- Package:
- src:coturn
- Source:
- src:coturn
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-10 09:35:03 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for coturn.

CVE-2026-27624[0]:
| Coturn is a free open source implementation of TURN and STUN Server.
| Coturn is commonly configured to block loopback and internal ranges
| using "denied-peer-ip" and/or default loopback restrictions.
| CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and
| "[::]", but IPv4-mapped IPv6 is not covered. When sending a
| "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS"
| value of "::ffff:127.0.0.1", a successful response is
| received, even though "127.0.0.0/8" is blocked via "denied-peer-ip".
| The root cause is that, prior to the updated fix implemented in
| version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do
| not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks
| "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not
| "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::",
| but not "::ffff:0.0.0.0." "addr_less_eq()" used by
| "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range
| is AF_INET and the peer is AF_INET6, the comparison returns 0
| without extracting the embedded IPv4. Version 4.9.0 contains an
| updated fix to address the bypass of the fix for CVE-2020-26262.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27624
    https://www.cve.org/CVERecord?id=CVE-2026-27624
[1] https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg
[2] https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
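The defensive pattern the advisory above points at, as an added example written for this page (it is not coturn's code and not the 4.9.0 fix itself): a hypothetical `canonicalize_addr()` uses `IN6_IS_ADDR_V4MAPPED` to rewrite an IPv4-mapped IPv6 address into the plain IPv4 address it embeds before any loopback, zero-address or range check runs, so `::ffff:127.0.0.1` is judged by exactly the same rule as `127.0.0.1`. The helper names `parse_addr`, `addr_is_loopback`, `addr_is_zero` and `addr_in_v4_range`, and the sample addresses in `main()`, are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not from coturn): parse an IPv4 or IPv6 literal
 * into a sockaddr_storage. Returns 0 on success, -1 on a bad literal. */
static int parse_addr(const char *text, struct sockaddr_storage *out) {
    struct sockaddr_in *s4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)out;
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return 0;
    }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return 0;
    }
    return -1;
}

/* Canonicalize an IPv4-mapped IPv6 address (::ffff:a.b.c.d) into the
 * AF_INET address it embeds, keeping the port. Every policy check below
 * runs on this canonical form, so a mapped address can never slip past
 * a rule written for IPv4. Addresses that are not v4-mapped are left
 * untouched. */
static void canonicalize_addr(struct sockaddr_storage *a) {
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)a;
    struct sockaddr_in *s4;
    struct in_addr v4;
    uint16_t port;
    if (a->ss_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return;
    memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4); /* last 4 bytes */
    port = s6->sin6_port;
    memset(a, 0, sizeof(*a));
    s4 = (struct sockaddr_in *)a;
    s4->sin_family = AF_INET;
    s4->sin_addr = v4;
    s4->sin_port = port;
}

/* Host-order value of an AF_INET address. */
static uint32_t v4_host(const struct sockaddr_storage *a) {
    return ntohl(((const struct sockaddr_in *)a)->sin_addr.s_addr);
}

/* 1 if loopback (127.0.0.0/8 or ::1, including the v4-mapped form),
 * 0 if not, -1 if the literal does not parse. */
int addr_is_loopback(const char *text) {
    struct sockaddr_storage a;
    if (parse_addr(text, &a) != 0) return -1;
    canonicalize_addr(&a);
    if (a.ss_family == AF_INET) return (v4_host(&a) >> 24) == 127;
    return IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)&a)->sin6_addr) ? 1 : 0;
}

/* 1 if the unspecified address (0.0.0.0 or ::, including ::ffff:0.0.0.0),
 * 0 if not, -1 on parse failure. */
int addr_is_zero(const char *text) {
    struct sockaddr_storage a;
    if (parse_addr(text, &a) != 0) return -1;
    canonicalize_addr(&a);
    if (a.ss_family == AF_INET) return v4_host(&a) == 0;
    return IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)&a)->sin6_addr) ? 1 : 0;
}

/* denied-peer-ip style match against an inclusive IPv4 range lo..hi:
 * 1 if the peer, after canonicalization, is an IPv4 address inside the
 * range; 0 otherwise (a genuine IPv6 peer never matches an IPv4 range);
 * -1 on parse failure. */
int addr_in_v4_range(const char *peer, const char *lo, const char *hi) {
    struct sockaddr_storage p, l, h;
    uint32_t x;
    if (parse_addr(peer, &p) || parse_addr(lo, &l) || parse_addr(hi, &h)) return -1;
    canonicalize_addr(&p);
    canonicalize_addr(&l);
    canonicalize_addr(&h);
    if (p.ss_family != AF_INET || l.ss_family != AF_INET || h.ss_family != AF_INET)
        return 0;
    x = v4_host(&p);
    return v4_host(&l) <= x && x <= v4_host(&h);
}

int main(void) {
    /* Constructed sample peers, including the mapped forms from the advisory. */
    const char *peers[] = {"127.0.0.1", "::ffff:127.0.0.1", "::1",
                           "8.8.8.8", "::ffff:0.0.0.0", "fe80::1"};
    size_t i;
    for (i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-18s loopback=%d zero=%d in 127/8=%d\n", peers[i],
               addr_is_loopback(peers[i]), addr_is_zero(peers[i]),
               addr_in_v4_range(peers[i], "127.0.0.0", "127.255.255.255"));
    return 0;
}
```

Canonicalizing once, at the point where the peer address is extracted, covers all three of the functions the advisory lists at the same time; checking `IN6_IS_ADDR_V4MAPPED` separately inside each predicate is the pattern that leaves gaps when a new predicate is added later. An operator verifying a deployment after upgrading should expect the mapped and unmapped forms of a denied address to be treated identically.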
We believe that the bug you reported is fixed in the latest version of
coturn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1129267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <chrism@debian.org> (supplier of updated coturn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 10 Jun 2026 10:29:35 +0200
Source: coturn
Architecture: source
Version: 4.12.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Christoph Martin <chrism@debian.org>
Closes: 1129267 1134577
Changes:
 coturn (4.12.0-1) unstable; urgency=high
 .
   [ Thomas Bartosik ]
   * Non-maintainer upload.
   * New upstream release.
   * Fixes https://bugs.debian.org/1134577 (CVE-2026-40613),
     https://bugs.debian.org/1129267 (CVE-2026-27624)
   * TLS1.3 support for TURN/TLS
   * Drop obsolete patches for openssl <3
   * Built with OpenSSL 3.5 (auto-openssl transition)
 .
   [ Christoph Martin ]
   * cleanup source
   * add myself to uploaders
   * Closes: #1134577
   * Closes: #1129267
Checksums-Sha1:
 5cb2b1270e9a8aec3ddb03e18595c745106bed57 2256 coturn_4.12.0-1.dsc
 605422866a4b9061712fc7413a5552c4cc280d22 651908 coturn_4.12.0.orig.tar.gz
 ed223ee17d23015dadc76928fe45f03925633134 14528 coturn_4.12.0-1.debian.tar.xz
 3a8eb7bc183c7ee3f06a72a15d3185e12b1ac4a0 7474 coturn_4.12.0-1_amd64.buildinfo
Checksums-Sha256:
 6e288ce40b23b3bd1820499b1da9f1d3f917ffcbb4b7518143755371b566b6ff 2256 coturn_4.12.0-1.dsc
 5374811d50548e2eb1982c0591a55c79c95d78633c17fd211bef13206087e95b 651908 coturn_4.12.0.orig.tar.gz
 39901713ae51a9a9cafb7e37ea46852a25aae763b0ecb7cf8dd20b97fded2ac0 14528 coturn_4.12.0-1.debian.tar.xz
 6748a97d911f3bd642c9f6fdd07f355fa1e6fd3bae000f8a7c63e06ef9938960 7474 coturn_4.12.0-1_amd64.buildinfo
Files:
 a5515e35af3a262accf47ca726a665c2 2256 net optional coturn_4.12.0-1.dsc
 54652667e84889268ac38fba6f071681 651908 net optional coturn_4.12.0.orig.tar.gz
 1bdd14c6e57fa850c469d233a368efc8 14528 net optional coturn_4.12.0-1.debian.tar.xz
 05d67986b5ab87a74351a89dc8a3e65d 7474 net optional coturn_4.12.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEbdFebnsTnCYy4y02kcMUbl2GabQFAmopJpYACgkQkcMUbl2G
abQRqg/+OuRhdIXFXoRQI9/nxfmmlZiF58Ix1M76phQjgu35eCNahuu6wcSiE1f6
pNrRFVvZIT1cY9uQEzWq5p6iDY14SF0CKXHmNCHMAVUrNTZyx56zU1RbYc8s7ElO
92h/mehr0QBToMqlJbzVrpsjIcL9BDjmRzZrRgxPmIqbpb52hmrxEq4ahGUTgHym
+S7tMb8fUNVQAM+8T0VwSGzM1E//Qe99MCD7CGuAyBu2T8shmQ+HKBqFW/npI16n
7nOPEidZhOvWLq4opvCnL2qd8RpnVnOC6R9Q87fJ1b0mSHU9DItWSo7pE6o7DEf6
S5mFvLO+JpD/yJmV+AJmG+dw+5UinhEgfgHpX+wi1WeXGnPIAnbp2HeIFbO34Z3x
5d6s1KP0DYljdDgJxq6z/fm8Hs9/8hgXPiaksd2Vt/vRqW8n8ou0XgNyrTqszhYd
FHrOO4yocoUuz3LkcsNiynNNRpMcntwjahaC3V2C6l0poXRBboB25mCVcVfDjOde
wKqdXE6hWCheQ4CSLnIGkmTv3MoeA2nhYpzH5jgT2zweiSl9f+Hh+QpJ3vAYNAXc
8KJx70FoPAOhxH244B4X11rPa3zy9TiWB8UGP3+uupGfnffmGDm0TdahapqWtynZ
TVQqp1kcTQlmhIk/7AIYFp74k1nUtbLkXd54aEURMXdpIMRrlmo=
=0reJ
-----END PGP SIGNATURE-----