MGASA-2021-0087

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0087.html

Import Source

https://advisories.mageia.org/MGASA-2021-0087.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2021-0087

Related

CVE-2020-26262

Published

2021-02-19T10:27:54Z

Modified

2021-02-19T09:46:39Z

Summary

Updated coturn package fixes a security vulnerability

Details

When sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a malicious user would be able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either [::1] or [::] as the peer address (CVE-2020-26262).

If updating is not possible, the setting --denied-peer-ip=0.0.0.0 can mitigate this issue.

The coturn package has been patched to fix this issue.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

MGASA-2021-0087

Affected packages