diff options
author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-04-29 01:11:43 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-04-29 12:53:16 +0200 |
commit | 704a018aaea16e044c1adf33accce6be2884911d (patch) | |
tree | aa191febc29ec12603b2e3296cdadbe5d28db99a /pkgs/servers | |
parent | a8b60a8567b8665665c04b3bad6e7d0f3b5b26b1 (diff) |
coturn: apply patch for CVE-2020-6061/6062
Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.
Diffstat (limited to 'pkgs/servers')
-rw-r--r-- | pkgs/servers/coturn/default.nix | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/pkgs/servers/coturn/default.nix b/pkgs/servers/coturn/default.nix index 24dc256ba69f7..51502c3fd97ff 100644 --- a/pkgs/servers/coturn/default.nix +++ b/pkgs/servers/coturn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, openssl, libevent }: +{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }: stdenv.mkDerivation rec { pname = "coturn"; @@ -13,7 +13,14 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libevent ]; - patches = [ ./pure-configure.patch ]; + patches = [ + ./pure-configure.patch + (fetchpatch { + name = "CVE-2020-6061+6062.patch"; + url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch"; + sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2"; + }) + ]; meta = with stdenv.lib; { homepage = "https://coturn.net/"; |