Mageia 2020-0483: minidlna security update | LinuxSecurity.com

What Are You Looking For?

Popular Tags

Contribute
MGASA-2020-0483 - Updated minidlna packages fix security vulnerabilities

Publication date: 31 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0483.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-12695,
     CVE-2020-28926

It was discovered that minidlna does not forbid the acceptance of a
subscription request with a delivery URL on a different network segment than
the fully qualified event-subscription URL, aka the CallStranger issue
(CVE-2020-12695).

Minidlna before versions 1.3.0 allows remote code execution. Sending a
malicious UPnP HTTP request to the miniDLNA service using HTTP chunked
encoding can lead to a signedness bug resulting in a buffer overflow in calls
to memcpy/memmove (CVE-2020-28926).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27755
- https://www.debian.org/security/2020/dsa-4806
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28926

SRPMS:
- 7/core/minidlna-1.2.1-3.1.mga7

Mageia 2020-0483: minidlna security update

It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscript...

Summary

It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).
Minidlna before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).

References

- https://bugs.mageia.org/show_bug.cgi?id=27755

- https://www.debian.org/security/2020/dsa-4806

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28926

Resolution

MGASA-2020-0483 - Updated minidlna packages fix security vulnerabilities

SRPMS

- 7/core/minidlna-1.2.1-3.1.mga7

Severity
Publication date: 31 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0483.html
Type: security
CVE: CVE-2020-12695, CVE-2020-28926

News

Advisories

HOWTOs

Features

A Complete Guide to Security Automation & Reporting Using Open Source Tools
How to Check if Your Linux System is Infected with a Virus
Security Considerations for Azure Linux & Windows Subsystem for Linux Users
Admins Receive Automated Linux Patch Management & Improved Security with ManageEngine Endpoint Central
Linux Malware: The Truth About This Growing Threat [Updated]

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy