forked from pool/coturn
2e3a9bf2d5
New
* No more dependency on prometheus-client-c
* HTTPS support for prometheus client (optional)
* TLS support for redis - now compatible with managed redis
(optional).
* Rate limiting "401 Unauthorized" responses - reduces
reflection attacks off the coturn server. This is an
experimental feature - not fully tested on production scale
deployment and massive DDoS attacks. New prometheus counters
should help shed some light on real life behavior and
performance. The feature is off by default.
What's Changed
* validate hmackey length in sqlite_get_user_key before hex
decode.
* Add out-of-tree patch to restore deprecated OpenSSL 1.1.1.
* Add optional TLS transport for Redis connections.
* Fix relay threads override.
* Flush prometheus hot-path counters once per second to kill
lock contention.
* fix signed-char index out-of-bounds read in base64_decode.
* Build Prometheus exporter from vendored local sources.
* Prom https.
* Fix realm quota data race and warnings.
* Add per-source rate-limiting of UDP 401 Unauthorized responses
OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=53
641 lines
27 KiB
Plaintext
641 lines
27 KiB
Plaintext
-------------------------------------------------------------------
|
|
Mon Jun 22 14:04:26 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.14.0
|
|
New
|
|
* No more dependency on prometheus-client-c
|
|
* HTTPS support for prometheus client (optional)
|
|
* TLS support for redis - now compatible with managed redis
|
|
(optional).
|
|
* Rate limiting "401 Unauthorized" responses - reduces
|
|
reflection attacks off the coturn server. This is an
|
|
experimental feature - not fully tested on production scale
|
|
deployment and massive DDoS attacks. New prometheus counters
|
|
should help shed some light on real life behavior and
|
|
performance. The feature is off by default.
|
|
What's Changed
|
|
* validate hmackey length in sqlite_get_user_key before hex
|
|
decode.
|
|
* Add out-of-tree patch to restore deprecated OpenSSL 1.1.1.
|
|
* Add optional TLS transport for Redis connections.
|
|
* Fix relay threads override.
|
|
* Flush prometheus hot-path counters once per second to kill
|
|
lock contention.
|
|
* fix signed-char index out-of-bounds read in base64_decode.
|
|
* Build Prometheus exporter from vendored local sources.
|
|
* Prom https.
|
|
* Fix realm quota data race and warnings.
|
|
* Add per-source rate-limiting of UDP 401 Unauthorized responses
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 15 13:43:28 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.13.1
|
|
* null-terminate server_name in stun_is_challenge_response_str.
|
|
* Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks.
|
|
* Auto-deny coturn's own database backend endpoints as relay
|
|
peers.
|
|
* Deny link-local / ULA / site-local relay peers by default.
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jun 14 11:46:35 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.13.0
|
|
* Wrap atomic everywhere.
|
|
* Fix sendmmsg stride bug in multiplex-peer UDP batch flush.
|
|
* Reap TURN permissions/channels via a per-thread sweep instead
|
|
of per-object timers.
|
|
* Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO
|
|
batching.
|
|
* Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
|
|
* Restrict recvmmsg fast path to shared fan-in sockets
|
|
(make --udp-recvmmsg useful standalone).
|
|
* Enable --udp-recvmmsg by default on Linux.
|
|
* Security hardening: port parsing, admin brute-force throttle,
|
|
credential log redaction, constant-time compare, OAuth bounds
|
|
checks, permission cap (#1932).
|
|
* Add continuous latency mode to stunclient.
|
|
* Fix test_redis_format link failure.
|
|
* Fix configure MANPREFIX typo.
|
|
* Fix missing sqlite3 dependendcy.
|
|
* Fix UDP receive buffer ownership.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 25 09:16:38 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.12.0
|
|
* Update khash to the latest version (#1919).
|
|
* Update readme to match latest changes (#1920).
|
|
* Update docs for drop-invalid-packets and
|
|
response-origin-only-with-rfc5780.
|
|
* Multiplexpeer (#1916).
|
|
* Fix TTL/TOS type conversion (#1915).
|
|
* turnutils_uclient: sender thread pool + UDP-GSO send batching +
|
|
recv_pps reporting (#1913).
|
|
* Fix memory leak introduced by recvmmsg path (#1912).
|
|
* turnutils_uclient: multi-threaded listener (recv) pool.
|
|
* examples/turnserver.conf: update description of cli option.
