Debian Package Tracker

coturn

TURN and STUN server for VoIP

general
  • source: coturn (main)
  • version: 4.6.1-2
  • maintainer: Debian VoIP Team (archive) (DMD)
  • uploaders: Oleg Moskalenko [DMD] – Mészáros Mihály [DMD]
  • arch: any
  • std-ver: 4.5.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
  • o-o-stable: 4.5.2-3
  • oldstable: 4.6.1-1
  • stable: 4.6.1-2
  • unstable: 4.6.1-2
binaries
  • coturn (7 bugs: 0, 6, 1, 0)
action needed
2 security issues in trixie [high]

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2026-27624: Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1". "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0". "addr_less_eq()" is used by "ioa_addr_in_range()" for "denied-peer-ip" matching; when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4 address. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
  • CVE-2026-40613: Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
Created: 2026-02-25 Last update: 2026-05-22 18:30
2 security issues in sid [high]

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-27624
  • CVE-2026-40613
Created: 2026-02-25 Last update: 2026-05-22 18:30
2 security issues in bullseye [high]

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2026-27624
  • CVE-2026-40613
Created: 2026-02-25 Last update: 2026-05-22 18:30
2 security issues in bookworm [high]

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2026-27624
  • CVE-2026-40613
Created: 2026-02-25 Last update: 2026-05-22 18:30
2 security issues in forky [high]

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-27624
  • CVE-2026-40613
Created: 2026-02-25 Last update: 2026-04-28 19:02
The package has not entered testing even though the delay is over [normal]
The package has not entered testing even though the 2-day delay is over. Check why.
Created: 2026-05-22 Last update: 2026-06-07 14:02
1 open merge request in Salsa [normal]
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2026-05-11 Last update: 2026-06-02 20:33
5 new commits since last upload, is it time to release? [normal]
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit e89b5235c95dc38fcc9b399b7d8d22f52a18d749
Merge: 4a1e71a aacaa12
Author: Christoph Martin <chrism@debian.org>
Date:   Tue Jun 2 18:55:32 2026 +0000

    Merge branch 'sysusers' into 'master'
    
    Install and use sysusers.d/tmpfiles.d config files
    
    See merge request pkg-voip-team/coturn!1

commit aacaa12dd745e7104813f65b7042116ba1392716
Author: Luca Boccassi <luca.boccassi@gmail.com>
Date:   Fri May 8 22:53:15 2026 +0100

    Install and use sysusers.d/tmpfiles.d config files
    
    sysusers.d/tmpfiles.d config files allow a package to use
    declarative configuration instead of manually written maintainer
    scripts. This also allows image-based systems to be created
    with /usr/ only, and also allows for factory resetting a system
    and recreating /etc/ on boot.
    
    https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
    https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html

commit 18ae236ebbcf23d92fee9c00b6ae38dfb5303e13
Author: Luca Boccassi <luca.boccassi@gmail.com>
Date:   Fri May 8 22:51:57 2026 +0100

    Stop deleting system user on remove/purge
    
    This is widely considered bad practice, as the kernel recycles
    UIDs/GIDs. So any potential leftover file/directory can then
    become owned by the next user/group that gets added, with
    unpredictable consequences.

commit 4a1e71a723a12bc9b4f7b9a4025bbf5b11cda98a
Author: Christoph Martin <martin@uni-mainz.de>
Date:   Tue Jun 2 15:34:42 2026 +0200

    add salsa-ci.yml

commit f54b74b623c61e31acf2b182a4f7a763e746ff36
Author: Christoph Martin <martin@uni-mainz.de>
Date:   Mon Jun 1 19:21:11 2026 +0200

    update debian/watch to github for new releases
Created: 2026-06-02 Last update: 2026-06-02 20:33
debian/patches: 1 patch to forward upstream [low]

Among the 3 debian patches available in version 4.6.1-2 of the package, we noticed the following issues:

