MGASA-2020-0483 - Updated minidlna packages fix security vulnerabilities

Publication date: 31 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0483.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-12695, CVE-2020-28926

It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).

Minidlna before version 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27755
- https://www.debian.org/security/2020/dsa-4806
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28926

SRPMS:
- 7/core/minidlna-1.2.1-3.1.mga7
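The two flaws above correspond to two checks a UPnP server has to make on inbound requests. The C program below is an added illustration written for this page; it is not minidlna's code and not the fix shipped in the package above. It refuses a SUBSCRIBE callback whose IPv4 host lies outside the subnet of the interface the request arrived on (the CallStranger class), and it decodes a chunked HTTP body with the chunk size held as an unsigned size_t, rejecting non-hex or oversized sizes before any memcpy (the signedness class). The function names, the interface address and mask, and the sample request body are constructed for this example.

```c
/* Added illustration, not minidlna's code: the two checks the advisory's
 * flaws call for. Function names, addresses and the request body below
 * are constructed for this example. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- CallStranger class (CVE-2020-12695): callback must be on-segment ---- */

/* Copy the host part of "http://host[:port]/path" into buf.
 * Returns 0 on success, -1 if the URL is malformed or the host too long. */
static int callback_host(const char *url, char *buf, size_t cap)
{
    if (strncmp(url, "http://", 7) != 0) return -1;
    const char *p = url + 7;
    size_t n = strcspn(p, ":/");            /* host ends at port or path */
    if (n == 0 || n >= cap) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Return 1 if the callback host is an IPv4 literal inside the subnet of the
 * interface the SUBSCRIBE arrived on, 0 otherwise. Hostnames are refused
 * (a policy choice in this example) so DNS cannot redirect the target. */
int callback_on_same_segment(const char *callback_url,
                             const char *iface_addr, const char *iface_mask)
{
    char host[64];
    struct in_addr cb, ifa, mask;
    if (callback_host(callback_url, host, sizeof host) != 0) return 0;
    if (inet_pton(AF_INET, host, &cb) != 1) return 0;
    if (inet_pton(AF_INET, iface_addr, &ifa) != 1) return 0;
    if (inet_pton(AF_INET, iface_mask, &mask) != 1) return 0;
    return (cb.s_addr & mask.s_addr) == (ifa.s_addr & mask.s_addr);
}

/* ---- Signedness class (CVE-2020-28926): chunk sizes stay unsigned ---- */

/* Parse one chunk-size line such as "1f;ext\r\n". Only hex digits are
 * accepted, so "-5" (which strtoul would quietly turn into a huge value)
 * is rejected, and the size must fit in the `avail` input bytes that
 * follow. Returns the bytes consumed by the size line, or 0 on error. */
size_t parse_chunk_size(const char *p, size_t avail, size_t *size_out)
{
    size_t i = 0, n = 0;
    while (i < avail && isxdigit((unsigned char)p[i])) {
        unsigned c = (unsigned char)p[i];
        unsigned d = isdigit(c) ? c - '0' : (unsigned)(tolower(c) - 'a' + 10);
        if (n > (SIZE_MAX >> 4)) return 0;   /* next digit would overflow */
        n = (n << 4) | d;
        i++;
    }
    if (i == 0) return 0;                    /* no digits: "", "-5", ";" */
    while (i < avail && p[i] != '\r') i++;   /* skip any chunk extension */
    if (i + 1 >= avail || p[i + 1] != '\n') return 0;
    i += 2;
    if (n > avail - i) return 0;             /* size exceeds input present */
    *size_out = n;
    return i;
}

/* De-chunk `in` into `out`. Each memcpy is preceded by a bound check on
 * both remaining input and remaining output capacity.
 * Returns the decoded length, or (size_t)-1 on malformed input. */
size_t decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t pos = 0, written = 0, sz, hdr;
    for (;;) {
        hdr = parse_chunk_size(in + pos, in_len - pos, &sz);
        if (hdr == 0) return (size_t)-1;
        pos += hdr;
        if (sz == 0) return written;         /* last-chunk reached */
        if (sz > out_cap - written) return (size_t)-1;
        if (in_len - pos < sz + 2 || in[pos + sz] != '\r' || in[pos + sz + 1] != '\n')
            return (size_t)-1;
        memcpy(out + written, in + pos, sz);
        written += sz;
        pos += sz + 2;                       /* data plus its CRLF */
    }
}

int main(void)
{
    const char body[] = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"; /* constructed */
    char out[64];
    size_t n = decode_chunked(body, sizeof body - 1, out, sizeof out);
    printf("on-segment callback accepted: %d, off-segment rejected: %d\n",
           callback_on_same_segment("http://192.168.1.50:8080/notify",
                                    "192.168.1.10", "255.255.255.0"),
           !callback_on_same_segment("http://203.0.113.5/notify",
                                     "192.168.1.10", "255.255.255.0"));
    printf("decoded %zu bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The subnet test is a deliberate simplification: a real server would take the interface address and mask from the socket the SUBSCRIBE arrived on rather than from string arguments. The chunk parser shows the point the advisory makes about signedness: the size is never held in a signed type, a leading minus sign fails the digit check rather than being accepted, and the size is compared against the bytes actually present before it reaches memcpy.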