forked from coturn/coturn
Showing 1 changed file with 37 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,41 @@ | ||
27/09/2018 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]> | ||
Version 4.5.0.9 'dan Eider': | ||
Version 4.5.1.0 'dan Eider': | ||
Consider to change config file after upgrade, because it contains not backward compatible breaking changes! | ||
- Security fixes | ||
Many thanks to Nicolas Edet (Cisco) who reported all of the following issues!! | ||
* DB/SQL injection in stun realm. Fix: add extra string validation. | ||
* DB/SQL injection in web-admin interface lack of admin user validation. | ||
Fix: add extra string validation. | ||
* Fix for earlier unsafe default settings: | ||
o HTTPS administrator interface should be disabled by default | ||
It could be enbled with "web-admin" option. | ||
o Default configuration allowed earlier forwarding traffic | ||
from an external interface to loopback interface. Now it | ||
has been changed and option name is also changed! | ||
|
||
!!BREAKING change!! Don't forget to change config!! | ||
"no-loopback-peers" replaced by "allow-loopback-peers" | ||
|
||
o Unauthenticated telnet admin interface runs on the | ||
loopback interface, which can be accessed by exploiting the | ||
loopback relay that was enabled by default. | ||
- Admin portal does not list TCP session ( reported and fixed by Nicolas Edet ) | ||
- Fix memory leak in read_config_file (by Thibaut Ackermann) | ||
- Add a release helper script. | ||
- Web Admin interface use own listener (it is disableb by default) | ||
|
||
!!BREAKING change!! Don't forget to change/review config!! | ||
|
||
* Add new option "web-admin-ip" to set listener ip. By default (127.0.0.1) | ||
* Add new option "web-admin-port" to set webadmin listen port | ||
* Add new option "web-admin-listen-on-workers" to change back to earlier | ||
behaviour and listen web admin on all worker processes and ports. | ||
- Not allow to start server if "allow-loopback-peers" set without "cli-password" | ||
|
||
!!BREAKING change!! Don't forget to change config!! | ||
|
||
Added a warning if cli-password is empty or missing, but allow-loopback-peers | ||
set, and so loopback allocation is enalbed. | ||
|
||
27/09/2018 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]> | ||
Version 4.5.0.8 'dan Eider': | ||
|
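Review bot: The entry "Not allow to start server if "allow-loopback-peers" set without "cli-password"" near the end of the new 4.5.1.0 section is contradicted by the sentence under it, "Added a warning if cli-password is empty or missing, but allow-loopback-peers set", so an operator cannot tell whether the server refuses to start or only logs a warning; state which of the two this release does, since that decides whether an upgraded deployment comes back up. The line "no-loopback-peers" replaced by "allow-loopback-peers" would also benefit from one sentence on how a config that still contains the old option name is treated, because the same section ties the loopback relay to reachability of the unauthenticated telnet admin interface. Spelling to fix in the added lines: "enbled", "disableb", "enalbed".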