Bug 8974 - libupnp new security issues fixed upstream in 1.6.18
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: critical
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/536065/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
 
Reported: 2013-02-05 19:15 CET by David Walser
Modified: 2013-02-06 23:28 CET

Source RPM: libupnp-1.6.17-1.mga3.src.rpm

Description David Walser 2013-02-05 19:15:15 CET
Debian has issued an advisory on February 1:
http://www.debian.org/security/2013/dsa-2614

Mageia 2 is also affected.
Comment 1 David Walser 2013-02-06 00:36:16 CET
Ahh, I just noticed Guillaume updated this in Cauldron yesterday.
Comment 2 David Walser 2013-02-06 01:14:38 CET
Patched package uploaded for Mageia 2.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated libupnp packages fix security vulnerabilities:

The Portable SDK for UPnP Devices libupnp library contains multiple buffer
overflow vulnerabilities. Devices that use libupnp may also accept UPnP
queries over the WAN interface, therefore exposing the vulnerabilities to
the internet (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
http://www.kb.cert.org/vuls/id/922681
http://www.debian.org/security/2013/dsa-2614
========================

Updated packages in core/updates_testing:
========================
libupnp6-1.6.15-1.1.mga2
libthreadutil6-1.6.15-1.1.mga2
libixml2-1.6.15-1.1.mga2
libupnp-devel-1.6.15-1.1.mga2

from libupnp-1.6.15-1.1.mga2.src.rpm
Comment 3 Dave Hodgins 2013-02-06 03:00:34 CET
Testing complete on Mageia 2 i586 and x86-64.

No poc, so just testing that amule runs with the updates installed.

Could someone from the sysadmin team push the srpm
libupnp-1.6.15-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated libupnp packages fix security vulnerabilities:

The Portable SDK for UPnP Devices libupnp library contains multiple buffer
overflow vulnerabilities. Devices that use libupnp may also accept UPnP
queries over the WAN interface, therefore exposing the vulnerabilities to
the internet (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
http://www.kb.cert.org/vuls/id/922681
http://www.debian.org/security/2013/dsa-2614

https://bugs.mageia.org/show_bug.cgi?id=8974
Comment 4 Thomas Backlund 2013-02-06 23:28:02 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037
