===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1988
                          libupnp security update
                                9 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libupnp
Publisher:         Debian
Operating System:  Linux variants
                   Debian GNU/Linux 8
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13848  

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2238

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libupnp check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : libupnp
Version        : 1.6.19+git20141001-1+deb8u2
CVE ID         : CVE-2020-13848
Debian Bug     : 962282


libupnp, the portable SDK for UPnP Devices, allows remote attackers to
cause a denial of service (crash) via a crafted SSDP message due to a
NULL pointer dereference in the functions FindServiceControlURLPath
and FindServiceEventURLPath in genlib/service_table/service_table.c.
This crash can be triggered by sending a malformed SUBSCRIBE or
UNSUBSCRIBE using any of the attached files.

For Debian 8 "Jessie", this problem has been fixed in version
1.6.19+git20141001-1+deb8u2.

We recommend that you upgrade your libupnp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================