|
|
* turnutils_uclient: Linux recvmmsg receive path + larger
|
|
SO_RCVBUF (#1910).
|
|
* Add UDP-GSO send path (--udp-gso) (#1907).
|
|
* turnutils_peer: Linux fast path with drain loop,
|
|
recvmmsg/sendmmsg, U… (#1908).
|
|
* Relay recvmmsg (#1906).
|
|
* fuzzing: use hex escapes for HTTP EOH dictionary entry.
|
|
* Sync turnserver man page with current CLI options (#1903).
|
|
* Remove stale --ne option from turnserver --help (#1904).
|
|
* Restore CodeQL permissions, category, and manual build mode.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 5 12:48:47 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.11.0
|
|
* Filc harness and pointer typedefs (#1896).
|
|
* Load generator mode in turnutils_uclient (#1894).
|
|
* Cache hot lookups in TURN data-path handlers (#1893).
|
|
* Inline get_ioa_addr_len() in the header (#1891).
|
|
* Trim two redundant checks from per-packet relay hot path.
|
|
* Hoist turn_server_get_engine() out of per-packet hot path.
|
|
* Add fuzz coverage for integrity helpers (#1888).
|
|
* Add deterministic challenge-response builder to FuzzStun.
|
|
* Seed address-mapping table in fuzz initializer (#1885).
|
|
* Unblock fuzz coverage for is_http and rare STUN attributes.
|
|
* HTTP parsing fixes (#1882).
|
|
* Out of bound HTTP detection in parser (#1877).
|
|
* Delete log line per relay thread on start (#1876).
|
|
* Add Unity-based unit test scaffolding (#1875).
|
|
* Drop udp_relay_servers_number config and clean up dead UDP
|
|
id-space (#1874).
|
|
* Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux.
|
|
* Pin session origin only after MESSAGE-INTEGRITY validates.
|
|
* Abort on malformed allowed/denied-peer-ip at startup (#1872).
|
|
* Fix format-string injection in Redis DB driver (#1870).
|
|
* Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 14 12:31:23 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.10.0
|
|
* Skip response buffer allocation for STUN indications.
|
|
* WebRTC Auth optimization path (#1860).
|
|
* Fix null pointer dereferences in post_parse() (#1859).
|
|
* Extend seed corpus (#1858).
|
|
* Add Linux-only `recvmmsg` receive path for DTLS/UDP listener.
|
|
* Fix Linux build warnings (#1853).
|
|
* perf: remove mutex from per-thread super_memory allocator.
|
|
* Keep only NEV_UDP_SOCKET_PER_THREAD network engine.
|
|
* Fix stack buffer overflow in OAuth token decoding.
|
|
* Update config and Readme files about deprecated TLSv1/1.1.
|
|
* perf: eliminate mutex and reduce copies on auth message
|
|
dispatch (#1843).
|
|
* perf: replace mutex_bps with lock-free atomics for bandwidth
|
|
tracking.
|
|
* Fix uint16_t truncation overflow in stun_get_message_len_str()
|
|
causes (#1844).
|
|
* fix: restore RFC 3489 (old STUN) backward compatibility broken
|
|
since 4.7.0 (#1839).
|
|
* Change port identifiers to use uint16_t (#1752).
|
|
* Fixes: run_tests.sh and no db (#1834).
|
|
* Add session usage reporting callback to TURN database driver.
|
|
* Initialize variables before use (#1832).
|
|
* Replace perror with logging (#1831).
|
|
* CLI interface is disabled by default.
|
|
* Disable reason string in response messages to reduce
|
|
amplification factor.
|
|
* Perf: improve worst case scenario optimization.
|
|
* Fix compilation warnings (#1822).
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 13 23:01:27 UTC 2026 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
Fixes for CVE-2026-27624 (boo#1258847) and CVE-2025-69217 (boo##1255744)
|
|
|
|
- Update to version 4.9.0
|
|
* Multiple security fixes.
|
|
* Fix to Web Admin password check.
|
|
* Cleanup of deprecated openssl APIs.
|
|
* Fix for CVE-2026-27624: bypass localhost and IP range block
|
|
using IPv4-mapped IPv6. boo#1258847
|
|
- Update to version 4.8.0
|
|
* Faster packet validation on listener threads to improve
|
|
handling of DDoS attacks.
|
|
* Make socket buffer size configurable with sock-buf-size.
