nixpkgs/pkgs/servers/coturn/default.nix
Martin Weinelt 704a018aae
coturn: apply patch for CVE-2020-6061/6062
Fixes: CVE-2020-6061, CVE-2020-6062

An exploitable heap overflow vulnerability exists in the way CoTURN
4.5.1.1 web server parses POST requests. A specially crafted HTTP
POST request can lead to information leaks and other misbehavior.
An attacker needs to send an HTTPS request to trigger this vulnerability.

An exploitable denial-of-service vulnerability exists in the way
CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
HTTP POST request can lead to server crash and denial of service.
An attacker needs to send an HTTP request to trigger this vulnerability.
2020-04-29 12:53:16 +02:00

33 lines
893 B
Nix

{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }:
stdenv.mkDerivation rec {
pname = "coturn";
version = "4.5.1.1";
src = fetchFromGitHub {
owner = "coturn";
repo = "coturn";
rev = version;
sha256 = "12x604lgva1d3g4wvl3f66rdj6lkjk5cqr0l3xas33xgzgm13pwr";
};
buildInputs = [ openssl libevent ];
patches = [
./pure-configure.patch
(fetchpatch {
name = "CVE-2020-6061+6062.patch";
url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch";
sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2";
})
];
meta = with stdenv.lib; {
homepage = "https://coturn.net/";
license = with licenses; [ bsd3 ];
description = "A TURN server";
platforms = platforms.all;
broken = stdenv.isDarwin; # 2018-10-21
maintainers = [ maintainers.ralith ];
};
}