SQL injection security problem discovered

Oleg Moskalenko

Jun 30, 2015, 1:27:21 AM
to turn-server-project...@googlegroups.com
To those who are using Coturn and rfc5766-turn-server for production purposes:

Do not forget to upgrade to the latest versions (4.4.5.3 and 3.2.5.8).  Those releases contain important security fixes for the SQL injection problem.

The problem was discovered and reported by:

Alex Inführ, Cure53 (https://cure53.de/)
Mario Heiderich, Cure53 (https://cure53.de/)

Oleg

Tomasz G

Jun 30, 2015, 2:58:39 AM
to turn-server-project...@googlegroups.com
upgraded

Jo Yum

Jun 30, 2015, 11:45:46 AM
to turn-server-project...@googlegroups.com
Oleg,

Is there an easy way to upgrade Coturn for CentOS 6.6 ?

Other than uninstalling and reinstalling.

Thank you.

Jo Yum

Jun 30, 2015, 7:33:49 PM
to turn-server-project...@googlegroups.com
Oleg,

I installed Coturn 4.4.5.2 on CentOS 6.6 like this:

tar xvfz turnserver-4.4.5.2.tar.gz
cd turnserver-4.4.5.2/
./configure
make
make install

Coturn 4.4.5.2 is working fine on CentOS 6.6 ... but given the SQL injection issue, I want to upgrade.

What's the procedure for upgrading CentOS 6.6 to Coturn 4.4.5.3 ?

Thank you

Oleg Moskalenko

Jun 30, 2015, 7:45:37 PM
to Jo Yum, turn-server-project...@googlegroups.com
Save your turnserver.conf file (in /etc or /usr/local/etc, depending
on your system). Uninstall Coturn. I am almost sure that it will not
remove the database. Then install again. Then restore the
turnserver.conf in the same place.

Oleg
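Oleg's upgrade procedure above (save turnserver.conf, uninstall, reinstall from the new tarball, restore the config), written out as a script. This is an added example, not code from the thread or from the Coturn project. It assumes the old source tree used for the original `make install` is still on disk and that its Makefile has an `uninstall` target, and that the new release tarball unpacks into a directory named after it, as the 4.4.5.2 tarball in the thread does. The config-handling functions take their paths as arguments so they can be exercised against a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example: scripted version of the upgrade steps from the thread.
# Assumptions (not stated in the thread): OLD_SRC is the unpacked source
# tree of the currently installed release and `make uninstall` works there;
# NEW_TARBALL is e.g. turnserver-4.4.5.3.tar.gz and unpacks to a directory
# of the same name.
set -eu

# Locate turnserver.conf in the candidate directories given as arguments
# (the thread names /etc and /usr/local/etc). Prints the path, fails if none.
find_conf() {
    for d in "$@"; do
        if [ -f "$d/turnserver.conf" ]; then
            printf '%s\n' "$d/turnserver.conf"
            return 0
        fi
    done
    return 1
}

# Copy the config to a timestamped backup (permissions preserved) and
# print the backup path.
backup_conf() {
    conf=$1
    bak="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$bak"
    printf '%s\n' "$bak"
}

# Put the backup back over the (possibly overwritten) config and verify
# the restored file is byte-identical to the backup.
restore_conf() {
    bak=$1
    conf=$2
    cp -p "$bak" "$conf"
    cmp -s "$bak" "$conf"
}

# Full procedure: back up, uninstall old, build and install new, restore.
upgrade() {
    old_src=$1
    new_tarball=$2
    [ -f "$new_tarball" ] || { echo "missing tarball: $new_tarball" >&2; return 1; }
    conf=$(find_conf /etc /usr/local/etc)
    bak=$(backup_conf "$conf")
    echo "config backed up to $bak"
    (cd "$old_src" && make uninstall)          # assumption: target exists
    tar xzf "$new_tarball"
    new_src=$(basename "$new_tarball" .tar.gz)
    (cd "$new_src" && ./configure && make && make install)
    restore_conf "$bak" "$conf"
    echo "restored $conf from $bak"
}

# Usage: sh upgrade-coturn.sh --run ./turnserver-4.4.5.2 turnserver-4.4.5.3.tar.gz
if [ "${1:-}" = "--run" ]; then
    upgrade "$2" "$3"
fi
```

As Oleg notes, the uninstall step should leave the database alone; the script only guards the config file, so check your userdb (SQLite file or external server) separately before running it.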

Warren McDonald

Jul 10, 2015, 9:11:21 PM
to turn-server-project...@googlegroups.com
Hi Oleg,

does the SQL injection problem affect systems using the non-SQL database Redis?

Cheers,

Warren

Oleg Moskalenko

Jul 10, 2015, 9:16:46 PM
to Warren McDonald, turn-server-project...@googlegroups.com
Hi Warren

no, only SQL databases are affected (MySQL, PostgreSQL, SQLite).

Regards,
Oleg
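A quick way to answer Warren's question for your own deployment: look at which user-database backend is actually enabled in turnserver.conf. This is an added example, not from the thread or the Coturn project. The option names (`userdb` for the SQLite file, `mysql-userdb`, `psql-userdb`, `redis-userdb`) are the ones used in the sample turnserver.conf shipped with Coturn 4.x; verify them against your own copy. It also assumes that a 4.x server with no backend configured falls back to its built-in SQLite database, so "nothing enabled" is treated as an SQL backend.

```shell
#!/bin/sh
# Added example: report whether a turnserver.conf uses one of the SQL
# backends named in the thread (MySQL, PostgreSQL, SQLite) or only Redis.
set -eu

# Print the user-database options that are enabled (not commented out),
# one name per line. Option names are an assumption; see lead-in.
enabled_backends() {
    grep -E '^[[:space:]]*(userdb|mysql-userdb|psql-userdb|redis-userdb)[[:space:]]*=' "$1" \
        | sed -E 's/^[[:space:]]*([a-z-]+).*/\1/' \
        | sort -u
}

# Exit 0 if the config uses an SQL backend, 1 if it uses only Redis.
uses_sql_backend() {
    backends=$(enabled_backends "$1")
    if [ -z "$backends" ]; then
        # Assumption: with no backend configured, Coturn 4.x uses its
        # built-in SQLite database, so treat this as SQL.
        return 0
    fi
    printf '%s\n' "$backends" | grep -qE '^(userdb|mysql-userdb|psql-userdb)$'
}

# Usage: sh check-userdb.sh /etc/turnserver.conf
if [ "${1:-}" != "" ]; then
    if uses_sql_backend "$1"; then
        echo "$1: SQL backend in use, upgrade to 4.4.5.3 / 3.2.5.8"
    else
        echo "$1: Redis only, not affected per the thread"
    fi
fi
```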