Your message dated Wed, 10 Jun 2026 09:34:43 +0000
with message-id <[email protected]>
and subject line Bug#1129267: fixed in coturn 4.12.0-1
has caused the Debian Bug report #1129267,
regarding coturn: CVE-2026-27624
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129267
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: coturn
Version: 4.6.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for coturn.
CVE-2026-27624[0]:
| Coturn is a free open source implementation of TURN and STUN Server.
| Coturn is commonly configured to block loopback and internal ranges
| using "denied-peer-ip" and/or default loopback restrictions.
| CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and
| "[::]", but IPv4-mapped IPv6 is not covered. When sending a
| "CreatePermission" or "ChannelBind" request with the "XOR-PEER-
| ADDRESS" value of "::ffff:127.0.0.1", a successful response is
| received, even though "127.0.0.0/8" is blocked via "denied-peer-ip".
| The root cause is that, prior to the updated fix implemented in
| version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do
| not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks
| "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not
| "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::",
| but not "::ffff:0.0.0.0." "addr_less_eq()" used by
| "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range
| is AF_INET and the peer is AF_INET6, the comparison returns 0
| without extracting the embedded IPv4. Version 4.9.0 contains an
| updated fix to address the bypass of the fix for CVE-2020-26262.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27624
https://www.cve.org/CVERecord?id=CVE-2026-27624
[1] https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg
[2] https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
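The bypass described in the report, as an added example that is not coturn's code: a loopback check and a denied-range check that either ignore (unwrap=0, the pre-4.9.0 shape the advisory describes) or unwrap (unwrap=1) the IPv4 embedded in an IPv4-mapped IPv6 peer such as ::ffff:127.0.0.1. The function names, the [lo, hi] range form and the unwrap flag are this example's own assumptions, not coturn's API.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Parse an IPv4 or IPv6 literal into a sockaddr_storage. Returns 1 on success. */
static int parse_addr(const char *s, struct sockaddr_storage *out) {
    struct sockaddr_in *s4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)out;
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, s, &s4->sin_addr) == 1) { s4->sin_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, s, &s6->sin6_addr) == 1) { s6->sin6_family = AF_INET6; return 1; }
    return 0;
}

/* Host-order IPv4 behind an AF_INET address or a ::ffff:a.b.c.d mapped address.
 * unwrap=0 skips the mapped case (the pre-4.9.0 shape the advisory describes). */
static int effective_v4(const struct sockaddr_storage *a, int unwrap, uint32_t *ip) {
    if (a->ss_family == AF_INET) {
        *ip = ntohl(((const struct sockaddr_in *)a)->sin_addr.s_addr);
        return 1;
    }
    const struct in6_addr *a6 = &((const struct sockaddr_in6 *)a)->sin6_addr;
    if (a->ss_family == AF_INET6 && unwrap && IN6_IS_ADDR_V4MAPPED(a6)) {
        memcpy(ip, &a6->s6_addr[12], 4); /* embedded IPv4 is the last 4 bytes */
        *ip = ntohl(*ip);
        return 1;
    }
    return 0;
}

/* 1 if peer is loopback: 127/8, ::1, or (when unwrapping) ::ffff:127.x.x.x.
 * -1 if the literal does not parse. */
int peer_is_loopback(const char *peer, int unwrap) {
    struct sockaddr_storage p; uint32_t ip;
    if (!parse_addr(peer, &p)) return -1;
    if (effective_v4(&p, unwrap, &ip)) return (ip >> 24) == 127;
    return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)&p)->sin6_addr);
}

/* 1 if peer is inside the IPv4 range [lo, hi] (dotted literals), as denied-peer-ip
 * matching must decide; an AF_INET6 peer is only caught once its IPv4 is unwrapped. */
int peer_in_v4_range(const char *peer, const char *lo, const char *hi, int unwrap) {
    struct sockaddr_storage p, l, h; uint32_t ip, ip_lo, ip_hi;
    if (!parse_addr(peer, &p) || !parse_addr(lo, &l) || !parse_addr(hi, &h)) return -1;
    if (!effective_v4(&l, 0, &ip_lo) || !effective_v4(&h, 0, &ip_hi)) return -1;
    if (!effective_v4(&p, unwrap, &ip)) return 0; /* family mismatch: no match */
    return ip_lo <= ip && ip <= ip_hi;
}
```

With unwrap=0 the mapped peer passes both checks even though 127.0.0.0/8 is denied; with unwrap=1 it is treated exactly like 127.0.0.1.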
--- Begin Message ---
Source: coturn
Source-Version: 4.12.0-1
Done: Christoph Martin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
coturn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Martin <[email protected]> (supplier of updated coturn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 10 Jun 2026 10:29:35 +0200
Source: coturn
Architecture: source
Version: 4.12.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Christoph Martin <[email protected]>
Closes: 1129267 1134577
Changes:
coturn (4.12.0-1) unstable; urgency=high
.
[ Thomas Bartosik ]
* Non-maintainer upload.
* New upstream release.
* Fixes https://bugs.debian.org/1134577 (CVE-2026-40613),
https://bugs.debian.org/1129267 (CVE-2026-27624)
* TLS1.3 support for TURN/TLS
* Drop obsolete patches for openssl <3
* Built with OpenSSL 3.5 (auto-openssl transition)
.
[ Christoph Martin ]
* cleanup source
* add myself to uploaders
* Closes: #1134577
* Closes: #1129267
--- End Message ---