Headline
CVE-2020-4067: coturn/ChangeLog at aab60340b201d55c007bcdc853230f47aa2dfdf1 · coturn/coturn
In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3.
24/06/2020 Oleg Moskalenko [email protected] Mihály Mészáros [email protected] Version 4.5.1.3 'dan Eider’: - merge PR #575: (by osterik) * fix rpm packaging - merge PR #576: (by osterik) * tell tar to not include the metadata into release - merge PR #574: (by DevRockstarZ) * change Docker turnserver.conf to latest turnserver.conf - merge PR #566: (by bpcurse) * Remove reference to SSLv3 - merge PR #579: (by islamoglus) *Ignore MD5 for BoringSSL - merge PR #577: (by osterik) *build RPM from local folder instead of git repo - Fix for CVE-2020-4067 * STUN response buffer not initialized properly * The issue found and reported #583 by Felix Dörre all credits belongs to him. 30/04/2020 Oleg Moskalenko [email protected] Mihály Mészáros [email protected] Version 4.5.1.2 'dan Eider’: - merge regression fix: (by Mathieu Brunot) * Do not display empty CLI passwd alert if CLI is not enabled - merge PR #359: (by bradleythughes) * Remove turn_free_simple * Remove turn_malloc() * Remote turn_realloc() * Remote turn_free() * Remove turn_calloc() * Remove turn_strdup() * Remove SSL_NEW() and SSL_FREE() * Remove pointer debugging machinery * Remove ns_bzero(), ns_bcopy(), and ns_bcmp() * Remove [su]{08,16,32,64}bits type defines - merge PR #327 (by Alexander Terczka) * Strip white-spaces from config file lines end - merge PR #386 (by Thibaut ACKERMANN) * fix the webadmin ip permission add/delete sql injection - merge PR #390 (by Thibaut ACKERMANN) * fix mongo driver crash when invalid connection string is used - merge PR #392 enhanced fread return length check (by islamoglus) - merge PR #367 disconnect database gracefully (by Shu Muto) - merge PR #382 (by islamoglus) * Using SSL_get_version method for BoringSSL compatibility * Now we put in turn_session_info->tls_method the real TLS version. Earlier we put UNKNOWN in this field if it was a TLS protocol that was not defined supportel TLS protocol during compile time. - merge PR #276 Add systemd service example (by Liberasys) - merge PR #284 Add bandwidth usage reporting packet/bandwidth usage by peers - merge PR #381 Modifying configure to enable compile with private libraries - merge PR #455 Typo corrected (by chanduthedev) - merge PR #417 Append only to log files rather to override them (by robert-scheck) - merge PR #442 Updated incorrect string length check for ‘ssh’ (by chanduthedev) - merge PR #449 Fix Dockerfile for latest Debian (by rao-donut) - http server NULL dereference * Reported (by quarkslab.com, cisco/talos) * CVE-2020-6061 / TALOS-2020-0984 - http server out of bound read * Reported (by quarkslab.com, cisco/talos) * CVE-2020-6061 / TALOS-2020-0984 - merge PR #472 STUN input validation (by bobsayshilol) - merge PR #398 FIPS (by byronclark) - merge PR #478 prod (by alepolidori) - merge PR #463 fix typos and grammar (by xthursdayx) - update travis config ubuntu/mac images - merge PR #466 added null check for second char (by chanduthedev) - merge PR #470 compiler warning fixes (by bobsayshilol) - merge PR #475 Update README.docker (by raksonibs) - merge PR #471 Fix a memory leak when an SHATYPE isn’t supported (by bobsayshilol) - merge PR #488 Fix typos about INSTALL filenames (by raccoonback) - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation - change Diffie Hellman default key length from 1066 to 2066 - merge PR #522 drop of supplementary group IDs (by weberhofer) - merge PR #514 Unify spelling of Coturn (by paulmenzel) - merge PR#506 Rename “prod” config option to “no-software-attribute” (by dbrgn) - merge PR #519 fix config extension in README.docker (by ooookai) - merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa) - merge PR #513 remove trailing spaces from READMEs (by paulmenzel) - merge PR #525 add flags to disable periodic use of dynamic tables (by gfodor) 02/03/2019 Oleg Moskalenko [email protected] Mihály Mészáros [email protected] Version 4.5.1.1 'dan Eider’: - merge PR #330 missing \r\n after http Connection:close (by gribunin) - merge PR #303 fix typo enpoint (by Majid Motallebikashani) - merge PR #129 seperate http web-admin listener (by Thibaut ACKERMANN) - regression from 4.5.1.0 * readd pwd check * add to config missing web-admin-listen-on-workers option - merge docker branch * Add Docker file for all database backend. - merge sparc64 branch * Fix mem alingment issue on 64 bit architecture That issue caused earlier “bus error” on sparc64 and armhf - merge PR #336 Clarify Debian install (by David-dp-) - merge PR #339 RPM build fix (by Peter Hudec ) 24/11/2018 Oleg Moskalenko [email protected] Mihály Mészáros [email protected] Version 4.5.1.0 'dan Eider’: Consider to change config file after upgrade, because it contains some not backward compatible breaking changes !! - Security fixes Many thanks to Nicolas Edet (Cisco) !! who reported all of the following issues: * DB/SQL injection in stun realm. Fix: add extra string validation. * DB/SQL injection in web-admin interface lack of admin user validation. Fix: add extra string validation. * Fix for earlier unsafe default settings: o HTTPS administrator interface should be disabled by default It could be enbled with “web-admin” option. o Default configuration allowed earlier forwarding traffic from an external interface to loopback interface. Now it has been changed and option name is also changed! !!BREAKING change!! Don’t forget to change config!! “no-loopback-peers” replaced by “allow-loopback-peers” o Unauthenticated