openSUSE has issued an advisory on December 4:
The issues are fixed upstream in 1.3.0.
Debian has issued an advisory for this on December 7:
Patches available from Debian
Patched package uploaded for Mageia 7.
Updated minidlna package fixes security vulnerabilities:
* It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).
* MiniDLNA before version 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).
Updated packages in core/updates_testing:
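As an added illustration of the CallStranger condition described in the advisory above (example code, not minidlna's own), the check below accepts a UPnP SUBSCRIBE only when the Callback header's host lies on the same network segment as the interface that received the subscription. It assumes IPv4 callbacks; the interface address and mask are constructed from the 10.0.0.1/255.0.0.0 interface shown in the systemd log later on this page.

```c
/* Added example, not code from minidlna. A SUBSCRIBE request carries a
 * Callback header such as "<http://10.0.0.7:49152/notify>". Events must be
 * delivered only to a host on the same network segment as the interface the
 * subscription arrived on; anything else is the CallStranger pattern. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Extract the IPv4 host from "<http://host[:port]/path>" into dst.
 * Returns 0 on success, -1 if the header is malformed or not IPv4. */
int callback_host(const char *callback, struct in_addr *dst)
{
    const char *p = strstr(callback, "http://");
    char host[INET_ADDRSTRLEN];
    size_t n;
    if (!p) return -1;
    p += strlen("http://");
    n = strcspn(p, ":/>");             /* host ends at port, path or '>' */
    if (n == 0 || n >= sizeof(host)) return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return inet_pton(AF_INET, host, dst) == 1 ? 0 : -1;
}

/* Accept the subscription only if the callback host shares the network
 * segment of the receiving interface. Returns 1 = accept, 0 = reject;
 * unparsable callbacks are rejected too. */
int callback_on_same_segment(const char *callback,
                             const char *if_addr, const char *if_mask)
{
    struct in_addr cb, ifa, mask;
    if (callback_host(callback, &cb) != 0) return 0;
    if (inet_pton(AF_INET, if_addr, &ifa) != 1 ||
        inet_pton(AF_INET, if_mask, &mask) != 1) return 0;
    /* All three are in network byte order, so masking is consistent. */
    return (cb.s_addr & mask.s_addr) == (ifa.s_addr & mask.s_addr);
}

int main(void)
{
    /* Constructed values: interface 10.0.0.1/255.0.0.0 as in the log on this page. */
    const char *ifa = "10.0.0.1", *mask = "255.0.0.0";
    printf("same segment   : %d\n",
           callback_on_same_segment("<http://10.0.0.7:49152/notify>", ifa, mask));
    printf("other network  : %d\n",
           callback_on_same_segment("<http://192.0.2.5/cb>", ifa, mask));
    return 0;
}
```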
Installed and tested without issues.
Tested using VLC on Mageia 7, VLC on Android and a TV with WebOS. No issues noticed.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q minidlna
$ systemctl status minidlna.service
● minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
     Loaded: loaded (/usr/lib/systemd/system/minidlna.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-12-31 01:44:57 WET; 5s ago
   Main PID: 9662 (minidlnad)
      Tasks: 2 (limit: 4684)
             └─9662 /usr/sbin/minidlnad -S
dez 31 01:44:58 marte minidlnad: getifaddr.c:338: info: Enabling interface 10.0.0.1/255.0.0.0
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.