coturn - Debian Package Tracker

general

source: coturn (main)
version: 4.6.1-2
maintainer: Debian VoIP Team (archive) (DMD)
uploaders: Oleg Moskalenko [DMD] – Mészáros Mihály [DMD]
arch: any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.5.2-3
oldstable: 4.6.1-1
stable: 4.6.1-2
testing: 4.6.1-2
unstable: 4.6.1-2

versioned links

4.5.2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.6.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.6.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

coturn (5 bugs: 0, 4, 1, 0)

action needed

Marked for autoremoval on 21 May: #1129267, #1134577 high

Version 4.6.1-2 of coturn is marked for autoremoval from testing on Thu 21 May 2026. It is affected by #1129267, #1134577. You should try to prevent the removal by fixing these RC bugs.

Created: 2026-05-06 Last update: 2026-05-18 09:01

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-27624: Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0." "addr_less_eq()" used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
CVE-2026-40613: Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.