telnet admin interface runs on the loopback interface, which can be accessed by exploiting the loopback relay that was enabled by default. * Add username string sanity check on web admin interface to avoid any sql-injection attacks. - Admin portal does not list TCP session ( reported and fixed by Nicolas Edet ) - Fix memory leak in read_config_file (by Thibaut Ackermann) - Add a release helper script. - Web Admin interface use own listener (it is disableb by default) (by Thibaut ACKERMANN) !!BREAKING change!! Don’t forget to change/review config!! * Add new option “web-admin-ip” to set listener ip. By default (127.0.0.1) * Add new option “web-admin-port” to set webadmin listen port * Add new option “web-admin-listen-on-workers” to change back to earlier behaviour and listen web admin on all worker processes and ports. - Not allow to start server if “allow-loopback-peers” set without “cli-password” !!BREAKING change!! Don’t forget to change config!! Added a warning if cli-password is empty or missing, but allow-loopback-peers set, and so loopback allocation is enalbed. 27/09/2018 Oleg Moskalenko [email protected] Mihály Mészáros [email protected] Version 4.5.0.8 'dan Eider’: - Travis CI integration - to avoid warnings add compiler comment hint to fallthrough - reload-tls-certs PR#236 (by Arne Georg Gisnås Gleditsch) - minor fixes PR#223 (by Pavel Kretov) move rm Makefile to distclean list all phony targets - Fix typo PR#253 (by Orsiris de Jong) - Fix stuck IPv6 connections. (issue #217) THX to damencho, vol4iniche - Spelling fixes. - Add a warning if --lt-cred-mech and --use-auth-secret both presents. - Revert "Add the realm parameter in the example config file (by Domenico)" - Fix for Verbose config file option -v cli option override - Add a Notice to config about realm default value is the domain name. - Update total allocation usage on client shutdown - Fix total and user quota mix-up - Fixed typos in postinstall.txt (by Prashanth Rajaram) - MySQL password encryption (by Mustafa Bingül & Erdem Duman) - Do not write to log before logging configuration is read from a config file (by eiver) - Add more explanation on use-auth-secret / REST in example config (by Krithin Sitaram) - Add a Warning if lines in config file ends with semicolon (by heyheyjc) - Fix --prod pointer bug - Fix auth server thread detach race (by weishuyin) - New Feature: Add -K --keep-address-family Be aware if you enable it, then it breaks rfc6156 section 4.2 (default IPv4 family fallback) - Fix dtls double free crash - Fix compilation errors and warnings (by Oleg) 12/10/2017 Oleg Moskalenko [email protected] Version 4.5.0.7 'dan Eider’: - Misc security improvements. 10/17/2016 Oleg Moskalenko [email protected] Version 4.5.0.6 'dan Eider’: - Typos in the text fixed. - TLS1.2 support fixed. - uclient minor performance tweak. - Issue #113 fixed (by David Benjamin) - Report total traffic used per allocation via Redis (by Bradley T. Hughes) - Add the realm parameter in the example config file (by Domenico) 08/27/2016 Oleg Moskalenko [email protected] Version 4.5.0.5 'dan Eider’: - Typos in the text fixed. - LibreSSL compatibility fixed. - “read_timeout” option support for MySQL. - new NAT behavior discovery utilty. - new OAuth access_token encrypt/decrypt utilty. - improved configurability: added parameters for allocate, channel and permission lifetimes (by Richard Garnier). 08/20/2016 Oleg Moskalenko [email protected] Version 4.5.0.4 'dan Eider’: - OpenSSL 1.1.0 support added. - CentOS 7 installation updated. - hiredis and mongo compilation configuration fixed (fix provided by Harsha Bellur). - RPM: Systemd optimization. - REST API option fixed. - Thread creation error handling fixed. - Issue #36 fixed. 11/15/2015 Oleg Moskalenko [email protected] Version 4.5.0.3 'dan Eider’: - SSLv3 support removed. That provides extra security and compatibility with OpenSSL distributions or clones that do not support SSLv3 (like LibreSSL 2.3.0). This fix is required for fresh FreeBSD and for Debian unstable. - Compilation and configuration cleaning. - Fix for non-interactive shells. - RPM: Fixed mongo-c-driver include path (by Sergey Safarov). - RPM: Fixed startup daemon as non root user (by Sergey Safarov). - RPM: Systemd optimized for high-volume network traffic (by Sergey Safarov). 9/29/2015 Oleg Moskalenko [email protected] Version 4.5.0.2 'dan Eider’: - DTLS segmentation fault fixed; 9/13/2015 Oleg Moskalenko [email protected] Version 4.5.0.1 'dan Eider’: - multiple realms based on oAuth (third-party authorization); - STUN attributes conflict resolution; - SIGHUP handler fixed; - error message logging improved; - mongo test db files fixed. 7/18/2015 Oleg Moskalenko [email protected] Version 4.4.5.4 'Ardee West’: - moved to github. 6/20/2015 Oleg Moskalenko [email protected] Version 4.4.5.3 'Ardee West’: - third-party authorization STUN attributes adjusted according to the values assigned by IANA. - SQL injection security hole fixed. 5/29/2015 Oleg Moskalenko [email protected] Version 4.4.5.2 'Ardee West’: - dual allocation adjusted according to the new TURN-bis draft; - options sha256, sha384, sha512 retired as non-standard; - third-party authorization (oAuth) updated according to the version 16 of the draft; - C++ compilation fixes; - cosmetic fixes; - fixed binary package for CentOS 7.1; - support for older SQLite versions added; - compilation support for older CentOS release 5.x added; - Issue 11 fixed; - Issue 12 fixed. 