openSUSE has issued an advisory on December 4: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/A2GHF3UJM6D2JSKELXMJY57IRWK3PJM3/ The issues are fixed upstream in 1.3.0.
Debian has issued an advisory for this on December 7: https://www.debian.org/security/2020/dsa-4806
Status comment: (none) => Patches available from Debian
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated minidlna package fixes security vulnerabilities:

* It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).

* MiniDLNA before version 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).

References:
https://www.debian.org/security/2020/dsa-4806
https://nvd.nist.gov/vuln/detail/CVE-2020-28926
https://nvd.nist.gov/vuln/detail/CVE-2020-12695
========================

Updated packages in core/updates_testing:
========================
minidlna-1.2.1-3.1.mga7

from minidlna-1.2.1-3.1.mga7.src.rpm
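The second item above names the bug class (a chunk length held in a signed type, later handed to memcpy/memmove). As an added illustration that is not MiniDLNA's code and not the upstream fix, this is a hardened chunked-body decoder: every length is a size_t and is checked against both the bytes actually present and the space left in the output before any copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode an HTTP chunked-encoded body into out (example code, not MiniDLNA's).
 * The signedness bug class: a huge declared chunk size parsed into an int
 * reads as negative, passes a "len < remaining" check, then widens to an
 * enormous size_t in memcpy/memmove. Here len is unsigned throughout, the
 * hex parse refuses to wrap, and the copy is bounded by input AND output.
 * Returns bytes written, or -1 on malformed or oversized input. */
static long decode_chunked(const char *in, size_t in_len,
                           char *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    for (;;) {
        size_t len = 0, digits = 0;
        while (ip < in_len) {                    /* hex chunk-size */
            char c = in[ip];
            unsigned d;
            if (c >= '0' && c <= '9')      d = (unsigned)(c - '0');
            else if (c >= 'a' && c <= 'f') d = (unsigned)(c - 'a' + 10);
            else if (c >= 'A' && c <= 'F') d = (unsigned)(c - 'A' + 10);
            else break;
            if (len > (SIZE_MAX >> 4)) return -1; /* would overflow size_t */
            len = (len << 4) | d;
            ip++; digits++;
        }
        if (digits == 0) return -1;
        while (ip < in_len && in[ip] != '\r') ip++;   /* skip ;extension */
        if (in_len - ip < 2 || in[ip + 1] != '\n') return -1;
        ip += 2;
        if (len == 0) return (long)op;           /* terminating chunk */
        /* The two bounds checks the vulnerable pattern lacks: is the
         * declared data (plus its CRLF) really present, and does it fit? */
        if (in_len - ip < 2 || len > in_len - ip - 2) return -1;
        if (len > out_cap - op) return -1;
        memcpy(out + op, in + ip, len);
        op += len; ip += len;
        if (in[ip] != '\r' || in[ip + 1] != '\n') return -1;
        ip += 2;
    }
}
```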
Assignee: jani.valimaa => qa-bugs
CC: (none) => mrambo
Installed and tested without issues. Tested using VLC on Mageia 7, VLC on Android and a TV with WebOS. No issues noticed.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q minidlna
minidlna-1.2.1-3.1.mga7

$ systemctl status minidlna.service
● minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
   Loaded: loaded (/usr/lib/systemd/system/minidlna.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-12-31 01:44:57 WET; 5s ago
 Main PID: 9662 (minidlnad)
    Tasks: 2 (limit: 4684)
   Memory: 5.9M
   CGroup: /system.slice/minidlna.service
           └─9662 /usr/sbin/minidlnad -S

dez 31 01:44:58 marte minidlnad[9662]: getifaddr.c:338: info: Enabling interface 10.0.0.1/255.0.0.0
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0483.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED