Fedora 42 : coturn (2026-dfa8ea5809)

Nessus Plugin ID 315106 (severity: high)

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-dfa8ea5809 advisory.

# Coturn 4.11.0

- Fix prometheus response memory leak introduced in 4.10.0
- Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC
- Fix format-string injection in Redis DB driver
- Abort on malformed allowed/denied-peer-ip at startup
- Pin session origin only after MESSAGE-INTEGRITY validates
- Fix build failure: define `_GNU_SOURCE` for `recvmmsg()` on Linux
- Drop `udp_relay_servers_number` config and clean up dead UDP id-space
- Add Unity-based unit test scaffolding
- Delete log line per relay thread on start
- Out of bound HTTP detection in parser
- Extend STUN client fuzz builder coverage
- Extend fuzzing coverage and enable local fuzzing in a container
- Cover all public `stun_buffer.c` wrappers in FuzzStunClient
- HTTP parsing fixes
- Unblock fuzz coverage for is_http and rare STUN attributes
- Seed address-mapping table in fuzz initializer
- Add deterministic challenge-response builder to FuzzStun
- Add fuzz coverage for integrity helpers
- Hoist `turn_server_get_engine()` out of per-packet hot path
- Inline `addr_cpy()` in the header
- Trim two redundant checks from per-packet relay hot path
- Inline `get_ioa_addr_len()` in the header
- Cache hot lookups in TURN data-path handlers
- Load generator mode in `turnutils_uclient`
- Filc harness and pointer typedefs

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected coturn package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2026-dfa8ea5809

Plugin Details

Severity: High

ID: 315106

File Name: fedora_2026-dfa8ea5809.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 5/17/2026

Updated: 5/17/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:coturn, cpe:/o:fedoraproject:fedora:42

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/9/2026

Vulnerability Publication Date: 5/9/2026

Reference Information