3/31/2015 Oleg Moskalenko [email protected] Version 4.4.4.2 'Ardee West’: - SCTP fixes; 3/15/2015 Oleg Moskalenko [email protected] Version 4.4.4.1 'Ardee West’: - ‘native’ SCTP support (experimental); - option of encrypted stored passwords for web admin users; - option of encrypted stored password for CLI user; 2/28/2015 Oleg Moskalenko [email protected] Version 4.4.2.3 'Ardee West’: - bandwidth control fixed; - STUN/TURN control traffic counted separately from data traffic, for the sake of the bandwidth control; - higher bandwidth limit capacity on 64 bits systems; - redis operations with the realm options fixed; 2/18/2015 Oleg Moskalenko [email protected] Version 4.4.2.2 'Ardee West’: - admin_user table schema fixed; - REST API docs fixed; - Amazon AWS uses syslog; 2/3/2015 Oleg Moskalenko [email protected] Version 4.4.2.1 'Ardee West’: - (HMAC-)SHA-512 and -384 algorithms added; - TOS (DiffServer) and TTL IP header field handling fixed; - updates according to the new third-party-auth draft (oauth); - peer logging added; 2/1/2015 Oleg Moskalenko [email protected] Version 4.4.1.2 'Ardee West’: - SSODA updates according to turnbis specs; - TRANSPORT attribute handling fixed; - hostname-to-IP-address resolution fix; - updates for Solaris (name resolution libraries); 1/24/2015 Oleg Moskalenko [email protected] Version 4.4.1.1 'Ardee West’: - https admin server; - SSLv2 support cancelled (security concern fixed); - The server-side short-term credentials mechanism support cancelled; - OpenSSL 1.1.0 supported; - shared secrets fixed in MongoDB: multiple secrets per realm allowed; - shared secrets admin fixed in Redis; 12/24/2014 Oleg Moskalenko [email protected] Version 4.3.3.1 'Tolomei’: - multiple authentication threads; - database code cleaned; 12/14/2014 Oleg Moskalenko [email protected] Version 4.3.2.2 'Tolomei’: - Redis read message queue bug fixed; - STUN/TURN ALPN supported (when compiled with OpenSSL 1.0.2+ ); - DTLS v1.2 supported (when compiled with OpenSSL 1.0.2+ ); - Auto optimal ECDH parameters (when compiled with OpenSSL 1.0.2+ ); - TLS/DTLS code cleaning. 11/29/2014 Oleg Moskalenko [email protected] Version 4.3.1.3 'Tolomei’: - Reliability fixes (Issue 141 from rfc5766-turn-server). - HTTP/HTTPS echo fixed. - External address mapping fixes for Amazon EC2. - Minor docs improvements. 11/23/2014 Oleg Moskalenko [email protected] Version 4.3.1.2 'Tolomei’: - Debian package fixes. 11/22/2014 Oleg Moskalenko [email protected] Version 4.3.1.1 'Tolomei’: - SQLite supported as the default user database. - Support of the flat-file user database removed. - TLS connection procedure improved in uclient test program. 11/07/2014 Oleg Moskalenko [email protected] Version 4.2.3.1 'Monza’: - Request re-transmission implemented in uclient test program. - TLS connection procedure improved in uclient test program. 10/26/2014 Oleg Moskalenko [email protected] Version 4.2.2.2 'Monza’: - Black- and white- IP lists are divided per realm (the DB schema for those two tables changed); - Updated Redis database schema. - Debian UFW file added (Issue 1 fixed). - TCP/TLS tests extended. - Relay RTCP sockets ports allocation fixed. - List of libraries cleaned. - SSL renegotiation callback fixed. 10/05/2014 Oleg Moskalenko [email protected] Version 4.2.1.2 'Monza’: - oAuth security experimental implementation; - The “TLS renegotiation” DoS attack prevention implemented; - FQDN as relay-ip and listener-ip parameters (issue 6) (patch provided by Iñaki Baz Castillo); - redis user key operation fixed. - redis, mysql and psql db operations fixed. - SHA-256 memory leak fixed. - Mobility ticket retransmission fixed. - Move debian package from SVN to GIT. - Move secondary download area to coturn.net. - Quota allocation fixed. - Core dump fixed. - Bandwidth allocation fixed. - Memory code cleaning. - Logging fixed. 08/14/2014 Oleg Moskalenko [email protected] Version 4.1.2.1 'Vitari’: - The origin attribute is verified in the subsequent session messages (server flag --check-origin-consistency). - MySQL SSL connection support. - Crash fixed when the DB connection string is incorrect. - Minor docs fixes. 07/29/2014 Oleg Moskalenko [email protected] Version 4.1.1.1 'Vitari’: - Forceful server-side session cancellation implemented (in telnet console). 07/22/2014 Oleg Moskalenko [email protected] Version 4.1.0.2 'Vitari’: - SSODA (double allocation) draft support added. - DB “driver” abstraction and MongoDB support (by Federico Pinna). - multiple origins supported per request. - “allocation mismatch” condition fixed (merged from rfc5766-turn-server). - STUN BINDING response fixed in the case of -X (external address) option. - “pu” CLI command fixed. - session cleaning fixed in TCP relay functionality (RFC 6062). - some crash conditions fixed. - working on compilation warnings. 06/21/2014 Oleg Moskalenko [email protected] Version 4.0.1.3 'Severard’: - Redis DB connection status fixed (Issue 129). - Logfile reset on SIGHUP (Gustavo Garcia suggestion). - Log reset CLI command. - Some error code corrections: * “Mobility forbidden” error changed, to value 405. * “Wrong credentials” situation is now treated as error 441. 06/06/2014 Oleg Moskalenko [email protected] Version 4.0.1.2 'Severard’: - Bandwidth draft implemented. - Issues 126, 127 and 128 fixes merged from rfc5766-turn-server. 05/18/2014 Oleg Moskalenko [email protected] Version 4.0.0.2 'Threetrees’: - Code cleaning. 05/07/2014 Oleg Moskalenko [email protected] Version 4.0.0.1 'Threetrees’: - Kernel channel placeholder definitions. 05/02/2014 Oleg Moskalenko [email protected] Version 4.0.0.0 'Threetrees’: - Multi-tenant server. 