
HotFix: for 3 Vulnerabilities

For more details see:
- CVE-2018-4056 - coTURN Administrator Web Portal SQL injection vulnerability
- CVE-2018-4058 - coTURN TURN server unsafe loopback forwarding default configuration vulnerability
- CVE-2018-4059 - coTURN server unsafe telnet admin portal default configuration vulnerability

These patches hotfix the 3 CVEs above.
* Disable-Web-admin-interface-due-Security-Vulnerability.patch
It disables the hardcoded web admin interface until 4.5.1.0, where it will be fixed correctly.
* Disable-loopback-peers-due-Vulnerability.patch
Disables loopback-peer functionality by default.
* empty-cli-password-not-allowed-disable-telnet-cli.patch
Disables the telnet CLI if the cli-password is empty.
Mészáros Mihály 7 years ago
parent
commit
96adc66385
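The three patches below hard-wire mitigations into the binary, but a deployment can also be checked at the configuration level. The following script is an added example, not code from coturn or from this commit: it parses a turnserver.conf and reports which of the three mitigations is missing. The option names it looks for (no-loopback-peers, no-cli, cli-password, web-admin) are assumed to be the turnserver.conf spellings of the corresponding settings and are not taken from this page; the sample configurations are constructed for the example.

```python
"""Audit a coturn turnserver.conf against the three mitigations in the hotfix.

Added example, not coturn's own code. Option names (no-loopback-peers, no-cli,
cli-password, web-admin) are assumed turnserver.conf spellings; the sample
configurations at the bottom are constructed for this example.
"""


def parse_turnserver_conf(text):
    """Parse turnserver.conf text into a dict.

    The format is one option per line: either ``key=value`` or a bare ``key``
    flag. Bare flags map to True; blank lines and lines starting with '#'
    are ignored.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        options[key.strip()] = value.strip() if sep else True
    return options


def audit_turnserver_conf(text):
    """Return finding codes for each hotfix mitigation that is not in place.

    - 'loopback-peers'     : CVE-2018-4058, no-loopback-peers is not set
    - 'empty-cli-password' : CVE-2018-4059, telnet CLI enabled with no password
    - 'web-admin'          : CVE-2018-4056, web admin interface is turned on
    """
    options = parse_turnserver_conf(text)
    findings = []

    # CVE-2018-4058: relaying to loopback addresses must be explicitly denied.
    if "no-loopback-peers" not in options:
        findings.append("loopback-peers")

    # CVE-2018-4059: the telnet CLI is only acceptable when it is switched off
    # or protected by a non-empty password. A bare 'cli-password' line parses
    # to True, which also means "no value given".
    cli_password = options.get("cli-password", "")
    if cli_password is True:
        cli_password = ""
    if "no-cli" not in options and not cli_password.strip():
        findings.append("empty-cli-password")

    # CVE-2018-4056: the web admin portal should stay off until a build that
    # carries the proper fix (assumption: 'web-admin' is the enabling option).
    if "web-admin" in options:
        findings.append("web-admin")

    return findings


# Constructed sample resembling a pre-hotfix default configuration.
WEAK_CONF = """\
# constructed example, not a real deployment
listening-port=3478
cli-ip=127.0.0.1
cli-port=5766
cli-password=
"""

# Constructed sample with the three mitigations applied.
HARDENED_CONF = """\
listening-port=3478
no-loopback-peers
no-cli
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_turnserver_conf(conf) or "OK")
```

Run it against the constructed samples and the weak configuration reports `loopback-peers` and `empty-cli-password`, while the hardened one reports nothing; pointing it at a real file is a matter of reading the file into a string first. Because the check is keyed on option names, it reflects what the operator configured, whereas the patches above enforce the same outcome regardless of configuration.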

+ 25 - 0
debian/patches/0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch

@@ -0,0 +1,25 @@
+From: =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?= <[email protected]>
+Date: Thu, 10 Jan 2019 09:58:18 +0100
+Subject: Disable Web admin interface due Security Vulnerability.
+
+---
+ src/server/ns_turn_server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
+index 791d207..e4a4476 100644
+--- a/src/server/ns_turn_server.c
++++ b/src/server/ns_turn_server.c
+@@ -4534,6 +4534,12 @@ static int read_client_connection(turn_turnserver *server,
+ 		SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
+ 		if(is_stream_socket(st)) {
+ 			if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
++
++				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,  "HTTPS connection has been disabled due Vulnerability in the Web interface !!!\n", __FUNCTION__);
++				ss->to_be_closed = 1;
++				return 0;
++
++
+ 				const char *proto = "HTTP";
+ 				ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
+ 				if(st==TLS_SOCKET) {
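Review bot: the added TURN_LOG_FUNC call passes `__FUNCTION__` as a vararg but the format string contains no `%s` to consume it, so the argument is silently dropped; either prefix the format with `%s: ` or remove the argument. The unconditional `return 0` after `ss->to_be_closed = 1` also makes the original `const char *proto = "HTTP";` ... `if(st==TLS_SOCKET)` block unreachable, which is acceptable for a hotfix but deserves a comment saying the dead path is intentional until 4.5.1.0, so nobody "fixes" it by removing the early return. Consider logging at WARNING rather than INFO: a blocked admin-interface connection is an event operators may want to alert on, and INFO is easily filtered out.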

+ 21 - 0
debian/patches/0002-Disable-loopback-peers-due-Vulnerability.patch

@@ -0,0 +1,21 @@
+From: =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?= <[email protected]>
+Date: Thu, 10 Jan 2019 10:00:36 +0100
+Subject: Disable loopback peers due Vulnerability.
+
+---
+ src/apps/relay/mainrelay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
+index 28a9152..7f24c8c 100644
+--- a/src/apps/relay/mainrelay.c
++++ b/src/apps/relay/mainrelay.c
+@@ -113,7 +113,7 @@ DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1,
+ NEV_UNKNOWN, 
+ { "Unknown", "UDP listening socket per session", "UDP thread per network endpoint", "UDP thread per CPU core" },
+ //////////////// Relay servers //////////////////////////////////
+-LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"",
++LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,1,"",
+ 0,NULL,0,NULL,DEFAULT_GENERAL_RELAY_SERVERS_NUMBER,0,
+ ////////////// Auth server /////////////////////////////////////
+ "","",0,
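Review bot: the change flips one positional field of a large brace-initialized struct from 0 to 1 with no comment, so a reader of the diff cannot tell which option changed; the commit message says this disables loopback peers by default, so add a trailing comment on the modified line naming the struct field it corresponds to, and record the new default in the package changelog, since operators who relied on relaying to loopback peers will see a behaviour change without having edited their configuration.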

+ 25 - 0
debian/patches/0003-empty-cli-password-not-allowed-disable-telnet-cli.patch

@@ -0,0 +1,25 @@
+From: =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?= <[email protected]>
+Date: Thu, 14 Dec 2017 13:01:56 +0100
+Subject: empty cli-password not allowed=>disable telnet cli
+
+Adds a warning to set a cli-password and disable telnet cli interface.
+---
+ src/apps/relay/mainrelay.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
+index 7f24c8c..2e57217 100644
+--- a/src/apps/relay/mainrelay.c
++++ b/src/apps/relay/mainrelay.c
+@@ -1977,6 +1977,11 @@ int main(int argc, char **argv)
+ 		exit(-1);
+ 	}
+ 
++	if(cli_password[0]==0) {
++		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!\n");
++		use_cli = 0;
++	}
++
+ 	if(!use_lt_credentials && !anon_credentials) {
+ 		if(turn_params.default_users_db.ram_db.users_number) {
+ 			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: you specified long-term user accounts, (-u option) \n	but you did not specify the long-term credentials option\n	(-a or --lt-cred-mech option).\n 	I am turning --lt-cred-mech ON for you, but double-check your configuration.\n");
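Review bot: `cli_password[0]==0` only catches a completely empty string; a password made of whitespace or a single placeholder character passes, so consider trimming and enforcing a minimum length. The hunk is inserted after the preceding `exit(-1)` check, but the diff does not show whether `cli_password` can still be set by a later option source (for example a configuration file parsed after this point); confirm the check runs once all sources have been applied, otherwise a valid config-file password could be ignored and the CLI disabled by mistake. The message text says "CONFIG ERROR" while the server continues to start with `use_cli = 0`; wording it as a warning that states the effect (telnet CLI disabled) would match the actual behaviour better than the ERROR log level suggests.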

+ 3 - 0
debian/patches/series

@@ -0,0 +1,3 @@
+0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch
+0002-Disable-loopback-peers-due-Vulnerability.patch
+0003-empty-cli-password-not-allowed-disable-telnet-cli.patch
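Review bot: the series order is consistent with the blob ids in the patches (0002 takes mainrelay.c from 28a9152 to 7f24c8c and 0003 starts from 7f24c8c), which also means 0003 will fail to apply if 0002 is ever dropped or reordered; note this dependency in the patch headers, or fold 0002 and 0003 into one patch since both touch the same file.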