|
|
* Address memory leaks and potential crashes.
|
|
* Improve random number usage to address CVE-2025-69217.
|
|
boo#1255744
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Nov 23 09:17:14 UTC 2025 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 4.7.0
|
|
* Breaking changes in order to get to sane defaults for improved
|
|
security by default
|
|
+ Support for openssl 1.1.1 and 3.x only.
|
|
+ Cleanup deprecated options - if your scripts have them
|
|
turnserver will fail to start.
|
|
+ Reverse SOFTWARE_ATTRIBUTE_OPT to avoid inverse logic - now
|
|
need to explicitly enable it.
|
|
+ Deprecate response-origin-only-with-rfc5780.
|
|
+ Invert no-stun-backward-compatibility to be default on.
|
|
* TLSv1 and TLSv1_1 are now optional (no need to turn them off).
|
|
* Minor bug fixes and regressions.
|
|
* Improved support for modern version of prometheus.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 12 13:54:59 UTC 2025 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Upgrade to coturn 4.6.3
|
|
* Release highlights:
|
|
- Multiple memory fixes
|
|
- New drain feature
|
|
- Better support for new versions of Redis
|
|
- Add support for raw public keys
|
|
|
|
* Complete change list
|
|
- Add clang-tidy, include-what-you-use, and msvc-analyzer github actions
|
|
- Add CodeQL workflow
|
|
- added missing function prototype of turn_random_number()
|
|
- Added sessionID to some log lines
|
|
- added support for amazon linux and renamed tests.yml
|
|
- added warnings for prometheus apt unavailability
|
|
- Add github action that runs tests with compiler sanitizers
|
|
- Additional refactoring of ns_turn_allocation.* to address security
|
|
scanner concerns
|
|
- Add MariaDB support to README.md
|
|
- Add new Drain feature
|
|
- Add prometheus setting suggestions on turn.conf in example folder
|
|
- Address clang-tidy warnings in db files
|
|
- Address some build issues introduced by api changes
|
|
- Add support for raw public keys
|
|
- Add the InsertBraces command for clang-format to ensure that all
|
|
conditionals always have braces
|
|
- Add warning and disable web admin if no-tls option used
|
|
- Adjust wording in cmake message when prometheous cannot be found.
|
|
- Allow authenticating with a username to redis
|
|
- Always run lint, regardless of branch
|
|
- Avoid nullptr dereference of server variable in various functions
|
|
- avoid potential nullptr derefernence in udp_create_server_socket
|
|
- Avoid read-past-end of string in get_bold_admin_title
|
|
- Avoid writing potentially uninitialized data to aes_128 key file
|
|
- changed variables in stunclient.c to bool
|
|
- Change minimal required cmake version to 3.16
|
|
- Change printf() to TURN_LOG_FUNC() for --no-stdout-log
|
|
- Change the various map functions to return bool instead of
|
|
inconsistantly return 0, 1, or -1
|
|
- Check allocation results in add_static_user_account
|
|
- Check the result of calloc in handle_logon_request
|
|
- Check the result of malloc in del_alt_server
|
|
- Check the result of malloc in mongo_set_realm_option_one
|
|
- Check the result of malloc in send_message_to_redis
|
|
- Check the result of malloc in string_list_add
|
|
- Check the result of realloc and calloc in ch_map_get
|
|
- CMake: Declare the variable nearby
|
|
- configure: data files shouldn't be executable
|
|
- defined a magic number for stun fingerprinting
|
|
- Delete dead code
|
|
- Delete unused variable
|
|
- Doc: add flowchart
|
|
- Easy installation of coturn on AWS
|
|
- Fix buffer overflow in generate_enc_password with increase rsalt by 2
|
|
- Fix build with libressl 3.6+
|
|
- Fix clang-format lint warnings
|
|
- Fix cli auth
|
|
- Fix Cmake find issue in libevent
|
|
- Fix cmake find prometheus(fix #1304)
|
|
- Fix compiler warnings from continuous integration
|
|
- Fix const during free warning in rfc5769check app
|
|
- Fix error of make command in Cygwin environment
|
|
- Fix formatting to fix lint error
|
|
- Fix lint complaint about comment
|
|
- Fix lint errors
|
|
- Fix linting error in mainrelay.c
|
|
- Fix make lint
|
|
- Fix memcpy len checks stun_is_challenge_response_str
|
|
- Fix memleak in pgsql_reread_realms
|
|
- Fix memory leak in netengine.c
|
|
- Fix memory leak in rfc5769check.c
|
|
- Fix memory leak on http_server.c
|
|
- Fix mingw build
|
|
- Fix missing strncpy in fix_stun_check_message_integrity_str
|
|
- Fix msvc analyzer error on goto label on rfc5769check
|
|
- Fix nodejs/glibc problem with old container images.