04/13/2014 Oleg Moskalenko [email protected] Version 3.2.3.6 'Marshal West’: - Addresses logging fixed. - Redis admin options fixed. - Redis compilation cleaned. 04/07/2014 Oleg Moskalenko [email protected] Version 3.2.3.5 'Marshal West’: - Mobile allocation quota fixed (issue 121); - --simple-log option added (Issue 122); - documentation fixes (REST API, Redis). 04/06/2014 Oleg Moskalenko [email protected] Version 3.2.3.4 'Marshal West’: - Mobile TCP sessions fixed (issue 120); - log information improvements. 04/04/2014 Oleg Moskalenko [email protected] Version 3.2.3.3 'Marshal West’: - Pkey and cert file descriptors to be closed on initialization (issue 118); - Address bind indefinite cycle on start-up fixed (Issue 119); - Allocation counters time lag improved. 03/30/2014 Oleg Moskalenko [email protected] Version 3.2.3.2 'Marshal West’: - Allocation counters fixed (issue 117); - a possible core dump in the server code fixed; - a possible memory leak in server fixed. 03/29/2014 Oleg Moskalenko [email protected] Version 3.2.3.1 'Marshal West’: - TCP congestion avoidance completed. - Read and write streams are treated separately in bandwidth control. - Test client fixed. - Experimental SHA256 key storage supported. 03/17/2014 Oleg Moskalenko [email protected] Version 3.2.2.912 'Marshal West’: - TCP-in-TCP congestion avoidance implemented. - UDP-in-TCP congestion avoidance improved. - Alternate-server code cleaned. 03/10/2014 Oleg Moskalenko [email protected] Version 3.2.2.911 'Marshal West’: - “Congestion control” for UDP-inside-TCP tunneling; - memory management improvements; - socket logging improvements; - debug info added to CentOS and Fedora RPMs; - TCP traffic buffering improved; - Thread barriers cleaned; - TCP memory leak fixed; - minor TCP test client improvement. 03/09/2014 Oleg Moskalenko [email protected] Version 3.2.2.910 'Marshal West’: - Log messages extended and cleaned. - Some memory cleaning. 03/02/2014 Oleg Moskalenko [email protected] Version 3.2.2.9 'Marshal West’: - Issue 113 fixed (TCP rate limit fixed); - Issue 114 fixed (TCP stability). 02/18/2014 Oleg Moskalenko [email protected] Version 3.2.2.8 'Marshal West’: - Issue 102: SO_BSDCOMPAT socket option removed; - Issue 104: check for the REALM attribute value; - Issue 105: no-cli segfault fixed; - Issue 106: MESSAGE-INTEGRITY removed from DATA indication; - Issue 108: Server should return 438 on unknown nonce; - Issue 109: make the random functions stronger (mostly for transaction ID and for nonce); - Issue 111: fix valgrind warning on memory initialization. - Issue 112: RTCP sockets logging. 02/12/2014 Oleg Moskalenko [email protected] Version 3.2.2.7 'Marshal West’: - Possible indefinite cycle fixed in TCP/TCP routing (Issue 99); - Address 0.0.0.0 can be used as a listener address (Issue 100); - DHCP-configured servers supported (Issue 101); 02/04/2014 Oleg Moskalenko [email protected] Version 3.2.2.6 'Marshal West’: - Channel traffic memory copy elimination. - Send indication memory copy elimination. - DTLS traffic processing memory copy eliminated. - Mobility forbidden error code number fixed - according to the new draft document. - getsockname() usage minimized. - port allocation improved. - default relay behavior fixed (when no relay addresses defined). - atomic create permission request handling (Issue 97). 01/25/2014 Oleg Moskalenko [email protected] Version 3.2.2.5 'Marshal West’: - code optimization. 01/24/2014 Oleg Moskalenko [email protected] Version 3.2.2.4 'Marshal West’: - HMAC key handling fixed (Issue 96). 01/23/2014 Oleg Moskalenko [email protected] Version 3.2.2.3 'Marshal West’: - Security fix (issue 95). - Default “implicit” relay IP allocation policy is more usable (issue 94 fixed). - SSLv2 fixed (for those who are still using it) (issue 93 fixed). - Cosmetic changes. 01/19/2014 Oleg Moskalenko [email protected] Version 3.2.2.1 'Marshal West’: - CPU/memory cache optimization (memory locality). - torture tests enhanced. - stability fixes. - minor possible memory leak fix. - new TLS options: --no-sslv2, --no-sslv3, --no-tlsv1, --no-tlsv1_1, --no-tlsv1_2 01/06/2014 Oleg Moskalenko [email protected] Version 3.2.1.4 'Marshal West’: - Linux epoll performance improvements. - DTLS minor fix. 01/06/2014 Oleg Moskalenko [email protected] Version 3.2.1.3 'Marshal West’: - Telnet client added to installation when necessary. 01/05/2014 Oleg Moskalenko [email protected] Version 3.2.1.2 'Marshal West’: - Config file adjusted for DragonFly. 01/03/2014 Oleg Moskalenko [email protected] Version 3.2.1.1 'Marshal West’: - Minor TLS fix. - Default cipher list is DEFAULT now. 12/26/2013 Oleg Moskalenko [email protected] Version 3.2.1.0 'Marshal West’: - Optimized TCP network engine for Linux 3.9+. - Security fix: DH and ECDH temporary keys are now regenerated for each TLS or DTLS session. - Fix for systems with multiple CPU cores (more than 128). - DH TLS key now can be configured as 566, 1066 (default) or 2066 bits. - DH TLS key can be taken from a PEM file. - Issue 91 (test client crash) fixed. - Configurable net engine type. 12/25/2013 Oleg Moskalenko [email protected] Version 3.1.6.0 'Arch Lector’: - Timers optimization: linked list timers structure for often-used intervals. 12/23/2013 Oleg Moskalenko [email protected] Version 3.1.5.3 'Arch Lector’: - HTTP “keep-alive” support improved. - TCP channel “fortification". 12/19/2013 Oleg Moskalenko [email protected] Version 3.1.5.1 'Arch Lector’: - Private key password allowed for encrypted keys. - HTTP “keep-alive” supported. - “psd” CLI command added (ps dump to file). 