Created attachment 158202
patch

Update to the latest upstream release. Attached are a patch (as a git commit) to the port and a poudriere testport log.
Created attachment 158203
poudriere testport log
This is an important security upgrade that fixes an SQL injection problem. I approve that patch.

Thanks
Oleg
I'll take it.
A commit references this bug:

Author: xmj
Date: Wed Jul 1 07:55:17 UTC 2015
New revision: 391034
URL: https://svnweb.freebsd.org/changeset/ports/391034

Log:
  net/turnserver: update to 4.4.5.3

  Upstream announcement:

  IMPORTANT: coturn-4.4.5.3 issued with SQL injection security hole fixed

  The new version features:

  - Third-party authorization STUN attributes adjusted according to the
    values assigned by IANA;
  - SQL injection security hole fixed;
  - Amazon EC2 AMI security strengthened.

  The upgrade is a MUST for all production systems.

  PR: 201231
  Submitted by: Bradley T. Hughes <bradleythughes@fastmail.com>
  Approved by: maintainer <mom040267@gmail.com>

Changes:
  head/net/turnserver/Makefile
  head/net/turnserver/distinfo
  head/net/turnserver/pkg-plist
Pending VuXML and MFH
Over to ports-secteam since xmj's bit is in safekeeping for the moment.
Created attachment 158244
security/vuxml for turnserver

tentative VuXML for review to document issue based on 4.4.5.3 changelog and supplemented by mailing list discussion on topic.

== Validation

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit turnserver-4.4.5.2
turnserver-4.4.5.2 is vulnerable:
turnserver -- SQL injection vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/543b5939-2067-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit turnserver-4.4.5.3
0 problem(s) in the installed packages found.
A commit references this bug:

Author: feld
Date: Tue Jul 7 02:45:24 UTC 2015
New revision: 391487
URL: https://svnweb.freebsd.org/changeset/ports/391487

Log:
  Document SQL Injection in turnserver

  PR: 201231

Changes:
  head/security/vuxml/vuln.xml
MFH to 2015Q2 not needed anymore; this update is in the new 2015Q3 branch.

Thanks for your hard work providing these solid vuxml entries, Jason.