Bugzilla – Bug 989948
VUL-0: CVE-2016-6255 libupnp: Unhandled POSTs can write to the filesystem by default
Last modified: 2017-06-05 01:09:31 UTC
rh#1358612

A vulnerability was found in libupnp. If there's no registered handler for a POST request, the default behaviour is to write it to the filesystem. This allows an attacker to store arbitrary data on deployed devices.

Fix:
https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1358612
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6255
http://seclists.org/oss-sec/2016/q3/118
bugbot adjusting priority
Submitted version update to 1.6.21, should be binary compatible.
This is an autogenerated message for OBS integration: This bug (989948) was mentioned in https://build.opensuse.org/request/show/498521 42.2 / libupnp
release, done
openSUSE-SU-2017:1485-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1006256,898167,989948
CVE References: CVE-2016-6255,CVE-2016-8863
Sources used:
openSUSE Leap 42.2 (src): libupnp-1.6.21-4.3.1