12/18/2013 Oleg Moskalenko [email protected] Version 3.1.4.2 'Arch Lector’: - Time functions optimization. - Online changes to the alternate servers list thru telnet CLI. - Certificate chain files allowed. 12/13/2013 Oleg Moskalenko [email protected] Version 3.1.3.1 'Arch Lector’: - “Start time” ps command info added. - Protocol option added to “pu” command. - “Delete allocation” debug message fixed. - “Allocation id” debug info message fixed. - RFC6062 usage statistics fixed. - Info/Debug messages cleaned. 12/11/2013 Oleg Moskalenko [email protected] Version 3.1.2.3 'Arch Lector’: - CentOS 6 package fixed. 12/10/2013 Oleg Moskalenko [email protected] Version 3.1.2.2 'Arch Lector’: - ps output typo fixed (TLS params). - configurable EC curve name. - CLI TLS-related information extended. - “print users” (pu) CLI command added. 12/09/2013 Oleg Moskalenko [email protected] Version 3.1.2.1 'Arch Lector’: - DH cipher suites basic implementation. - Elliptic Curve cipher suites basic implementation. - RFC 6062 crash fixed. - More CLI parameters added. - Redis allocation statistics fixed. - Number of cli max session lines configurable. - uclient cipher suite configurable. 12/08/2013 Oleg Moskalenko [email protected] Version 3.1.1.0 'Arch Lector’: - Telnet CLI. - RFC 6062 internal messaging fixed. - Server relay endpoints (a non-standard feature). - “atomic line” stdout log print. - printed help minor fix. - client program does not necessary require certificate for TLS. - docs fixes. - allocation quota bug fixed. 11/29/2013 Oleg Moskalenko [email protected] Version 3.0.2.1 'Practical Frost’: - TCP stability fixes. - RFC 6062 “first packet(s)" bug fixed. - RFC 6062 stability fixes. - Multithreaded Mobile ICE. 11/28/2013 Oleg Moskalenko [email protected] Version 3.0.1.4 'Practical Frost’: - CentOS/Fedora packaging fixed. - PID file fixed. 11/26/2013 Oleg Moskalenko [email protected] Version 3.0.1.3 'Practical Frost’: - Misc cosmetic changes. - CentOS/Fedora packaging fixed. 11/25/2013 Oleg Moskalenko [email protected] Version 3.0.1.2 'Practical Frost’: - Mobility draft implemented. - DTLS communications fixes. - UDP Linux optimization. - Log output time starts with 0. - A new “drop root privileges” options: --proc-user and --proc-group added. - SHA256 agility updated: 426 error code on too weak SHA function. - "-m 0” and "-m 1” options improved. - non-threading environment support dropped. - stability fixes. - OpenSUSE support added. 11/10/2013 Oleg Moskalenko [email protected] Version 3.0.0.0 'Practical Frost’: - New network engine for Linux kernel 3.9+. 11/08/2013 Oleg Moskalenko [email protected] Version 2.6.7.2 'Harding Grim’: - SHA256 agility updated: 441 error code on too weak SHA function. 11/07/2013 Oleg Moskalenko [email protected] Version 2.6.7.1 'Harding Grim’: - CentOS / Fedora uninstall script. - Debian compilation error fixed. - OpenSSL 0.9.7 and earlier build fixed. - NetBSD build fixed. 11/03/2013 Oleg Moskalenko [email protected], Peter Dunkley [email protected] Version 2.6.7.0 'Harding Grim’: - CentOS 6 pre-compiled distribution. - Fedora pre-compiled distribution. - TURN_NO_TLS case compilation cleaning. - Text files cleaning. - Issue 68 fixed (no-stun option added). 10/27/2013 Oleg Moskalenko [email protected] Version 2.6.6.1 'Harding Grim’: - SHA256 added as a non-standard message integrity option. - CentOS rpm specs added. - Peter Dunkley added to the authors list. 10/20/2013 Oleg Moskalenko [email protected] Version 2.6.6.0 'Harding Grim’: - Cygwin loopback relay interfaces fixed (Issue 62). - rpath added to the Makefile (Issue 63). - CONFLICTS added to FreeBSD port Makefile (Issue 64). - Certificate check options, for server and for the test client (Issue 65). - Some compilation cleaning. 10/09/2013 Oleg Moskalenko [email protected] Version 2.6.5.2 'Harding Grim’: - Documentation changes. - Redis-related memory leak fixed (Issue 61). 09/25/2013 Oleg Moskalenko [email protected] Version 2.6.4.1 'Harding Grim’: - Crash on uninitialized redis db name is fixed (Issue 59). - Optional authentication of STUN Binding request is implemented (Issue 60). 09/16/2013 Oleg Moskalenko [email protected] Version 2.6.3.1 'Harding Grim’: - Issue 58: support changing white/black IP lists while server is running. database tables (keys for redis) added for that new functionality. 09/03/2013 Oleg Moskalenko [email protected] Version 2.6.2.2 'Harding Grim’: - Issue 52: RFC 6062 relay endpoints connection process fixed for Linux pre-3.9 kernel. 09/03/2013 Oleg Moskalenko [email protected] Version 2.6.2.1 'Harding Grim’: - UDP performance improvements. - Issue 56: DTLS scaleability improvements. - Issue 55: DTLS support in Cygwin. - Issue 57: --pidfile option - Issue 52: RFC 6062 relay endpoints connection process fixed. - Issue 53: Fingerprints added to the indications. - Issue 54: Long-term credentials mechanism integrity and software attributes added to the indications. 08/11/2013 Oleg Moskalenko [email protected] Version 2.6.1.4 'Harding Grim’: - UDP memory leak fixed. 08/11/2013 Oleg Moskalenko [email protected] Version 2.6.1.3 'Harding Grim’: - DTLS crash fix. 08/10/2013 Oleg Moskalenko [email protected] Version 2.6.1.2 'Harding Grim’: - TLS buffer decreased to avoid memory problems. - TLS BIO object fix. - UDP socket open/reopen process fixed. 