openSUSE 16 Security Update : coturn (openSUSE-SU-2026:21184-1)

medium Nessus Plugin ID 324885

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21184-1 advisory.

Changes in coturn:

- Update to version 4.14.0 New
* No more dependency on prometheus-client-c
* HTTPS support for prometheus client (optional)
* TLS support for redis - now compatible with managed redis (optional).
* Rate limiting 401 Unauthorized responses - reduces reflection attacks off the coturn server. This is an experimental feature - not fully tested on production scale deployment and massive DDoS attacks. New prometheus counters should help shed some light on real life behavior and performance. The feature is off by default.
What's Changed
* validate hmackey length in sqlite_get_user_key before hex decode.
* Add out-of-tree patch to restore deprecated OpenSSL 1.1.1.
* Add optional TLS transport for Redis connections.
* Fix relay threads override.
* Flush prometheus hot-path counters once per second to kill lock contention.
* fix signed-char index out-of-bounds read in base64_decode.
* Build Prometheus exporter from vendored local sources.
* Prom https.
* Fix realm quota data race and warnings.
* Add per-source rate-limiting of UDP 401 Unauthorized responses

- Update to version 4.13.1
* null-terminate server_name in stun_is_challenge_response_str.
* Canonicalize all IPv4-in-IPv6 encodings before peer-IP checks.
* Auto-deny coturn's own database backend endpoints as relay peers.
* Deny link-local / ULA / site-local relay peers by default.

- Update to version 4.13.0
* Wrap atomic everywhere.
* Fix sendmmsg stride bug in multiplex-peer UDP batch flush.
* Reap TURN permissions/channels via a per-thread sweep instead of per-object timers.
* Add --udp-sendmmsg-log to observe egress sendmmsg/UDP-GSO batching.
* Expose recvmmsg/sendmmsg UDP batch sizes as Prometheus metrics
* Restrict recvmmsg fast path to shared fan-in sockets (make --udp-recvmmsg useful standalone).
* Enable --udp-recvmmsg by default on Linux.
* Security hardening: port parsing, admin brute-force throttle, credential log redaction, constant-time compare, OAuth bounds checks, permission cap (#1932).
* Add continuous latency mode to stunclient.
* Fix test_redis_format link failure.
* Fix configure MANPREFIX typo.
* Fix missing sqlite3 dependendcy.
* Fix UDP receive buffer ownership.

- Update to version 4.12.0
* Update khash to the latest version (#1919).
* Update readme to match latest changes (#1920).
* Update docs for drop-invalid-packets and response-origin-only-with-rfc5780.
* Multiplexpeer (#1916).
* Fix TTL/TOS type conversion (#1915).
* turnutils_uclient: sender thread pool + UDP-GSO send batching + recv_pps reporting (#1913).
* Fix memory leak introduced by recvmmsg path (#1912).
* turnutils_uclient: multi-threaded listener (recv) pool.
* examples/turnserver.conf: update description of cli option.
* turnutils_uclient: Linux recvmmsg receive path + larger SO_RCVBUF (#1910).
* Add UDP-GSO send path (--udp-gso) (#1907).
* turnutils_peer: Linux fast path with drain loop, recvmmsg/sendmmsg, U (#1908).
* Relay recvmmsg (#1906).
* fuzzing: use hex escapes for HTTP EOH dictionary entry.
* Sync turnserver man page with current CLI options (#1903).
* Remove stale --ne option from turnserver --help (#1904).
* Restore CodeQL permissions, category, and manual build mode.

- Update to version 4.11.0
* Filc harness and pointer typedefs (#1896).
* Load generator mode in turnutils_uclient (#1894).
* Cache hot lookups in TURN data-path handlers (#1893).
* Inline get_ioa_addr_len() in the header (#1891).
* Trim two redundant checks from per-packet relay hot path.
* Hoist turn_server_get_engine() out of per-packet hot path.
* Add fuzz coverage for integrity helpers (#1888).
* Add deterministic challenge-response builder to FuzzStun.
* Seed address-mapping table in fuzz initializer (#1885).
* Unblock fuzz coverage for is_http and rare STUN attributes.
* HTTP parsing fixes (#1882).
* Out of bound HTTP detection in parser (#1877).
* Delete log line per relay thread on start (#1876).
* Add Unity-based unit test scaffolding (#1875).
* Drop udp_relay_servers_number config and clean up dead UDP id-space (#1874).
* Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux.
* Pin session origin only after MESSAGE-INTEGRITY validates.
* Abort on malformed allowed/denied-peer-ip at startup (#1872).
* Fix format-string injection in Redis DB driver (#1870).
* Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC.

