Bug 201231 - [PATCH] net/turnserver: update to 4.4.5.3 (Fixes security vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ports Security Team
URL: https://groups.google.com/forum/#!top...
Keywords: easy, patch, security
Reported: 2015-06-30 19:44 UTC by Bradley T. Hughes
Modified: 2015-07-07 02:48 UTC
mom040267: maintainer-feedback+
koobs: merge-quarterly?


Attachments
patch (1.92 KB, text/plain)
2015-06-30 19:44 UTC, Bradley T. Hughes
poudriere testport log (53.32 KB, text/plain)
2015-06-30 19:44 UTC, Bradley T. Hughes
security/vuxml for turnserver (1.21 KB, patch)
2015-07-02 03:17 UTC, Jason Unovitch
junovitch: maintainer-approval? (ports-secteam)

Description Bradley T. Hughes freebsd_committer 2015-06-30 19:44:21 UTC
Created attachment 158202
patch

Update to the latest upstream release. Attached are a patch (as a git commit) to the port and a poudriere testport log.
Comment 1 Bradley T. Hughes freebsd_committer 2015-06-30 19:44:52 UTC
Created attachment 158203
poudriere testport log
Comment 2 mom040267 2015-06-30 23:29:33 UTC
This is an important security upgrade that fixes an SQL injection problem. I approve that patch.

Thanks
Oleg
Comment 3 Johannes Jost Meixner freebsd_committer 2015-07-01 06:51:48 UTC
I'll take it.
Comment 4 commit-hook freebsd_committer 2015-07-01 07:55:41 UTC
A commit references this bug:

Author: xmj
Date: Wed Jul  1 07:55:17 UTC 2015
New revision: 391034
URL: https://svnweb.freebsd.org/changeset/ports/391034

Log:
  net/turnserver: update to 4.4.5.3

  Upstream announcement:

    IMPORTANT: coturn-4.4.5.3 issued with SQL injection security hole fixed
    The new version features:

    - Third-party authorization STUN attributes adjusted according to the
      values assigned by IANA;
    - SQL injection security hole fixed;
    - Amazon EC2 AMI security strengthened.

    The upgrade is a MUST for all production systems.

  PR:	201231
  Submitted by:	Bradley T. Hughes <bradleythughes@fastmail.com>
  Approved by:	maintainer <mom040267@gmail.com>

Changes:
  head/net/turnserver/Makefile
  head/net/turnserver/distinfo
  head/net/turnserver/pkg-plist
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2015-07-01 08:11:29 UTC
Pending VuXML and MFH
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2015-07-01 16:12:49 UTC
Over to ports-secteam since xmj's bit is in safekeeping for the moment.
Comment 7 Jason Unovitch freebsd_committer 2015-07-02 03:17:01 UTC
Created attachment 158244
security/vuxml for turnserver

Tentative VuXML for review to document the issue, based on the 4.4.5.3 changelog and supplemented by mailing list discussion on the topic.

== Validation

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml


# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit turnserver-4.4.5.2
turnserver-4.4.5.2 is vulnerable:
turnserver -- SQL injection vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/543b5939-2067-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit turnserver-4.4.5.3
0 problem(s) in the installed packages found.
Comment 8 commit-hook freebsd_committer 2015-07-07 02:46:23 UTC
A commit references this bug:

Author: feld
Date: Tue Jul  7 02:45:24 UTC 2015
New revision: 391487
URL: https://svnweb.freebsd.org/changeset/ports/391487

Log:
  Document SQL Injection in turnserver

  PR:		201231

Changes:
  head/security/vuxml/vuln.xml
Comment 9 Mark Felder freebsd_committer 2015-07-07 02:48:53 UTC
MFH to 2015Q2 not needed anymore; this update is in the new 2015Q3 branch

Thanks for your hard work providing these solid vuxml entries, Jason