Описание
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| wpa | fixed | 2:2.9.0-16 | package | |
| gupnp | fixed | 1.2.3-1 | package | |
| gupnp | fixed | 1.0.5-0+deb10u1 | buster | package |
| minidlna | fixed | 1.2.1+dfsg-3 | package | |
| pupnp | not-affected | package | ||
| pupnp-1.8 | removed | package | ||
| pupnp-1.8 | ignored | bookworm | package | |
| pupnp-1.8 | no-dsa | bullseye | package | |
| pupnp-1.8 | no-dsa | buster | package | |
| libupnp | removed | package | ||
| libupnp | no-dsa | stretch | package |
Примечания
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2 (v1_3_0)
https://github.com/pupnp/pupnp/commit/5f76bf2858dd601bd985bf37a1db9f262c0ff7bf (release-1.14.0)
https://github.com/pupnp/pupnp/commit/7b3f0f5f497f9f493c82307af495b87fa9ebdacb (release-1.14.0)
EPSS
Связанные уязвимости
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
EPSS