Debian Security Advisory

DSA-4829-1 coturn -- security update

Date Reported:
11 Jan 2021
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2020-26262.
More information:

A flaw was discovered in coturn, a TURN and STUN server for VoIP. By default coturn does not allow peers on the loopback addresses (127.x.x.x and ::1). A remote attacker can bypass the protection via a specially crafted request using a peer address of and trick coturn in relaying to the loopback interface. If listening on IPv6 the loopback interface can also be reached by using either [::1] or [::] as the address.

For the stable distribution (buster), this problem has been fixed in version

We recommend that you upgrade your coturn packages.

For the detailed security status of coturn please refer to its security tracker page at: