Make coturn only call setgroups when it actually needs to privdrop. In
the nixos module we already run coturn as an unprivileged user, which
means we don't need to provide access to the setgroups syscall in the
first place.

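The privilege-drop pattern the commit above refers to, as an added illustration (this is not coturn's code and not from the nixos module): supplementary groups are only touched when the process really starts as root, each step is checked, and the drop is verified. `drop_privileges` and the `PRIVDROP_*` result codes are hypothetical names.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Which path drop_privileges() took (hypothetical result codes). */
enum privdrop_result {
    PRIVDROP_NOT_NEEDED = 0, /* already unprivileged; setgroups never called */
    PRIVDROP_DONE = 1,       /* started as root, dropped to uid/gid, verified */
    PRIVDROP_FAILED = -1     /* a syscall failed or root could be regained */
};

/* Drop to uid/gid only if the process is currently privileged.
 * When the service manager already started us as the service user,
 * calling setgroups() is pointless and, under a syscall filter such as
 * systemd's SystemCallFilter, would kill the process, so that path makes
 * no group changes at all. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) {
        /* Already unprivileged: just confirm we are the expected user. */
        return (getuid() == uid && getgid() == gid) ? PRIVDROP_NOT_NEEDED
                                                    : PRIVDROP_FAILED;
    }
    /* Order matters: clear groups first, then gid, then uid, checking each. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) {
        perror("privdrop");
        return PRIVDROP_FAILED;
    }
    /* Verify the drop is permanent: a non-root target must not regain root. */
    if (uid != 0 && setuid(0) == 0)
        return PRIVDROP_FAILED;
    return PRIVDROP_DONE;
}

int main(void)
{
    /* Dropping to our own ids exercises whichever path applies. */
    int r = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d\n", r);
    return r == PRIVDROP_FAILED ? 1 : 0;
}
```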
In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation, for which the continued usage of `stdenv.isDarwin` will get in the way.
One example of why this is bad and especially affects compiler packages:
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually, but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
With structuredAttrs, lists will be bash arrays, which cannot be exported,
which will be an issue with some patches and some wrappers like cc-wrapper.
This makes it clearer that NIX_CFLAGS_COMPILE must be a string, as lists
in env cause an eval failure.

Coturn uses SQL databases to store authentication credentials. Most users of coturn are going to expect sqlite support, since that's the default db.
Without this being available during build, the default configure script disables SQLite support, providing a coturn on NixOS that does not behave in the default manner.

Work around build failure on -fno-common toolchains like upstream
gcc-10. Otherwise the build fails as:
```
ld: ...-libprom-0.1.1/include/prom_collector_registry.h:37: multiple definition of
`PROM_COLLECTOR_REGISTRY_DEFAULT'; ...-libprom-0.1.1/include/prom_collector_registry.h:37: first defined here
```

Version 4.5.2 'dan Eider':
- fix null pointer dereference in case of out of memory. (thanks to Thomas Moeller for the report)
- merge PR 517 (by wolmi)
  * add prometheus metrics
- merge PR 637 (by David Florness)
  * Delete trailing whitespace in example configuration files
- merge PR 631 (by Debabrata Deka)
  * Add architecture ppc64le to travis build
- merge PR 627 (by Samuel)
  * Fix misleading option in doc (prometheus)
- merge PR 643 (by tupelo-schneck)
  * Allow RFC6062 TCP relay data to look like TLS
- merge PR 655 (by plinss)
  * Add support for proxy protocol V1
- merge PR 618 (by Paul Wayper)
  * Print full date and time in logs
  * Add new options: "new-log-timestamp" and "new-log-timestamp-format"
- merge PR 599 (by Cédric Krier)
  * Do not use FIPS and remove hardcoded OPENSSL_VERSION_NUMBER with LibreSSL
- update Docker mongoDB and fix with workaround the missing systemctl
- merge PR 660 (by Camden Narzt)
  * fix compilation on macOS Big Sur
- merge PR 546 (by jelmd)
  * Add ACME redirect url
- merge PR 551 (by jelmd)
  * support of --acme-redirect <URL>
- merge PR 672 further acme fixes (by jelmd)
  * fix acme security, redundancy, consistency
- Disable binding request logging to avoid DoS attacks. (Breaking change!)
  * Add new --log-binding option to enable binding request logging
- Fix stale-nonce documentation. Resolves 604
- Version number is changed to semver 2.0
- Merge PR 288 (by Hristo Venev)
  * pkg-config, and various cleanups in configure file
- Add systemd notification for better systemd integration
- Fix Issue 621 (by ycaibb)
  * Fix: Null pointer dereference in tcp_client_input_handler_rfc6062data function
- Fix Issue 600 (by ycaibb)
  * Fix: use-after-free vulnerability in write_to_peerchannel function
- Fix Issue 601 (by ycaibb)
  * Fix: use-after-free vulnerability in write_client_connection function
- Little refactoring of prometheus
  * Fix c++ support
  * Simplify (as agreed in Issue 666)
  * Remove session id/allocation labels
  * Remove per session metrics. We should later add more counters.
- Fix CVE-2020-26262 (credits: Enable-Security)
  * Fix ipv6 ::1 loopback check
  * Do not allow allocating peer address 0.0.0.0/8 and ::/128
  * For more details see the github security advisory:
    https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p

Fixes: CVE-2020-6061, CVE-2020-6062

An exploitable heap overflow vulnerability exists in the way CoTURN
4.5.1.1 web server parses POST requests. A specially crafted HTTP
POST request can lead to information leaks and other misbehavior.
An attacker needs to send an HTTPS request to trigger this vulnerability.

An exploitable denial-of-service vulnerability exists in the way
CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
HTTP POST request can lead to server crash and denial of service.
An attacker needs to send an HTTP request to trigger this vulnerability.

Semi-automatic update. These checks were performed:
- built on NixOS
- ran `/nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7/bin/turnserver -h` got 0 exit code
- ran `/nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7/bin/turnserver -h` and found version 4.5.0.7
- ran `/nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7/bin/turnadmin -h` got 0 exit code
- ran `/nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7/bin/turnadmin --help` got 0 exit code
- ran `/nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7/bin/turnutils_natdiscovery help` got 0 exit code
- found 4.5.0.7 with grep in /nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7
- found 4.5.0.7 in filename of file in /nix/store/70pa0xb505v9glp792ldfq66ifjbrk5i-coturn-4.5.0.7
The old forms presumably predate, or were made in ignorance of,
`let inherit`. This way is better style as the scoping is more lexical,
something which Nix can (or might already!) take advantage of.