- Update to version 4.10.0
* Skip response buffer allocation for STUN indications.
* WebRTC Auth optimization path (#1860).
* Fix null pointer dereferences in post_parse() (#1859).
* Extend seed corpus (#1858).
* Add Linux-only `recvmmsg` receive path for DTLS/UDP listener.
* Fix Linux build warnings (#1853).
* perf: remove mutex from per-thread super_memory allocator.
* Keep only NEV_UDP_SOCKET_PER_THREAD network engine.
* Fix stack buffer overflow in OAuth token decoding.
* Update config and Readme files about deprecated TLSv1/1.1.
* perf: eliminate mutex and reduce copies on auth message dispatch (#1843).
* perf: replace mutex_bps with lock-free atomics for bandwidth tracking.
* Fix uint16_t truncation overflow in stun_get_message_len_str() causes (#1844).
* fix: restore RFC 3489 (old STUN) backward compatibility broken since 4.7.0 (#1839).
* Change port identifiers to use uint16_t (#1752).
* Fixes: run_tests.sh and no db (#1834).
* Add session usage reporting callback to TURN database driver.
* Initialize variables before use (#1832).
* Replace perror with logging (#1831).
* CLI interface is disabled by default.
* Disable reason string in response messages to reduce amplification factor.
* Perf: improve worst case scenario optimization.
* Fix compilation warnings (#1822).

Fixes for CVE-2026-27624 (boo#1258847) and CVE-2025-69217 (boo##1255744)

- Update to version 4.9.0
* Multiple security fixes.
* Fix to Web Admin password check.
* Cleanup of deprecated openssl APIs.
* Fix for CVE-2026-27624: bypass localhost and IP range block using IPv4-mapped IPv6. boo#1258847
- Update to version 4.8.0
* Faster packet validation on listener threads to improve handling of DDoS attacks.
* Make socket buffer size configurable with sock-buf-size.
* Address memory leaks and potential crashes.
* Improve random number usage to address CVE-2025-69217.
boo#1255744

- Update to version 4.7.0
* Breaking changes in order to get to sane defaults for improved security by default
- Support for openssl 1.1.1 and 3.x only.
- Cleanup deprecated options - if your scripts have them turnserver will fail to start.
- Reverse SOFTWARE_ATTRIBUTE_OPT to avoid inverse logic - now need to explicitly enable it.
- Deprecate response-origin-only-with-rfc5780.
- Invert no-stun-backward-compatibility to be default on.
* TLSv1 and TLSv1_1 are now optional (no need to turn them off).
* Minor bug fixes and regressions.
* Improved support for modern version of prometheus.

- Upgrade to coturn 4.6.3
* Release highlights:
- Multiple memory fixes
- New drain feature
- Better support for new versions of Redis
- Add support for raw public keys

