Debian has issued an advisory on February 1:
http://www.debian.org/security/2013/dsa-2614

Mageia 2 is also affected.
CC: (none) => n54
Ahh, I just noticed Guillaume updated this in Cauldron yesterday.
CC: (none) => guillomovitch
Version: Cauldron => 2
Patched package uploaded for Mageia 2. Patch added in Mageia 1 SVN.

Advisory:
========================

Updated libupnp packages fix security vulnerabilities:

The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
http://www.kb.cert.org/vuls/id/922681
http://www.debian.org/security/2013/dsa-2614
========================

Updated packages in core/updates_testing:
========================
libupnp6-1.6.15-1.1.mga2
libthreadutil6-1.6.15-1.1.mga2
libixml2-1.6.15-1.1.mga2
libupnp-devel-1.6.15-1.1.mga2

from libupnp-1.6.15-1.1.mga2.src.rpm
CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Severity: normal => critical
Testing complete on Mageia 2 i586 and x86-64.

No PoC, so just testing that amule runs with the updates installed.

Could someone from the sysadmin team push the srpm
libupnp-1.6.15-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated libupnp packages fix security vulnerabilities:

The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
http://www.kb.cert.org/vuls/id/922681
http://www.debian.org/security/2013/dsa-2614

https://bugs.mageia.org/show_bug.cgi?id=8974
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED