On 10/22/2015 10:10 AM, miniupnp wrote:
> Hello,
>
> as you may have noticed, the vulnerability has already been fixed.
> Changelog.txt entry is :
> /2015/09/15://
> // Fix buffer overflow in igd_desc_parse.c/IGDstartelt()//
> // Discovered by Aleksandar Nikolic of Cisco Talos//
> /
> The last source code releases on http://miniupnp.free.fr/files/ :
> miniupnpc-1.9.20150917.tar.gz
> miniupnpc-1.9.20151008.tar.gz
> are both fixed.
>
> all previous releases are vulnerable.
>
> Regards,
>
> Thomas

Hi Thomas,

As you know, we need a minimal fix backported for the current version in
Debian Stable. Could you send a patch for that version? The version in
Jessie is: 1.9.20140610. I can upgrade the Sid/Testing version to the last
upstream release though.

Cheers,

Thomas Goirand (zigo)