* Complete change list
- Add clang-tidy, include-what-you-use, and msvc-analyzer github actions
- Add CodeQL workflow
- added missing function prototype of turn_random_number()
- Added sessionID to some log lines
- added support for amazon linux and renamed tests.yml
- added warnings for prometheus apt unavailability
- Add github action that runs tests with compiler sanitizers
- Additional refactoring of ns_turn_allocation.* to address security scanner concerns
- Add MariaDB support to README.md
- Add new Drain feature
- Add prometheus setting suggestions on turn.conf in example folder
- Address clang-tidy warnings in db files
- Address some build issues introduced by api changes
- Add support for raw public keys
- Add the InsertBraces command for clang-format to ensure that all conditionals always have braces
- Add warning and disable web admin if no-tls option used
- Adjust wording in cmake message when prometheous cannot be found.
- Allow authenticating with a username to redis
- Always run lint, regardless of branch
- Avoid nullptr dereference of server variable in various functions
- avoid potential nullptr derefernence in udp_create_server_socket
- Avoid read-past-end of string in get_bold_admin_title
- Avoid writing potentially uninitialized data to aes_128 key file
- changed variables in stunclient.c to bool
- Change minimal required cmake version to 3.16
- Change printf() to TURN_LOG_FUNC() for --no-stdout-log
- Change the various map functions to return bool instead of inconsistantly return 0, 1, or -1
- Check allocation results in add_static_user_account
- Check the result of calloc in handle_logon_request
- Check the result of malloc in del_alt_server
- Check the result of malloc in mongo_set_realm_option_one
- Check the result of malloc in send_message_to_redis
- Check the result of malloc in string_list_add
- Check the result of realloc and calloc in ch_map_get
- CMake: Declare the variable nearby
- configure: data files shouldn't be executable
- defined a magic number for stun fingerprinting
- Delete dead code
- Delete unused variable
- Doc: add flowchart
- Easy installation of coturn on AWS
- Fix buffer overflow in generate_enc_password with increase rsalt by 2
- Fix build with libressl 3.6+
- Fix clang-format lint warnings
- Fix cli auth
- Fix Cmake find issue in libevent
- Fix cmake find prometheus(fix #1304)
- Fix compiler warnings from continuous integration
- Fix const during free warning in rfc5769check app
- Fix error of make command in Cygwin environment
- Fix formatting to fix lint error
- Fix lint complaint about comment
- Fix lint errors
- Fix linting error in mainrelay.c
- Fix make lint
- Fix memcpy len checks stun_is_challenge_response_str
- Fix memleak in pgsql_reread_realms
- Fix memory leak in netengine.c
- Fix memory leak in rfc5769check.c
- Fix memory leak on http_server.c
- Fix mingw build
- Fix missing strncpy in fix_stun_check_message_integrity_str
- Fix msvc analyzer error on goto label on rfc5769check
- Fix nodejs/glibc problem with old container images.
- Fix no-tls warning typo
- Fix potential null passed to function expecting nonnull
- Fix recursive call in delete alternate server
- Fix return correct error code for `create_relay_connection` in case of `RESERVATION-TOKEN` failure
- Fix rpm version scripts
- Fix run cmake.yml in any github action
- Fix typos
- Fix ubuntu 16 build with GH action checkout version to v3
- Implement custom prometheus http handler
- Include what you use
- Install openssl-1.1.1 on amazonlinux:2 instead of openssl-1.0.1
- malloc now allocates space for string terminator
- Memset user_db before reading conf file, not after
- Missing session ID in coturn logs for denied IP - 1330
- Move the hiredis_libevent2 code from common to relay
- Only set MHD_USE_DUAL_STACK if IPv6 is available
- Print version only, no extra lines
- Reduce ifdefs in code: TURN_NO_PROMETHEUS
- Refactor: peer_input_handle
- Reformat code
- Remove unimplemented test folder reference from CMakeLists.txt
- Replace HeapAlloc with malloc
- Replace srand/rand with srandom/random
- Return a 400 response to HTTP requests
- Run all of the CI except for Docker builds on any change
- Simplify macOS detection macros
- Simplify workflow for codeql
- strncpy doesn't return size_t
- ubuntu build dependencies extracted to composite actions
- Update FlowChart
- Update libtelnet
- Update lukka/run
- Update SQLite.md
- Update turnserver.conf Example about listening-ip
- Update turnserver.spec
- Update version in vcpkg.json
- Use active CPU number instead of total number
- Use bool, instead of int, for the functions in ns_turn_msg.c
- Use bool over int for the turnutils_uclient program
- Use calloc where appropriate, avoid memset when normal buffer initialization works
- Windows: Only attempt to bind when the network interface is up
- workflow tidying

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected coturn, coturn-devel and / or coturn-utils packages.

See Also

https://bugzilla.suse.com/1255744

https://bugzilla.suse.com/1258847

https://www.suse.com/security/cve/CVE-2025-69217

https://www.suse.com/security/cve/CVE-2026-27624

Plugin Details

Severity: Medium

ID: 324885

File Name: openSUSE-2026-21184-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/2/2026

Updated: 7/2/2026

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.19

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-27624

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:coturn, p-cpe:/a:novell:opensuse:coturn-devel, p-cpe:/a:novell:opensuse:coturn-utils, cpe:/o:novell:opensuse:16.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 12/30/2025

Reference Information

CVE: CVE-2025-69217, CVE-2026-27624