On 5/21/19 8:06 AM, Chris Lamb wrote:
> Package: minissdpd
> Version: 1.2.20130907-3+deb8u1
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for minissdpd.
>
> CVE-2019-12106[0]:
> | The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
> | 1.5 allows a remote attacker to crash the process due to a Use After
> | Free vulnerability.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12106
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12106
>
>
> Regards,
>
Hi Chris & the security team,

The version in Sid / Buster isn't affected, as version 1.5.20190210 from
upstream already has the patch (i.e.: *pp = p->next). The security tracker
seems to know about it already.

Chris, thanks for your proposal to update Stretch, I very much appreciate it.

Cheers,

Thomas Goirand (zigo)