08/08/2013 Oleg Moskalenko [email protected] Version 2.6.1.1 'Harding Grim’: - Network optimization: * “pure” UDP setup optimized (when no DTLS configured); * Auxiliary listening endpoints (configured by --aux-server=<ip:port>). * --udp-self-balance option to balance the UDP traffic among the aux endpoints (for clients supporting 300 ALTERNATE-SERVER response). - Security improvements: * no authentication required on the load balancer server (Issue 50). * REST API improvement: = --secret-ts-exp-time option deprecated; = In REST API timestamp, we are now using the expiration time (Issue 31). * Configurable cipher suite in the TURN server. * SSLv3 support. * TLS 1.1 and 1.2 support. * SSLv2 “encapsulation” mode support. * NULL OpenSSL cipher is allowed to be negotiated between server and client. * -U option (NULL cipher) added to the test client. * DTLS crash fixed on overload. - STUN enhancements and fixes: * Classic STUN transaction ID fixed (Issue 48). * Classic STUN attribute ERROR fixed (Issue 49). * Unused RFC 5780 functionality removed from TCP, TLS and DTLS relays. * resources optimization for stun-only: short connection expiration time. 07/26/2013 Oleg Moskalenko [email protected], Vladimir Tsanev [email protected] Version 2.5.2.1 'Shivers’: - log file placement changes. - Base64 encode/decode memory initialization fix. 07/23/2013 Oleg Moskalenko [email protected], Po-sheng Lin [email protected] Version 2.5.1.2 'Shivers’: - getopt fix in client test programs. - cosmetic changes. - allow anonymous alternate-server functionality. 07/21/2013 Oleg Moskalenko [email protected] Version 2.5.1.1 'Shivers’: - Improved “split” network engine: two different threading models for TCP and UDP. - DTLS crash fixed. - Multithreading with Cygwin. 07/20/2013 Oleg Moskalenko [email protected] Version 2.1.3.1 'Shivers’: - DTLS improvements for DOS attacks - deeper optimization for DOS attack (mostly for Linux) 07/19/2013 Oleg Moskalenko [email protected] Version 2.1.2.0 'Shivers’: - deeper optimization for DOS attack (mostly for Linux) 07/18/2013 Oleg Moskalenko [email protected], Po-sheng Lin [email protected] Version 2.1.1.1 'Shivers’: - udp fixes. - Makefile cleaning. - Dependencies cleaning. - DOS attack client emulation. - DOS attack defense logic added to the server. 07/14/2013 Oleg Moskalenko [email protected] Version 2.0.0.0 'Shivers’: - new networking engine: - scalable UDP socket model. - multithreaded TCP relay implemented. - race condition fixed in authentication of TCP sessions. - Cygwin “port” fixed. 06/23/2013 Oleg Moskalenko [email protected], Vladimir Tsanev [email protected] Version 1.8.7.0 'Black Dow’: - Added support for obsolete “classic” STUN RFC 3489; - Full TURN support for Cygwin implemented: MS-Win UDP sockets fixed; - Relay threads number changed; - Fedora warnings fixed; - turndb/testdbsetup.sh example file added; - Multiple Makefile and ./configure script fixes implemented: * Changes taken from Arch Linux port; * Manpages installation and deinstallation; * rfc5769check utility removed from installation, it is used for the compilation result test only and makes no sense for the end user; * “–parameter” format support in ./configure script; it allows simpler native OS package definitions (like in Debian package); * Mac OS X linking warnings removed. * pthread test fixed. 06/08/2013 Oleg Moskalenko [email protected] Version 1.8.6.3 'Black Dow’: - DONT-FRAGMENT flag removed on UDP listening (clients-facing) sockets. - UDP fix for Cygwin only: UDP channels work fine now. - docs fixes. 06/06/2013 Oleg Moskalenko [email protected] Version 1.8.6.2 'Black Dow’: - Just cosmetic re-packaging for Debian, tarball warnings removed. 06/05/2013 Oleg Moskalenko [email protected] Version 1.8.6.1 'Black Dow’: - Peer permissions bug fixed. 06/03/2013 Oleg Moskalenko [email protected] Version 1.8.6.0 'Black Dow’: - Optimization. - Mac OS X compilation fixes. 06/01/2013 Oleg Moskalenko [email protected] Version 1.8.5.4 'Black Dow’: - Issues 29 and 30 fixed (channels padding). - minor fixes. - Mac OS X compilation fixes. - Cygwin-related compilation fixes and INSTALL additions. 05/31/2013 Oleg Moskalenko [email protected] Version 1.8.5.3 'Black Dow’: - REST API extra script example and docs extension. 05/26/2013 Oleg Moskalenko [email protected] Version 1.8.5.1 'Black Dow’: - Config file parsing fixed (Issue 28) 05/20/2013 Oleg Moskalenko [email protected], Erik Johnston [email protected] Version 1.8.5.0 'Black Dow’: - IP access control lists. - log file name fix. - alt-* ports default behavior changed. - “passive TCP” option in uclient. 05/18/2013 Oleg Moskalenko [email protected] Version 1.8.4.5 'Black Dow’: - socket conditions cleaned (SIGPIPE, etc) 05/17/2013 Oleg Moskalenko [email protected] Version 1.8.4.4 'Black Dow’: - configuration and installation adjusted for: - NetBSD; - Solaris; - OpenBSD; - Screen messages fixed; - code security fixes. 05/15/2013 Oleg Moskalenko [email protected] Version 1.8.4.3 'Black Dow’: - Compilation warning removed. - Log file fixed (Issue 26) 05/15/2013 Oleg Moskalenko [email protected] Version 1.8.4.2 'Black Dow’: - repackaging for Debian compliance. Docs separated. 05/14/2013 Oleg Moskalenko [email protected] Version 1.8.4.1 'Black Dow’: - Cosmetics (docs, warnings, etc). - More complex case of TURN-server-behind-NAT is implemented, when multiple public-ip/private-ip mappings are involved. 05/13/2013 Oleg Moskalenko [email protected] Version 1.8.4.0 'Black Dow’: - Redis DB support added. - Crash on help text fixed. - Max allocation time can be changed in the command-line or in the config file. 05/09/2013 Oleg Moskalenko [email protected] Version 1.8.3.9 'Black Dow’: - No changes - just the tarball is repackaged for Debian compatibility. 05/07/2013 Oleg Moskalenko [email protected] Version 1.8.3.8 'Black Dow’: - multicast and loopback addresses disallow options added. - option to direct all log messages to the system log (syslog). 