|
|
- Fix no-tls warning typo
|
|
- Fix potential null passed to function expecting nonnull
|
|
- Fix recursive call in delete alternate server
|
|
- Fix return correct error code for `create_relay_connection` in case
|
|
of `RESERVATION-TOKEN` failure
|
|
- Fix rpm version scripts
|
|
- Fix run cmake.yml in any github action
|
|
- Fix typos
|
|
- Fix ubuntu 16 build with GH action checkout version to v3
|
|
- Implement custom prometheus http handler
|
|
- Include what you use
|
|
- Install openssl-1.1.1 on amazonlinux:2 instead of openssl-1.0.1
|
|
- malloc now allocates space for string terminator
|
|
- Memset user_db before reading conf file, not after
|
|
- Missing session ID in coturn logs for denied IP - 1330
|
|
- Move the hiredis_libevent2 code from common to relay
|
|
- Only set MHD_USE_DUAL_STACK if IPv6 is available
|
|
- Print version only, no extra lines
|
|
- Reduce ifdefs in code: TURN_NO_PROMETHEUS
|
|
- Refactor: peer_input_handle
|
|
- Reformat code
|
|
- Remove unimplemented test folder reference from CMakeLists.txt
|
|
- Replace HeapAlloc with malloc
|
|
- Replace srand/rand with srandom/random
|
|
- Return a 400 response to HTTP requests
|
|
- Run all of the CI except for Docker builds on any change
|
|
- Simplify macOS detection macros
|
|
- Simplify workflow for codeql
|
|
- strncpy doesn't return size_t
|
|
- ubuntu build dependencies extracted to composite actions
|
|
- Update FlowChart
|
|
- Update libtelnet
|
|
- Update lukka/run
|
|
- Update SQLite.md
|
|
- Update turnserver.conf Example about listening-ip
|
|
- Update turnserver.spec
|
|
- Update version in vcpkg.json
|
|
- Use active CPU number instead of total number
|
|
- Use bool, instead of int, for the functions in ns_turn_msg.c
|
|
- Use bool over int for the turnutils_uclient program
|
|
- Use calloc where appropriate, avoid memset when normal buffer
|
|
initialization works
|
|
- Windows: Only attempt to bind when the network interface is up
|
|
- workflow tidying
|
|
|
|
- Rebased coturn-turnserver_conf.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 15 16:14:52 UTC 2024 - Adam Majer <amajer@suse.com>
|
|
|
|
- Don't hard require systemd -- not needed in containers
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 26 11:05:41 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
- Use %autosetup macro. Allows to eliminate the usage of deprecated
|
|
PatchN.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 13 18:49:29 UTC 2023 - chris@computersalat.de
|
|
|
|
- Update coturn-turnserver_conf.patch
|
|
* Fix comment for listening-ip
|
|
- enable 'verbose' log to see listening IPs and more, not just
|
|
server start/stop
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 9 07:19:06 UTC 2023 - chris@computersalat.de
|
|
|
|
- add coturn-turnserver_conf.patch
|
|
* to have a meaningful turnserver.conf.default
|
|
- create a ready-to-run turnserver.conf
|
|
- fix logrotate script
|
|
- Update README.SUSE for Let's Encrypt Certificates
|
|
- move certs to /etc/coturn/tls
|
|
- Update apparmor profile
|
|
- rework sysusers.d config file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 2 05:19:33 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
|
|
|
|
- Update to 4.6.2
|
|
* Make sure microhttpd starts using epoll if supported
|
|
* Add sessioncount to prometheus metrics
|
|
* Add STUN request/response/error prometheus counters
|
|
* Cleanup logs on turnserver start
|
|
* Fix duplicate stdout log output
|
|
* Log threadId to logs to aid in multi-threaded debugging
|
|
* Optional build info compiled into turnserver binary
|
|
* Fix arguments expansion in docker-entrypoint.sh