  • 1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2024-04-14 11:03
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.5.1).
Created: 2021-08-18 Last update: 2026-03-31 15:01
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for coturn (- to 4.6.1-2): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • Updating coturn would introduce bugs in testing: #1129267, #1134577
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/c/coturn.html
      • Autopkgtest for coturn/4.6.1-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Reproduced on amd64
      • Reproduced on arm64
      • Reproduced on armhf
      • Reproduced on i386
      • Required age reduced by 3 days because of autopkgtest
      • 784 days old (needed 2 days)
    • Not considered
news
  • [2026-05-23] coturn REMOVED from testing (Debian testing watch)
  • [2024-05-03] coturn 4.6.1-2 MIGRATED to testing (Debian testing watch)
  • [2024-04-13] Accepted coturn 4.6.1-2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
  • [2023-02-07] coturn 4.6.1-1 MIGRATED to testing (Debian testing watch)
  • [2023-02-05] Accepted coturn 4.6.1-1 (source) into unstable (Dominik George)
  • [2022-06-12] coturn 4.5.2-3.1 MIGRATED to testing (Debian testing watch)
  • [2022-06-02] Accepted coturn 4.5.2-3.1 (source) into unstable (Nicholas Guriev) (signed by: bage@debian.org)
  • [2022-05-27] coturn 4.5.2-3 MIGRATED to testing (Debian testing watch)
  • [2022-05-26] coturn REMOVED from testing (Debian testing watch)
  • [2022-05-26] coturn REMOVED from testing (Debian testing watch)
  • [2021-04-20] coturn 4.5.2-3 MIGRATED to testing (Debian testing watch)
  • [2021-03-30] Accepted coturn 4.5.2-3 (source) into unstable (Mészáros Mihály) (signed by: Ferenc Wágner)
  • [2021-02-21] coturn 4.5.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-02-10] Accepted coturn 4.5.2-2 (source) into unstable (Mészáros Mihály) (signed by: Ferenc Wágner)
  • [2021-02-03] Accepted coturn 4.5.2-1~bpo10+1 (source i386) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Ferenc Wágner)
  • [2021-01-14] Accepted coturn 4.5.1.1-1.1+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Ferenc Wágner)
  • [2021-01-14] coturn 4.5.2-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-12] Accepted coturn 4.5.2-1 (source) into unstable (Mészáros Mihály) (signed by: Ferenc Wágner)
  • [2021-01-11] Accepted coturn 4.5.0.5-1+deb9u3 (source) into oldstable (Mészáros Mihály) (signed by: Emilio Pozuelo Monfort)
  • [2021-01-11] Accepted coturn 4.5.1.1-1.1+deb10u2 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Ferenc Wágner)
  • [2020-11-07] coturn 4.5.1.3-1 MIGRATED to testing (Debian testing watch)
  • [2020-09-15] coturn REMOVED from testing (Debian testing watch)
  • [2020-07-08] Accepted coturn 4.5.1.1-1.1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2020-07-03] Accepted coturn 4.5.0.5-1+deb9u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2020-07-02] coturn 4.5.1.3-1 MIGRATED to testing (Debian testing watch)
  • [2020-07-01] Accepted coturn 4.2.1.2-1+deb8u2 (source amd64) into oldoldstable (Utkarsh Gupta)
  • [2020-06-29] Accepted coturn 4.5.0.5-1+deb9u2 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2020-06-29] Accepted coturn 4.5.1.1-1.1+deb10u1 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2020-06-29] Accepted coturn 4.5.1.3-1 (source) into unstable (Mészáros Mihály) (signed by: Ferenc Wágner)
  • [2020-04-22] coturn 4.5.1.1-1.2 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 9
  • RC: 2
  • I&N: 6
  • M&W: 1
  • F&P: 0
  • patch: 0
ubuntu
  • version: 4.6.1-2build2
  • 17 bugs