05/02/2013 Oleg Moskalenko [email protected] Version 1.8.3.7 'Black Dow’: - Allocation status log. 05/01/2013 Oleg Moskalenko [email protected] Version 1.8.3.6 'Black Dow’: - Stuntman client interoperability fixed. - Manpages installation fixed. 04/30/2013 Oleg Moskalenko [email protected] Version 1.8.3.5 'Black Dow’: - Lintian fixes. 04/27/2013 Oleg Moskalenko [email protected] Version 1.8.3.4 'Black Dow’: - Installation fixes. 04/26/2013 Oleg Moskalenko [email protected] Version 1.8.3.3 'Black Dow’: - Log file midnight rollover implemented (Issue 15). 04/25/2013 Oleg Moskalenko [email protected] Version 1.8.3.1 'Black Dow’: - Configurable REST API separator symbol (Issue 16). - Stale Nonce bug fixed (Issue 17). - Minor client fix. 04/21/2013 Oleg Moskalenko [email protected] Version 1.8.3.0 'Black Dow’: - STUN stand-alone functionality improved according to RFC 5389. - ALTERNATE-SERVER implemented as “light” load balancing feature. - stun-only option implemented. - scripts directory reorganized. 04/19/2013 Oleg Moskalenko [email protected] Version 1.8.2.1 'Black Dow’: - Misc docs fixes. 04/13/2013 Oleg Moskalenko [email protected] Version 1.8.2.0 'Black Dow’: - Multiple database shared secrets supported for REST API. - Added support for some OpenSSL FIPS versions (like openssl 0.9.8e-fips-rhel5). 04/13/2013 Oleg Moskalenko [email protected] Version 1.8.1.3 'Black Dow’: - Maintenance (docs, etc). - Added partial support for Cygwin. Only TCP & TLS protocols are support for client-to-server communications (as in RFC 5766 and RFC 6062). UDP supported only for relay communications. DTLS is not supported at all. The problem is in Winsock UDP sockets implementation. 04/11/2013 Oleg Moskalenko [email protected] Version 1.8.1.2 'Black Dow’: - Work on configuration and build. 04/9/2013 Oleg Moskalenko [email protected] Version 1.8.1.1 'Black Dow’: - Docs improvements. - Load balancing use case added to TurnNetworks.pdf. - Verbose mode split into ‘normal’ and ‘extra’ modes. - Logging extended and fixed. 04/7/2013 Oleg Moskalenko [email protected] Version 1.8.1.0 'Black Dow’: - Compilation flags improved. - utility programs renamed and moved to bin/ directory. - README and turnserver man page separated into three sections - turnserver, turnadmin, turnutils. 04/6/2013 Oleg Moskalenko [email protected] Version 1.8.0.6 'Black Dow’: - Added option “–psql-userdb” for better visual separation between PostgreSQL and MySQL stuff. - turnadmin flat files handling fixed. - added set/show commands to turnadmin for secret key. 04/6/2013 Oleg Moskalenko [email protected] Version 1.8.0.5 'Black Dow’: - turnadmin MySQL connection fixed. - minor cosmetic changes. - Added “list” commands for long-term and short-term users, to turnadmin. 04/5/2013 Oleg Moskalenko [email protected] Version 1.8.0.4 'Black Dow’: - Minor compilation fixes. - Minor docs fixes. - “connect_timeout” option support for MySQL. 04/5/2013 Oleg Moskalenko [email protected] Version 1.8.0.3 'Black Dow’: - Issue 11 (secret timestamp check) fixed. 04/4/2013 Oleg Moskalenko [email protected] Version 1.8.0.2 'Black Dow’: - TCP sockets flush removed. - rfc5769check utility removed from the Makefile. 04/4/2013 Oleg Moskalenko [email protected] Version 1.8.0.1 'Black Dow’: - Some short-term auth problems fixed. - rfc5769check utility added to the Makefile and upgraded. 04/3/2013 Oleg Moskalenko [email protected] Version 1.8.0.0 'Black Dow’: - Short-term credentials mechanism implemented. 04/2/2013 Oleg Moskalenko [email protected] Version 1.7.3.1 'Superior Glokta’: - Listeners code cleaned. - The default number of extra relay threads changes from 0 to 1. 04/1/2013 Oleg Moskalenko [email protected] Version 1.7.3.0 'Superior Glokta’: - Issue 10 fixed: log file control options. Two options added: --no-stdout-log and --log-file. 03/29/2013 Oleg Moskalenko [email protected] Version 1.7.2.0 'Superior Glokta’: - Issue 9 fixed (uclient). - Secret-based authentication implemented (see TURNServerRESTAPI.pdf). - Uclient docs fixed. - database schema extended (table for the secret added). 03/27/2013 Oleg Moskalenko [email protected] Version 1.7.1.2 'Superior Glokta’: - CHANNEL BIND request handling fixed: now it produces an error when client is trying to tie the same peer address to different channels. - uclient and peer test apps upgraded so that RTP channels are talking to <port> and RTCP channels are talking to <port+1> in client-to-peer communication patterns. - compilation warning is fixed when MySQL is not used. 03/27/2013 Oleg Moskalenko [email protected] Version 1.7.1.1 'Superior Glokta’: - CONNECT response fixed in RFC 6062. - uclient checks server responses integrity. 03/26/2013 Oleg Moskalenko [email protected] Version 1.7.1.0 'Superior Glokta’: - MySQL support added for the user keys repository. - PostgreSQL support improved. - Docs fixed. - 64 bits platform fixes. 03/23/2013 Oleg Moskalenko [email protected] Version 1.7.0.0 'Glokta’: - Authentication fix. - PostgreSQL database can be used as the user keys repository. 03/21/2013 Oleg Moskalenko [email protected] Version 1.6.1.3 'Whirrun’: - UDP segmentation fault fixed 03/21/2013 Oleg Moskalenko [email protected] Version 1.6.1.2 'Whirrun’: - RFC 6062 fix 03/21/2013 Oleg Moskalenko [email protected] Version 1.6.1.1 'Whirrun’: - Authentication error fixed 03/19/2013 Oleg Moskalenko [email protected] Version 1.6.1.0 'Whirrun’: - --stale-nonce option - working on userdb - “hang on” option fixed in uclient 03/18/2013 Oleg Moskalenko [email protected] Version 1.6.0.2 'Whirrun’: - working on userdb - c++ compilation fix 03/17/2013 Oleg Moskalenko [email protected] Version 1.6.0.1 'Whirrun’: - uclient performance improved - TurnNetworks.pdf document added 03/15/2013 Oleg Moskalenko [email protected] Version 1.6.0.0 'Whirrun’: - “Pure” TCP relaying (RFC 6062) implemented. - Network interactions fixes. - RFC 6062 test scripts added. 