|
|
* Santise database connection strings before printing to log
|
|
* Support Windows MSVC
|
|
* Add configuration option for TLS 1.3 ciphersuites
|
|
* Improve openssl3 and FIPS support
|
|
* Use single SSL_CTX for TLS and DTLS support
|
|
* Update openssl API use to non-deprecated version
|
|
* Set string bytes to null to prevent random origin
|
|
* Fix memory corruption on socket close
|
|
* Fix packet backlog fifo that processed packets in reverse
|
|
order in some scenarios
|
|
* Fix off-by-one when terminating gcm_nonce
|
|
* Fixes to Redis memleaks and socketleaks
|
|
* Fix malformed response to mobility refresh request
|
|
* Fuzzing support
|
|
* Ignore raw UDP if no_udp is enabled
|
|
* Better detect availability of SCTP protocol
|
|
- Drop coturn-no-FIPS-140-mode.patch, fixed upstream, see
|
|
https://github.com/coturn/coturn/issues/1170
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Mar 6 17:09:44 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
|
|
|
|
- Add coturn-no-FIPS-140-mode.patch, fixes build against OpenSSL 3.0
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Dec 4 12:27:54 UTC 2022 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- Version 4.6.1
|
|
- Fix memory corruption on socket close (#1113)
|
|
- Version 4.6.0
|
|
- merge PR #967 (eakraly)
|
|
* fix small issues reported by cppcheck
|
|
- merge PR #974 (eakraly)
|
|
* fix long log line printing
|
|
- merge PR #973 (eakraly)
|
|
* Print turnserver version with --version
|
|
- merge PR #972 (eakraly)
|
|
* do not write outside of a buffer in admin interface
|
|
- merge PR #970 (eakraly)
|
|
* fix uclient certificate loading bug
|
|
- merge PR #971 (eakraly)
|
|
* fix duplicate TCP flag in run_tests.sh script
|
|
- merge PR #962 (huhaipeng)
|
|
* fix turn session leak
|
|
- merge PR #963 (eakraly)
|
|
* Document dependency of new-log-timestamp-format on new-log-timestamp
|
|
- merge PR #951 (steffen-moser)
|
|
* Enable compilation of coturn on Solaris 11.4
|
|
- merge PR #949 (eakraly)
|
|
* First step to re-enable compilation with OpenSSL 1.0.x
|
|
- merge PR #949 (eakraly)
|
|
* Fix cmake build on macOS
|
|
- merge PR #942 (eakraly)
|
|
* Disable SSL renegotiation
|
|
- merge PR #792 (yfaker)
|
|
* Fix user quota release #786
|
|
- merge PR #829 (fancycode)
|
|
* add more info to redis allocation status
|
|
- merge PR #938 (eakraly)
|
|
* update turnserver.conf comment
|
|
- merge PR #773 (haseebq)
|
|
* fix performance regression
|
|
- merge PR #773 (korayvt)
|
|
* add syslog facility config
|
|
- merge PR #897 (unicode-it)
|
|
* add support for dual-stack prom listener
|
|
- merge PR #984 (rozhuk-im)
|
|
* fix build with libressl 3.4.0+
|
|
- merge PR #926 (ggarber)
|
|
* add ci tests workflow
|
|
- merge PR #934 (neocat)
|
|
* show error on invalid config
|
|
- merge PR #787 (dsmeytis)
|
|
* add new prom allocations metric
|
|
- merge PR #869 (micmac1)
|
|
* don't link in libintl
|
|
- merge PR #895 (alexnedo)
|
|
* fix access to freed memory
|
|
- merge PR #919 (sysvinit)
|
|
* configurable prom username labels
|
|
- merge PR #840 (sysvinit)
|
|
* configurable prometheus listener port
|
|
- merge PR #870 (micmac1)
|
|
* fix build mariadb connector
|
|
- merge PR #851 (freedomben)
|
|
* fix README typo
|
|
- merge PR #877 (davel)
|
|
* correct doc typo
|
|
- merge PR #755(moznuy) and #825(by argggh)
|
|
* fix sqlite3_shutdown and sqlite3_config race
|
|
- merge PR #826 (by giavac)
|
|
* prom server better
|
|
- merge PR #684 (by brevilo)
|
|
* Define OPENSSL_VERSION_1_1_1 on systems where it doesn't (yet) exist
|
|
* Regression in 4.5.2 that cause issues in openssl version < 1.1.1.
