From ${URL} : A heap buffer overflow vulnerability was found in libupnp. This vulnerability might allow for a wide range of impacts, from denial of service to remote code execution. Upstream bug: https://sourceforge.net/p/pupnp/bugs/133/ CVE assignment: http://seclists.org/oss-sec/2016/q4/200 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
This is fixed in 1.6.21 and also #589136 if you haven't stabled that yet. Ready for stable as the patch is small.
(In reply to Ian Whyman (thev00d00) from comment #1)
> This is fixed in 1.6.21 and also #589136 if you haven't stabled that yet.

Sorry, I don't understand your reference to bug 589136. CVE-2016-8863 is not addressed in that bug, and the version we call stable in bug 589136 (v1.6.20) does not include the fix.

@Arches, please test and mark stable: =net-libs/libupnp-1.6.21
@Thomas To clarify I meant that if an arch has yet to stabilise 1.6.20 they can just jump to 1.6.21 as it includes both fixes - meaning they can "kill 2 birds with one stone" so to speak.
amd64 stable
x86 stable
sparc stable
arm stable
Stable for HPPA.
ppc stable
Stable on alpha.
ppc64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
GLSA request filed.
This issue was resolved and addressed in GLSA 201701-52 at https://security.gentoo.org/glsa/201701-52 by GLSA coordinator Aaron Bauman (b-man). @maintainer(s), please clean up.
Old versions dropped from tree. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6aa2e769e864701c8cc7d5953ae4819f2aca985
(In reply to Ian Whyman (thev00d00) from comment #14)
> Old versions dropped from tree.
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6aa2e769e864701c8cc7d5953ae4819f2aca985

Thank you!