Your message dated Sat, 12 Dec 2020 20:32:08 +0000
with message-id <[email protected]>
and subject line Bug#976595: fixed in minidlna 1.2.1+dfsg-2+deb10u1
has caused the Debian Bug report #976595,
regarding minidlna: CVE-2020-28926
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
976595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976595
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: minidlna
Version: 1.2.1+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.2.1+dfsg-1
Hi,
The following vulnerability was published for minidlna.
CVE-2020-28926[0]:
| ReadyMedia (aka MiniDLNA) before version 1.3.0 allows remote code
| execution. Sending a malicious UPnP HTTP request to the miniDLNA
| service using HTTP chunked encoding can lead to a signedness bug
| resulting in a buffer overflow in calls to memcpy/memmove.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-28926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28926
[1] https://sourceforge.net/p/minidlna/git/ci/9fba41008adebc1da0f4f6c6e27ae422ace3fe4a
Regards,
Salvatore
--- End Message ---
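As an added example (not minidlna's code and not the Debian patch), the following shows the signedness pattern the advisory describes, a chunk size parsed into a signed int and compared only against the buffer size, beside a hardened chunk-length parser; the function names, the 16-byte target buffer and the sample chunk-size lines are constructed.

```c
/* Added example, not minidlna's code or the Debian patch: the signed
 * chunk-length check beside a hardened one. Names and sizes are constructed. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern: a hex size kept in a signed int and compared only against
 * the buffer size, so a negative size such as "-10" (-16) is accepted. */
static int chunk_fits_signed(const char *hdr, size_t bufsz)
{
    int len = (int)strtol(hdr, NULL, 16);
    return len <= (int)bufsz;
}

/* Hardened: unsigned parse that rejects a sign or whitespace (strtoul would
 * accept them), non-hex input, overflow, trailing junk and oversize chunks. */
static int parse_chunk_len(const char *hdr, size_t avail, size_t *out)
{
    char *end;
    if (!isxdigit((unsigned char)*hdr))
        return 0;
    errno = 0;
    unsigned long v = strtoul(hdr, &end, 16);
    if (errno == ERANGE || (*end != '\r' && *end != ';' && *end != '\0'))
        return 0;
    if (v > avail)
        return 0;
    *out = (size_t)v;
    return 1;
}

/* Copy one chunk body into dst only after its size has been validated. */
static int append_chunk(const char *hdr, const char *body,
                        char *dst, size_t dstsz, size_t *used)
{
    size_t len;
    if (*used > dstsz || !parse_chunk_len(hdr, dstsz - *used, &len))
        return 0;
    memcpy(dst + *used, body, len);
    *used += len;
    return 1;
}
int main(void)
{
    char dst[16]; size_t used = 0;        /* constructed 16-byte target */
    printf("signed check accepts -10: %d\n", chunk_fits_signed("-10\r\n", sizeof dst));
    printf("hardened accepts -10:     %d\n", append_chunk("-10\r\n", "", dst, sizeof dst, &used));
    printf("hardened accepts 5:       %d\n", append_chunk("5\r\n", "hello", dst, sizeof dst, &used));
    return 0;
}
```

The hardened parser checks the size against the space still free in the destination, which is the comparison a negative value slips past in the signed version.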
--- Begin Message ---
Source: minidlna
Source-Version: 1.2.1+dfsg-2+deb10u1
Done: Alexander GQ Gerasiov <[email protected]>
We believe that the bug you reported is fixed in the latest version of
minidlna, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander GQ Gerasiov <[email protected]> (supplier of updated minidlna package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 05 Dec 2020 20:21:18 +0300
Source: minidlna
Binary: minidlna minidlna-dbgsym
Architecture: source amd64
Version: 1.2.1+dfsg-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Alexander GQ Gerasiov <[email protected]>
Changed-By: Alexander GQ Gerasiov <[email protected]>
Description:
minidlna - lightweight DLNA/UPnP-AV server targeted at embedded systems
Closes: 976594 976595
Changes:
minidlna (1.2.1+dfsg-2+deb10u1) buster-security; urgency=high
.
* Add 0011-upnphttp-Disallow-negative-HTTP-chunk-lengths.patch
CVE-2020-28926 (Closes: #976595).
* Add 0012-upnphttp-Validate-SUBSCRIBE-callback-URL.patch
CVE-2020-12695 (Closes: #976594).
--- End Message ---