|
|
- typo fix in prometheus (by fcecagno)
|
|
- merge PR #687 (by Wuelber Castillo)
|
|
* Add hash algorithm for hmackey value to redis userdb schema docs
|
|
- replace keep-address-family with allocation-default-address-family (keep-address-family deprecated and will be removed!!)
|
|
- merge PR #703 (by j4zzc4t)
|
|
* Restore no_stdout_log behavior
|
|
- merge PR #727 (by JoKoT3)
|
|
* Support older mysql client version in configure
|
|
- merge PR #721 (by KangLin)
|
|
* Add to support cmake
|
|
- merge PR #717 (by marcoschum)
|
|
* Fix typo in turnserver.conf
|
|
- merge PR #704 (by hills)
|
|
* Packaging scripts can miss out on these errors (exit code)
|
|
- merge PR #679 (by rubo77)
|
|
* Readme.turnserver: how to run server as a daemon
|
|
- merge PR #739 (by hills)
|
|
* SSL reload has hidden bugs which cause crashes
|
|
- Fix regression in PR #739
|
|
- Try to mitigate STUN amplification attatck
|
|
* Add new option --no-rfc5780 to force disable RFC8750
|
|
* Add new option --no-stun-backward-compatibility
|
|
Disable handling old STUN Binding requests and disable
|
|
MAPPED-ADDRESS attribute in binding response (use only the
|
|
XOR-MAPPED-ADDRESS)
|
|
* Add new option --response-origin-only-with-rfc5780
|
|
Add RESPONSE_ORIGIN attribute only if rfc5780 is enabled
|
|
* Don't send SOFTWARE attribute if --no-software-attribute set on (BREAKING CHANGE)
|
|
- merge PR #767 (by ggalperi)
|
|
* fix for log_binding (regression)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 19 19:25:35 UTC 2022 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
|
|
|
|
- Drop @privileged SystemCallFilter, can prevent service from starting (status=31/SYS)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 18 14:55:57 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- Dropped harden_coturn.service.patch because systemd units are
|
|
created from own source anyway and are proven to work
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 15 12:11:35 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 30 11:55:53 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Added hardening to systemd service(s). Added patch(es):
|
|
* harden_coturn.service.patch
|
|
Modified:
|
|
* coturn.service
|
|
* coturn@.service
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 11 10:27:20 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Version 4.5.2
|
|
* Fix for CVE-2020-26262 (boo#1180764)
|
|
- Fix ipv6 ::1 loopback check
|
|
- Not allow allocate peer address 0.0.0.0/8 and ::/128
|
|
- For more details see the github security advisory:
|
|
https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
|
|
|
|
* fix null pointer dereference in case of out of memory.
|
|
* Fix: Null pointer dereference on tcp_client_input_handler_rfc6062data function
|
|
* Fix: use-after-free vulnerability on write_to_peerchannel function
|
|
* Fix: use-after-free vulnerability on write_client_connection function
|
|
|
|
* add prometheus metrics
|
|
* Delete trailing whitespace in example configuration files
|
|
* Add architecture ppc64le to travis build
|
|
* Fix misleading option in doc (prometheus)
|
|
* Allow RFC6062 TCP relay data to look like TLS
|
|
* Add support for proxy protocol V1
|
|
* Print full date and time in logs
|
|
* Add new options: "new-log-timestamp" and "new-log-timestamp-format"
|
|
* Do not use FIPS and remove hardcode OPENSSL_VERSION_NUMBER with LibreSSL
|
|
* Add ACME redirect url
|
|
* support of --acme-redirect <URL>
|
|
* fix acme security, redundancy, consistency
|
|
* Add new --log-binding option to enable binding request logging
|
|
* Fix stale-nonce documentation
|
|
* Version number is changed to semver 2.0
|
|
* pkg-config, and various cleanups in configure file
|
|
* Add systemd notification for better systemd integration
|
|
* Fix c++ support
|
|
* Remove session id/allocation labels
|
|
* Remove per session metrics. We should later add more counters.
