Your message dated Tue, 12 Jan 2021 08:33:31 +0000
with message-id <[email protected]>
and subject line Bug#954379: fixed in coturn 4.5.2-1
has caused the Debian Bug report #954379,
regarding coturn: Make `/etc/turnserver.conf` non-worldreadable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954379: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954379
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: coturn
Version: 4.5.1.1-1.1
Severity: normal
Dear Debian folks,
Currently, the Debian package seems to install the configuration file as
world-readable.
$ ls -l /etc/turnserver.conf
-rw-r--r-- 1 root root 328 Mar 18 16:02 /etc/turnserver.conf
The upstream package installation only installs
`/etc/turnserver.conf.example`.
If a user sets up a static secret in the configuration file, the access
modes should probably be restricted to root only, shouldn’t they?
Kind regards,
Paul
--- End Message ---
--- Begin Message ---
Source: coturn
Source-Version: 4.5.2-1
Done: Mészáros Mihály <[email protected]>
We believe that the bug you reported is fixed in the latest version of
coturn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mészáros Mihály <[email protected]> (supplier of updated coturn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Jan 2021 20:05:38 +0100
Source: coturn
Architecture: source
Version: 4.5.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Mészáros Mihály <[email protected]>
Closes: 904415 930097 934513 954379 964009
Changes:
 coturn (4.5.2-1) unstable; urgency=high
 .
   * [49df393] New upstream release (4.5.2)
     - fix null pointer dereference in case of out of memory.(by Thomas Moeller)
     - merge PR #517 (by wolmi)
         add prometheus metrics
     - merge PR #637 (by David Florness)
         Delete trailing whitespace in example configuration files
     - merge PR #631 (by Debabrata Deka)
         Add architecture ppc64le to travis build
     - merge PR #627 (by Samuel)
         Fix misleading option in doc (prometheus)
     - merge PR #643 (by tupelo-schneck)
         Allow RFC6062 TCP relay data to look like TLS
     - merge PR #655 (by plinss)
         Add support for proxy protocol V1
     - merge PR #618 (by Paul Wayper)
         Print full date and time in logs
         Add new options:
         "new-log-timestamp" and "new-log-timestamp-format"
     - merge PR #599 (by Cédric Krier)
         Do not use FIPS and remove hardcode OPENSSL_VERSION_NUMBER with LibreSSL
     - update Docker mongoDB and fix with workaround the missing systemctl
     - merge PR #660 (by Camden Narzt)
         fix compilation on macOS Big Sur
     - merge PR #546 #551 #672 (by jelmd)
         Add support of --acme-redirect <URL>
         fix acme security, redundancy, consistency
     - Disable binding request logging to avoid DoS attacks.(Breaking change!)
         Add new --log-binding option to enable binding request logging
     - Fix stale-nonce documentation. Resolves #604
     - Version numbering is changed to semver 2.0
     - Merge PR #288 (by Hristo Venev)
         pkg-config, and various cleanups in configure file
     - Add systemd notification for better systemd integration
     - Fix Issue #621 (by ycaibb)
         Null pointer dereference on tcp_client_input_handler_rfc6062data function
     - Fix Issue #600 (by ycaibb)
         use-after-free vulnerability on write_to_peerchannel function
     - Fix Issue #601 (by ycaibb)
         use-after-free vulnerability on write_client_connection function
     - Little refactoring prometheus
         Fix c++ support
         Simplify (as agreed in Issue #666)
         Remove session id/allocation labels
         Remove per session metrics. We should later add more counters.
     - Fix CVE-2020-26262 (credits: Enable-Security)
         Fix ipv6 ::1 loopback check
         Not allow allocate peer address 0.0.0.0/8 and ::/128
         For more details see the github security advisory:
         https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
   * [f0c1753] Change coturn service type to systemd notify (Closes: #934513)
   * [f9b9547] Add libsystemd-dev to build dependency
   * [5a811b1] Update watch version to 4
   * [c0a645e] Update Debian Standards to 4.5.1
   * [e429100] Patch not-needed to forwarded to upstream
   * [bc56267] Add pkg-config to build dependency
   * [bd98206] Postrm remove dir /var/lib/turn
   * [8c58afe] Change sqlite db permissions.
     Change owner to turnserver:turnserver and mode 660 (Closes: #930097)
   * [b9a4a8b] Change config file permissions.
     Change owner to root:turnserver and mode 640 (Closes: #954379)
   * [3e85092] init.d script drop root privileges (Closes: 904415)
   * [24eb87a] Add info about binding privileged ports (Closes: #964009)
   * [136a8a2] Disable pid file creation
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
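
Added example, not part of the bug report or the Debian packaging: a shell check that a host's coturn configuration matches the permissions set in 4.5.2-1 (root:turnserver, mode 640) and flags the case the reporter raised, a world-readable file holding a static secret. It assumes GNU stat and that the secret is set with coturn's static-auth-secret option, a name that does not appear in this thread; the function name audit_turn_conf is made up for this example.

```shell
#!/bin/sh
# Added example: audit a coturn config file against the 4.5.2-1 packaging
# (owner root, group turnserver, mode 640). Requires GNU stat (Debian default).
# Usage: audit_turn_conf /etc/turnserver.conf [owner] [group]
# Returns 0 if compliant, 1 if any finding was printed, 2 if the file is missing.
audit_turn_conf() {
    conf=$1
    want_owner=${2:-root}          # expected owner, from the changelog entry
    want_group=${3:-turnserver}    # expected group, from the changelog entry
    [ -f "$conf" ] || { echo "MISSING $conf"; return 2; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$conf")
    mode=$1; owner=$2; group=$3
    rc=0

    # 07137 = every bit that mode 0640 does not grant (incl. setuid/setgid/sticky)
    if [ $(( 0$mode & 07137 )) -ne 0 ]; then
        echo "MODE $conf is $mode, more permissive than 640"; rc=1
    fi
    [ "$owner" = "$want_owner" ] || { echo "OWNER $conf is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP $conf is $group, want $want_group"; rc=1; }

    # World-readable plus an active (uncommented) static-auth-secret line:
    # any local user can read the shared secret. Option name is an assumption
    # about how the "static secret" is configured.
    if [ $(( 0$mode & 04 )) -ne 0 ] &&
       grep -Eq '^[[:space:]]*static-auth-secret[[:space:]]*=' "$conf"; then
        echo "SECRET $conf is world-readable and sets static-auth-secret"; rc=1
    fi
    return $rc
}
```

A SECRET finding means the value should be rotated after the permissions are corrected, since it was readable by every local account in the meantime.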