Register | Log in

pupnp-1.8

Choose email to subscribe with

general

source: pupnp-1.8 (main)
version: 1:1.8.4-2
maintainer: James Cowgill (DMD)
arch: all any
std-ver: 4.2.1
VCS: Git (Browse)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:1.8.4-2
oldstable: 1:1.8.4-2
stable: 1:1.8.4-2

versioned links

1:1.8.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libixml10
libupnp-dev
libupnp-doc
libupnp13

package is gone

This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.

action needed

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

Created: 2022-07-04 Last update: 2023-07-20 18:00

4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:

CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

Created: 2023-06-11 Last update: 2023-06-11 06:30

4 low-priority security issues in bullseye low

There are 4 open security issues in bullseye.

4 issues left for the package maintainer to handle:

CVE-2020-12695: (needs triaging) The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: (needs triaging) Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: (needs triaging) A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: (needs triaging) The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-07-29 00:00

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:

CVE-2020-12695: (needs triaging) The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: (needs triaging) Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: (needs triaging) A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: (needs triaging) The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2023-07-29 00:00

news

[2023-07-28] Removed 1:1.8.4-2 from unstable (Debian FTP Masters)
[2023-07-21] pupnp-1.8 REMOVED from testing (Debian testing watch)
[2018-11-08] pupnp-1.8 1:1.8.4-2 MIGRATED to testing (Debian testing watch)
[2018-11-05] Accepted pupnp-1.8 1:1.8.4-2 (source) into unstable (James Cowgill)
[2018-10-27] Accepted pupnp-1.8 1:1.8.4-1 (source) into experimental (James Cowgill)
[2017-12-27] Accepted pupnp-1.8 1:1.8.3-3 (source amd64 all) into experimental, experimental (James Cowgill)
[2017-12-23] Accepted pupnp-1.8 1:1.8.3-2 (source) into experimental (James Cowgill)
[2017-11-21] Accepted pupnp-1.8 1:1.8.3-1 (source) into experimental (James Cowgill)
[2017-09-29] pupnp-1.8 1:1.8.2-3 MIGRATED to testing (Debian testing watch)
[2017-09-23] Accepted pupnp-1.8 1:1.8.2-3 (source) into unstable (James Cowgill)
[2017-09-04] pupnp-1.8 1:1.8.2-2 MIGRATED to testing (Debian testing watch)
[2017-08-29] Accepted pupnp-1.8 1:1.8.2-2 (source) into unstable (James Cowgill)
[2017-08-28] Accepted pupnp-1.8 1:1.8.2-1 (source amd64 all) into unstable, unstable (James Cowgill)
[2017-06-20] pupnp-1.8 1:1.8.1-1 MIGRATED to testing (Debian testing watch)
[2017-05-26] Accepted pupnp-1.8 1:1.8.1-1 (source) into unstable (James Cowgill)
[2017-04-10] Accepted pupnp-1.8 1:1.8.0-3 (source) into unstable (James Cowgill)
[2017-04-05] Accepted pupnp-1.8 1:1.8.0-2 (source) into unstable (James Cowgill)
[2017-04-04] Accepted pupnp-1.8 1:1.8.0-1 (source amd64 all) into unstable, unstable (James Cowgill)

bugs [bug history graph]

all: 0

links

homepage
buildd: logs, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing