SQL injection security problem discovered

143 views
Skip to first unread message

Oleg Moskalenko

unread,
Jun 30, 2015, 1:27:21 AM6/30/15
to turn-server-project...@googlegroups.com
To those who are using Coturn and rfc5766-turn-server for production purposes:

Do not forget to upgrade to the latest versions (4.4.5.3 and 3.2.5.8).  Those releases contain important security fixes for the SQL injection problem.

The problem was discovered and reported by:

Alex Inführ, Cure53 (https://cure53.de/)
Mario Heiderich, Cure53 (https://cure53.de/)

Oleg

Tomasz G

unread,
Jun 30, 2015, 2:58:39 AM6/30/15
to turn-server-project...@googlegroups.com
upgraded

Jo Yum

unread,
Jun 30, 2015, 11:45:46 AM6/30/15
to turn-server-project...@googlegroups.com
Oleg,

Is there an easy way to upgrade Coturn for CentOS 6.6 ?

Other than uninstalling and reinstalling.

Thank you.

Jo Yum

unread,
Jun 30, 2015, 7:33:49 PM6/30/15
to turn-server-project...@googlegroups.com
Oleg,

I installed Coturn 4.4.5.2 on CentOS 6.6 like this:

tar xvfz turnserver-4.4.5.2.tar.gz
cd turnserver-4.4.5.2/
./configure
make
make install

Coturn 4.4.5.2 is working fine on CentOS 6.6 ... but given the SQL injection issue, I want to upgrade.

What's the procedure for upgrading CentOS 6.6 to Coturn 4.4.5.3 ?

Thank you

Oleg Moskalenko

unread,
Jun 30, 2015, 7:45:37 PM6/30/15
to Jo Yum, turn-server-project...@googlegroups.com
Save your turnserver.conf file (in /etc or /usr/local/etc, depending
on your system). Uninstall Coturn. I am almost sure that it will not
remove the database. Then install again. Then restore the
turnserver.conf in the same place.

Oleg
> --
> You received this message because you are subscribed to the Google Groups
> "TURN Server (Open-Source project)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to
> turn-server-project-rfc57...@googlegroups.com.
> To post to this group, send email to
> turn-server-project...@googlegroups.com.
> Visit this group at
> http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
> For more options, visit https://groups.google.com/d/optout.

Warren McDonald

unread,
Jul 10, 2015, 9:11:21 PM7/10/15
to turn-server-project...@googlegroups.com
Hi Oleg,

does the SQL injection probelm impact on systems using non-sql db Redis?

Cheers,

Warren 

Oleg Moskalenko

unread,
Jul 10, 2015, 9:16:46 PM7/10/15
to Warren McDonald, turn-server-project...@googlegroups.com
Hi Warren

no, only SQL databases are affected (MySQL, PostgreSQL, SQLite).

Regards,
Oleg
Reply all
Reply to author
Forward
0 new messages