

unread,
Jan 29, 2019, 5:24:12 PM1/29/19
to Mészáros Mihály, TURN Server (Open-Source project)
Thank you, Misi, for pulling in so many good changes and handling the disclosure. I will have the FreeBSD port updated tomorrow morning European time. :)

Sent from my iPhone
--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.
Visit this group at https://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/d/optout.

Zoltan

unread,
Feb 26, 2019, 10:48:04 AM2/26/19
to TURN Server (Open-Source project)
Hi Misi!
I hope you can help me.
I have been using the old RFC5766 server for years without issues. I am testing Coturn and I noticed that its CPU usage is much higher than the legacy model. The old server with 250 video sessions uses like 37% CPU, but Coturn at 15 sessions already use 23% according to top command. Am I configuring it incorrectly? The config file is almost the same as in the former version, only had to play with the turnuser to make it working. I would like to use Coturn but the performance testing is just not convincing! Can you please advise?
Many thanks

Zoli

Mészáros Mihály

unread,
Feb 26, 2019, 3:59:18 PM2/26/19
to turn Server (Open-Source project)
Szia Zoli,

coTURN collects more statistics than rfc5766, but I don't think
difference should be so huge.
I have to investigate it more what could cause this huge difference.

But the devil is always in the details. :)

Can you share your config and operating system version. (Even in private
if you prefer it.)

coturn version..

cpu type, architecture, number of cores, etc.

Any coturn and rfc7635 logs.
Is there any difference?

Which network engine do you use?

Which transport do your client use for the media traffic?
Do they use the same transport for bot case? sctp/udp/tcp/tls/dtls?

How did you test it with turnutils_uclient or headless browser or any
other ways?

So please share more info, and I will try to help..

Misi
pEpkey.asc
pEpkey.asc
Reply all
Reply to author
Forward
0 new messages