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Dec 27 15:42:09 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- AppArmor profile has ABI 3.0 and some minor changes
|
|
- Modified systemd unit:
|
|
* do not use daemon mode
|
|
* Type=simple
|
|
* added security settings
|
|
- added multi-instance systemd unit
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 19 10:48:41 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
|
|
|
|
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 30 07:54:01 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Version 4.5.1.3:
|
|
* Remove reference to SSLv3: gh#coturn/coturn#566
|
|
* Ignore MD5 for BoringSSL: gh#coturn/coturn#579
|
|
* STUN response buffer not initialized properly; he issue found and
|
|
reported gh#coturn/coturn#583 by Felix Dörre all credits belongs to
|
|
him. CVE-2020-4067, boo#1173510
|
|
|
|
- Let coturn allow binding to ports below 1024 per default
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 4 12:58:39 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Extended Readme.SUSE with description on how to bind to ports below 1024
|
|
- Fixes and enhancements in service-file
|
|
- /etc/sysconfig/coturn defaults now to not show software's version to the public
|
|
|
|
- Version 4.5.1.2:
|
|
* Do not display empty CLI passwd alert if CLI is not enabled
|
|
* Removed several functions: gh#coturn/coturn#359
|
|
* Fix webadmin IP permission and possible SQL-injections: gh#coturn/coturn#386
|
|
* Fix Mongo driver crash on invalid connection string: gh#coturn/coturn#390
|
|
* enhanced fread return length check: gh#coturn/coturn#392
|
|
* disconnect database gracefully: #367
|
|
* Using SSL_get_version method for BoringSSL compatibility:
|
|
turn_session_info->tls_method returns real TLS version:
|
|
gh#coturn/coturn#382
|
|
* Added systemd service example: gh#coturn/coturn#276
|
|
* Add bandwidth usage reporting packet/bandwidth usage by peers:
|
|
gh#coturn/coturn#284
|
|
* Modifying configure to enable compile with private libraries:
|
|
gh#coturn/coturn#381
|
|
* Append to log files rather than overriding them: gh#coturn/coturn#417
|
|
* Updated incorrect string length check for 'ssh': gh#coturn/coturn#442
|
|
* Fix Dockerfile for latest Debian: gh#coturn/coturn#449
|
|
* CVE-2020-6061, CVE-2020-6062: specially crafted HTTP POST request can lead
|
|
to heap overflow which can result in information leak:
|
|
gh#coturn/coturn#489
|
|
* STUN input validation: gh#coturn/coturn#472
|
|
* Allow MD5 in FIPS mode: gh#coturn/coturn#398
|
|
* update travis config ubuntu/mac images
|
|
* added null check for second char: gh#coturn/coturn#466
|
|
* compiler warning fixes: gh#coturn/coturn#470
|
|
* Fix a memory leak when an SHATYPE isn't supported: gh#coturn/coturn#471
|
|
* fix compiler warning comparison between signed and unsigned integer expressions
|
|
* fix compiler warning string truncation
|
|
* change Diffie Hellman default key length from 1066 to 2066
|
|
* drop of supplementary group IDs: gh#coturn/coturn#522
|
|
* Unify spelling of Coturn: gh#coturn/coturn#514
|
|
* Rename "prod" config option to "no-software-attribute": gh#coturn/coturn#506
|
|
gh#coturn/coturn#478
|
|
* change sql data dir in docker-compose-all.yml: gh#coturn/coturn#516
|
|
* add flags to disable periodic use of dynamic tables: gh#coturn/coturn#525
|
|
|
|
* fix typos and grammar: gh#coturn/coturn#463, gh#coturn/coturn#488
|
|
* Update README.docker: gh#coturn/coturn#475
|
|
* fix config extension in README.docker: gh#coturn/coturn#519
|
|
* Code beautifications: gh#coturn/coturn#327, gh#coturn/coturn#455,
|
|
gh#coturn/coturn#513
|
|
|
|
- Removed patches now included in upstream: coturn-4.5.1.0-append-log.patch,
|
|
coturn-4.5.1.1-cve-2020-6061.patch, coturn-4.5.1.1-cve-2020-6062.patch and
|
|
coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 14 18:38:59 UTC 2020 - lars@linux-schulserver.de
|
|
|
|
- added apparmor profile (coturn-apparmor-usr.bin.turnserver)
|
|
- fix executable permissions in devel package by using defattr
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Apr 12 05:47:04 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Use pkgconfig(systemd) for packaging
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 11 20:17:07 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Shorten description by stripping the long list of all RFCs.
|
|
- Drop %defattr; use %autosetup.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 9 10:57:37 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Initial release of coturn 4.5.1.1
|