pupnp-1.8 - Debian Package Tracker

general

source: pupnp-1.8 (main)
version: 1:1.8.4-2
maintainer: James Cowgill (DMD)
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1:1.8.4-2
stable: 1:1.8.4-2
testing: 1:1.8.4-2
unstable: 1:1.8.4-2

versioned links

1:1.8.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libixml10
libupnp-dev
libupnp-doc
libupnp13 (3 bugs: 1, 2, 0, 0)

action needed

A new upstream version is available: 1.14.5 high

A new upstream version 1.14.5 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2021-09-25 15:03

Multiarch hinter reports 1 issue(s) high

There are issues with the multiarch metadata for this package.

libupnp-dev conflicts on /usr/include/upnp/upnpconfig.h on armel, armhf, i386, mipsel <-> amd64, arm64, mips64el, and 2 more

Created: 2018-11-06 Last update: 2021-09-25 13:30

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

Created: 2021-02-19 Last update: 2021-08-15 00:00

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

Created: 2021-08-15 Last update: 2021-08-15 00:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2021-08-14 Last update: 2021-09-25 19:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:1.8.4-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 8a610cb462363c39472cff5b76eb24c395834920
Author: James Cowgill <jcowgill@debian.org>
Date:   Mon Nov 12 18:08:46 2018 +0000

    d/tests: Replace ADTTMP with AUTOPKGTEST_TMP

commit 7b9a8e6ea4e4fb67b3775585ad4b5c41351b6cfe
Author: James Cowgill <jcowgill@debian.org>
Date:   Mon Nov 12 22:48:38 2018 +0000

    d/control: Drop Multi-Arch: same from libupnp-dev
    
    The file "upnpconfig.h" differs between 32-bit and 64-bit architectures.

commit b18310196f659876ad7688f65e73def988a0b783
Author: James Cowgill <jcowgill@debian.org>
Date:   Mon Nov 12 17:51:54 2018 +0000

    d/changelog: New entry

Created: 2018-11-15 Last update: 2021-09-20 05:42

4 low-priority security issues in buster low

There are 4 open security issues in buster.

4 issues left for the package maintainer to handle:

CVE-2020-12695: (needs triaging) The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: (needs triaging) Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: (needs triaging) A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: (needs triaging) The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-08-15 00:00

4 low-priority security issues in bullseye low

There are 4 open security issues in bullseye.

4 issues left for the package maintainer to handle:

CVE-2020-12695: (needs triaging) The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVE-2020-13848: (needs triaging) Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2021-28302: (needs triaging) A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
CVE-2021-29462: (needs triaging) The Portable SDK for UPnP Devices is an SDK for development of UPnP device and control point applications. The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS revolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2021-08-15 00:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2021-08-18 14:02

news

[rss feed]

[2018-11-08] pupnp-1.8 1:1.8.4-2 MIGRATED to testing (Debian testing watch)
[2018-11-05] Accepted pupnp-1.8 1:1.8.4-2 (source) into unstable (James Cowgill)
[2018-10-27] Accepted pupnp-1.8 1:1.8.4-1 (source) into experimental (James Cowgill)
[2017-12-27] Accepted pupnp-1.8 1:1.8.3-3 (source amd64 all) into experimental, experimental (James Cowgill)
[2017-12-23] Accepted pupnp-1.8 1:1.8.3-2 (source) into experimental (James Cowgill)
[2017-11-21] Accepted pupnp-1.8 1:1.8.3-1 (source) into experimental (James Cowgill)
[2017-09-29] pupnp-1.8 1:1.8.2-3 MIGRATED to testing (Debian testing watch)
[2017-09-23] Accepted pupnp-1.8 1:1.8.2-3 (source) into unstable (James Cowgill)
[2017-09-04] pupnp-1.8 1:1.8.2-2 MIGRATED to testing (Debian testing watch)
[2017-08-29] Accepted pupnp-1.8 1:1.8.2-2 (source) into unstable (James Cowgill)
[2017-08-28] Accepted pupnp-1.8 1:1.8.2-1 (source amd64 all) into unstable, unstable (James Cowgill)
[2017-06-20] pupnp-1.8 1:1.8.1-1 MIGRATED to testing (Debian testing watch)
[2017-05-26] Accepted pupnp-1.8 1:1.8.1-1 (source) into unstable (James Cowgill)
[2017-04-10] Accepted pupnp-1.8 1:1.8.0-3 (source) into unstable (James Cowgill)
[2017-04-05] Accepted pupnp-1.8 1:1.8.0-2 (source) into unstable (James Cowgill)
[2017-04-04] Accepted pupnp-1.8 1:1.8.0-1 (source amd64 all) into unstable, unstable (James Cowgill)

bugs [bug history graph]

all: 6 7
RC: 1
I&N: 5 6
M&W: 0
F&P: 0
patch: 1

links

homepage
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:1.8.4-2ubuntu2
patches for 1:1.8.4-2ubuntu2