03/03/2013 Oleg Moskalenko [email protected] Version 1.5.2.8 'Iosiv Lestek’: - authorization processing improvements. - peer application fixed. - some ICE attributes added. 02/27/2013 Oleg Moskalenko [email protected] Version 1.5.2.7 'Iosiv Lestek’: - authorization processing improvements - Issue 4 fixed. - secure client-to-client script added 02/22/2013 Oleg Moskalenko [email protected] Version 1.5.2.6 'Iosiv Lestek’: - strcpy/strncpy fixed - some screen messages fixed - uclient statistics fixed - software attribute fixed - example scripts fixed 02/16/2013 Oleg Moskalenko [email protected] Version 1.5.2.5 'Lestek’: - uclient application fixed - Docs fixes 02/14/2013 Oleg Moskalenko [email protected] Version 1.5.2.4 'Lestek’: - Crash fixed on unconfigured interfaces - Docs fixes 02/12/2013 Oleg Moskalenko [email protected] Version 1.5.2.3 'Lestek’: - Added feature: TURN Server always uses fingerprints in a session if the session client is using fingerprints. - Default unsecure alternative port changed to 3479, default secure alternative port changed to 5350. - TURN Server always trying to search for default certificate file turn_server_cert.pem and for default private key file turn_server_pkey.pem, if not certificate or private key is explicitly configured. - configurable packet rate in the uclient test program. - default peer port changed to 3480. - -z, --no-auth option added to turnserver. 02/11/2013 Oleg Moskalenko [email protected] Version 1.5.2.2 'Lestek’: - Some cleanup added to the network input handlers. 02/9/2013 Oleg Moskalenko [email protected] Version 1.5.2.1 'Lestek’: - Binding requests do not require authentication. - SOFTWARE in the end of the message. 02/8/2013 Oleg Moskalenko [email protected] Version 1.5.2.0 'Lestek’: - NAT discovery fixed (RFC5780). 02/8/2013 Oleg Moskalenko [email protected] Version 1.5.1.6 'Calder’: - Installation instructions fixed. 02/8/2013 Oleg Moskalenko [email protected] Version 1.5.1.5 'Calder’: - Mac compilation fixes. - Fixes for old Linuxes. 02/7/2013 Oleg Moskalenko [email protected] Version 1.5.1.4 'Calder’: - Configuration alert (warning) messages. - Relay addresses by default use listener addresses. - Realm/user sequence fixed in the config file reading. 01/27/2013 Oleg Moskalenko [email protected] Version 1.5.1.3 'Calder’: - ‘External’ IP implemented for TURN-server-behind-NAT situation. 01/26/2013 Oleg Moskalenko [email protected] Version 1.5.1.2 'Calder’: - Alternative ports moved to 20000-ish territory. - Docs fixes. 01/22/2013 Oleg Moskalenko [email protected] Version 1.5.1.1 'Calder’: - Docs fixes. 01/22/2013 Oleg Moskalenko [email protected] Version 1.5.1.0 'Calder’: - C++ compatible headers and build. - C++ library header. - HTML-formatted development reference. 01/14/2013 Oleg Moskalenko [email protected] Version 1.5.0.0 'Calder’: - RFC 5769 check utility implemented. - RFC 5780 STUN extension implemented. 01/13/2013 Oleg Moskalenko [email protected] Version 1.4.2.5 'Scale’: - Issue 2 fixed. 01/08/2013 Oleg Moskalenko [email protected] Version 1.4.2.4 'Scale’: - Bogus “Bind to device” error message removed (Linux). - Docs improvements. 01/08/2013 Oleg Moskalenko [email protected] Version 1.4.2.3 'Scale’: - Bandwidth limitation implemented (–max-bps option). - DTLS communications improved. 01/07/2013 Oleg Moskalenko [email protected] Version 1.4.2.2 'Scale’: - Output messages fixed. - Peer test application accepts multiple listening addresses. - config search directories improved. 01/06/2013 Oleg Moskalenko [email protected] Version 1.4.2.1 'Scale’: - Examples directory structure fixed - Installation fixes - Output messages fixed 01/05/2013 Oleg Moskalenko [email protected] Version 1.4.2 'Scale’: - Daemon execution improved - Installation fixes - Added comments to the scripts 01/04/2013 Oleg Moskalenko [email protected] Version 1.4.1.2 'Scale’: - Configure script introduced - Installation fixes - Run as daemon 01/01/2013 Oleg Moskalenko [email protected] Version 1.4.1 'Scale’: - Options fixes - Build fixes - Script fixes - Installation fixes 12/31/2012 Oleg Moskalenko [email protected] Version 1.4 'Scale’: - Separate file for the dynamic user database - Build fixes - Script fixes - Logging fixes 12/29/2012 Oleg Moskalenko [email protected] Version 1.3.0.2 'Ferro’: - Debian ‘squeeze’ compilation fix 12/26/2012 Oleg Moskalenko [email protected] Version 1.3.0.1 'Ferro’: - install procedure minor improvements 12/24/2012 Oleg Moskalenko [email protected] Version 1.3 'Ferro’: - default conf file renamed to turnserver.conf - build script improved - client library linking fixed - install procedure 12/23/2012 Oleg Moskalenko [email protected] Version 1.2.3 'Luthar’: - turnserver options fixed - man page renamed to turnserver 12/22/2012 Oleg Moskalenko [email protected] Version 1.2.2: - Man page fix 12/21/2012 Oleg Moskalenko [email protected] Version 1.2.1 'Juvens’: - Man page 12/21/2012 Oleg Moskalenko [email protected] Version 1.2 'Euz’: - Project cleaning 12/20/2012 Oleg Moskalenko [email protected] Version 1.1 'no name’: - DTLS extension 12/17/2012 Oleg Moskalenko [email protected] Version 1.0 'no name’: - RFC 5766 - RFC 6156
Related news
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability.