Bug 201231
| Summary: | [PATCH] net/turnserver: update to 4.4.5.3 (Fixes security vulnerability) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Bradley T. Hughes <bhughes> | ||||||||
| Component: | Individual Port(s) | Assignee: | Ports Security Team <ports-secteam> | ||||||||
| Status: | Closed FIXED | ||||||||||
| Severity: | Affects Some People | CC: | delphij, feld, junovitch, mom040267, ports-secteam, xmj | ||||||||
| Priority: | --- | Keywords: | easy, patch, security | ||||||||
| Version: | Latest | Flags: | mom040267:
maintainer-feedback+
koobs: merge-quarterly? |
||||||||
| Hardware: | Any | ||||||||||
| OS: | Any | ||||||||||
| URL: | https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/Dj3MmgyZX1o | ||||||||||
| Attachments: |
|
||||||||||
Created attachment 158203 [details]
poudriere testport log
This is an important security upgrade that fixes SQL injection problem. I approve that patch. Thanks Oleg I'll take it. A commit references this bug: Author: xmj Date: Wed Jul 1 07:55:17 UTC 2015 New revision: 391034 URL: https://svnweb.freebsd.org/changeset/ports/391034 Log: net/turnserver: update to 4.4.5.3 Upstream announcement: IMPORTANT: coturn-4.4.5.3 issued with SQL injection security hole fixed The new version features: - Third-party authorization STUN attributes adjusted according to the values assigned by IANA; - SQL injection security hole fixed; - Amazon EC2 AMI security strengthened. The upgrade is a MUST for all production systems. PR: 201231 Submitted by: Bradley T. Hughes <bradleythughes@fastmail.com> Approved by: maintainer <mom040267@gmail.com> Changes: head/net/turnserver/Makefile head/net/turnserver/distinfo head/net/turnserver/pkg-plist Pending VuXML and MFH Over to ports-secteam since xmj's bit is in safekeeping for the moment. Created attachment 158244 [details] security/vuxml for turnserver tentative VuXML for review to document issue based on 4.4.5.3 changelog and supplemented by mailing list discussion on topic. == Validation # make validate /bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy" >>> Validating... /usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml >>> Successful. Checking if tidy differs... ... seems okay Checking for space/tab... ... seems okay /usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit turnserver-4.4.5.2 turnserver-4.4.5.2 is vulnerable: turnserver -- SQL injection vulnerability WWW: https://vuxml.FreeBSD.org/freebsd/543b5939-2067-11e5-a4a5-002590263bf5.html 1 problem(s) in the installed packages found. # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit turnserver-4.4.5.3 0 problem(s) in the installed packages found. A commit references this bug: Author: feld Date: Tue Jul 7 02:45:24 UTC 2015 New revision: 391487 URL: https://svnweb.freebsd.org/changeset/ports/391487 Log: Document SQL Injection in turnserver PR: 201231 Changes: head/security/vuxml/vuln.xml MFH to 2015Q2 not needed anymore; this update is in the new 2015Q3 branch Thanks for your hard work providing these solid vuxml entries, Jason |
Created attachment 158202 [details] patch Update to the latest upstream release. Attached are a patch (as a git commit) to the port and a poudriere testport log.