type: security
subject: Updated minidlna packages fix security vulnerabilities
CVE:
 - CVE-2020-12695
 - CVE-2020-28926
src:
  7:
   core:
     - minidlna-1.2.1-3.1.mga7
description: |
  It was discovered that minidlna does not forbid the acceptance of a
  subscription request with a delivery URL on a different network segment than
  the fully qualified event-subscription URL, aka the CallStranger issue
  (CVE-2020-12695).

  Minidlna before version 1.3.0 allows remote code execution. Sending a
  malicious UPnP HTTP request to the miniDLNA service using HTTP chunked
  encoding can lead to a signedness bug resulting in a buffer overflow in calls
  to memcpy/memmove (CVE-2020-28926).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=27755
 - https://www.debian.org/security/2020/dsa-4806
ID: MGASA-2020-0483