Debian Bug report logs - #983206
[libupnp13] Please update for CVE-2020-12695 & fixes
Reported by: Lyndon Brown <jnqnfe@gmail.com>
Date: Sun, 21 Feb 2021 04:18:02 UTC
Severity: grave
Tags: bullseye-ignore, fixed-upstream, security, upstream
Found in version pupnp-1.8/1:1.8.4-2
Report forwarded
to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#983206; Package libupnp13.
(Sun, 21 Feb 2021 04:18:04 GMT)
Acknowledgement sent
to Lyndon Brown <jnqnfe@gmail.com>:
New Bug report received and forwarded. Copy sent to James Cowgill <jcowgill@debian.org>.
(Sun, 21 Feb 2021 04:18:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libupnp13
Version: 1:1.8.4-2
Severity: critical
According to the changelog upstream version 1.14.0 includes a security
fix for CVE-2020-12695 (currently not tracked for pupnp in the debian
security tracker).
Please update to 1.14.x. Thanks.
I'm also having trouble getting DLNA working with minidlna on one
system and vlc on another, with little idea so far why it's not
working. Getting an updated libupnp13 with all the fixes they've made
may help eliminate some possible causes.
Information forwarded
to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#983206; Package libupnp13.
(Sun, 21 Feb 2021 05:00:02 GMT)
Acknowledgement sent
to Lyndon Brown <jnqnfe@gmail.com>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>.
(Sun, 21 Feb 2021 05:00:02 GMT)
Message #10 received at 983206@bugs.debian.org:
On Sun, 21 Feb 2021 04:16:21 +0000 Lyndon Brown <jnqnfe@gmail.com>
wrote:
> I'm also having trouble getting DLNA working with minidlna on one
> system and vlc on another, with little idea so far why it's not
> working. Getting an updated libupnp13 with all the fixes they've made
> may help eliminate some possible causes.
Weird, having spent hours on this, I switched back to vlc after firing
off the email and the remote system was suddenly right there in vlc's
list... I can't explain that. I don't think I'd made any changes since
the last time I checked. Something I did earlier must have fixed it but
with some sort of delay to updating something. I think that the only
big difference to where I started from is no longer having minissdpd on
the server. Interestingly with it now fixed I refreshed the
x.x.x.x:8200 webpage in the browser and noticed the client type field
changed, from 'Unknown' to 'Generic UPnP 1.0'.
Hmm... Well that did not last. A little fiddling, and now it's gone
again and I'm not having any success at getting it back. The client has
also gone back to 'Unknown'. :/
Anyway, please update at least for the CVE, and fingers crossed it may
help with this also.
Added tag(s) security.
Request was from Ivo De Decker <ivodd@debian.org>
to control@bugs.debian.org.
(Sun, 21 Feb 2021 11:33:04 GMT)
Added tag(s) fixed-upstream and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 21 Feb 2021 19:51:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#983206; Package libupnp13.
(Sat, 17 Jul 2021 20:51:03 GMT)
Acknowledgement sent
to Sebastian Ramacher <sramcher@debian.org>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>.
(Sat, 17 Jul 2021 20:51:03 GMT)
Message #19 received at 983206@bugs.debian.org:
Control: severity -1 grave
Control: tags -1 bullseye-ignore
On 2021-02-21 04:16:21 +0000, Lyndon Brown wrote:
> Package: libupnp13
> Version: 1:1.8.4-2
> Severity: critical
>
> According to the changelog upstream version 1.14.0 includes a security
> fix for CVE-2020-12695 (currently not tracked for pupnp in the debian
> security tracker).
>
> Please update to 1.14.x. Thanks.
>
> I'm also having trouble getting DLNA working with minidlna on one
> system and vlc on another, with little idea so far why it's not
> working. Getting an updated libupnp13 with all the fixes they've made
> may help eliminate some possible causes.
https://github.com/pupnp/pupnp/commit/7b3f0f5f497f9f493c82307af495b87fa9ebdacb
is part of the fix for CVE-2020-12695 and thus libupnp requires a
transition. That will have to wait for bookworm.
Cheers
--
Sebastian Ramacher
Severity set to 'grave' from 'critical'
Request was from Sebastian Ramacher <sramcher@debian.org>
to 983206-submit@bugs.debian.org.
(Sat, 17 Jul 2021 20:51:03 GMT)
Added tag(s) bullseye-ignore.
Request was from Sebastian Ramacher <sramcher@debian.org>
to 983206-submit@bugs.debian.org.
(Sat, 17 Jul 2021 20:51:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#983206; Package libupnp13.
(Tue, 28 Sep 2021 21:45:06 GMT)
Acknowledgement sent
to Lyndon Brown <jnqnfe@gmail.com>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>.
(Tue, 28 Sep 2021 21:45:06 GMT)
Message #28 received at 983206@bugs.debian.org:
With bullseye now released, can we please now progress with the
necessary transition to upgrade and thus address the security issue?
Information forwarded
to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#983206; Package libupnp13.
(Wed, 02 Feb 2022 16:09:03 GMT)
Acknowledgement sent
to Lyndon Brown <jnqnfe@gmail.com>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>.
(Wed, 02 Feb 2022 16:09:03 GMT)
Message #33 received at 983206@bugs.debian.org:
@maintainer Ping.
Information forwarded
to debian-bugs-dist@lists.debian.org, James Cowgill <jcowgill@debian.org>:
Bug#983206; Package libupnp13.
(Sun, 02 Oct 2022 22:21:03 GMT)
Acknowledgement sent
to Lyndon Brown <jnqnfe@gmail.com>:
Extra info received and forwarded to list. Copy sent to James Cowgill <jcowgill@debian.org>.
(Sun, 02 Oct 2022 22:21:03 GMT)
Message #38 received at 983206@bugs.debian.org:
ping.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed May 17 05:37:07 2023