704a018aae
Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.
33 lines
893 B
Nix
33 lines
893 B
Nix
{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }:
|
|
|
|
stdenv.mkDerivation rec {
|
|
pname = "coturn";
|
|
version = "4.5.1.1";
|
|
|
|
src = fetchFromGitHub {
|
|
owner = "coturn";
|
|
repo = "coturn";
|
|
rev = version;
|
|
sha256 = "12x604lgva1d3g4wvl3f66rdj6lkjk5cqr0l3xas33xgzgm13pwr";
|
|
};
|
|
|
|
buildInputs = [ openssl libevent ];
|
|
|
|
patches = [
|
|
./pure-configure.patch
|
|
(fetchpatch {
|
|
name = "CVE-2020-6061+6062.patch";
|
|
url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch";
|
|
sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2";
|
|
})
|
|
];
|
|
|
|
meta = with stdenv.lib; {
|
|
homepage = "https://coturn.net/";
|
|
license = with licenses; [ bsd3 ];
|
|
description = "A TURN server";
|
|
platforms = platforms.all;
|
|
broken = stdenv.isDarwin; # 2018-10-21
|
|
maintainers = [ maintainers.ralith ];
|
|
};
|
|
}
|