Summary: | <net-libs/libupnpp-0.19.4: CallStranger vulnerability (CVE-2020-12695) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | stasibear |
Priority: | Normal | Flags: | nattka: sanity-check- |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | net-libs/libupnpp-0.19.4 * |
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 729302 |
Description
Sam James
2020-06-27 20:57:26 UTC
Please bump to 0.19.2.

Ping.

Please let us know if you're unable to patch this right now.

A few newer versions are in tree now, can we stabilize any of them?

The stable version currently depends on a vulnerable libupnp and blocks its cleanup for bug 727170.

Sanity check failed:
> net-libs/libupnpp-0.19.4
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> net-libs/libnpupnp
> depend amd64 stable profile default/linux/amd64/17.1 (14 total)
> net-libs/libnpupnp
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> net-libs/libnpupnp
> rdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
> net-libs/libnpupnp
Unable to check for sanity:
> no match for package: net-libs/libupnpp-0.19.4
I've stabilized the newer version that doesn't have problematic dependency.

Sorry this wasn't on my radar at all. I missed a lot of emails from earlier in the year, and I see that security bugs aren't assigned to the maintainer.

(In reply to Erik Mackdanz from comment #6)
> I've stabilized the newer version that doesn't have problematic dependency.
>
> Sorry this wasn't on my radar at all. I missed a lot of emails from earlier
> in the year, and I see that security bugs aren't assigned to the maintainer.

No worries! In case you missed this too, there's a new way to check these things: https://packages.gentoo.org/maintainer/stasibear@gentoo.org/security

Unable to check for sanity:
> no match for package: net-libs/libupnpp-0.19.4
Super, I've got that bookmarked, thanks.

Unable to check for sanity:
> no match for package: net-libs/libupnpp-0.19.4
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9e63e733a8923dd407353df0c0ad852cf13b5ad

commit c9e63e733a8923dd407353df0c0ad852cf13b5ad
Author: Erik Mackdanz <stasibear@gentoo.org>
AuthorDate: 2021-08-03 21:03:09 +0000
Commit: Erik Mackdanz <stasibear@gentoo.org>
CommitDate: 2021-08-03 21:03:09 +0000

    net-libs/libupnpp: bump to 0.21.0

    Closes: https://bugs.gentoo.org/729946
    Signed-off-by: Erik Mackdanz <stasibear@gentoo.org>
    Package-Manager: Portage-3.0.20, Repoman-3.0.3

 net-libs/libupnpp/Manifest | 1 +
 net-libs/libupnpp/libupnpp-0.21.0.ebuild | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

No, please don't close security bugs with Closes: tags. We can noglsa this one anyway though.

All done!