Ubuntu Security Notice 4542-1 - It was discovered that MiniUPnPd did not properly validate callback addresses. A remote attacker could possibly use this issue to expose sensitive information. It was discovered that MiniUPnPd incorrectly handled unpopulated user XML input. An attacker could possibly use this issue to cause MiniUPnPd to crash, resulting in a denial of service. It was discovered that MiniUPnPd incorrectly handled an empty description when port mapping. An attacker could possibly use this issue to cause MiniUPnPd to crash, resulting in a denial of service. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-4542-1
September 25, 2020
miniupnpd vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in MiniUPnPd.

Software Description:
- miniupnpd: UPnP and NAT-PMP daemon for gateway routers

Details:

It was discovered that MiniUPnPd did not properly validate callback
addresses. A remote attacker could possibly use this issue to expose
sensitive information. (CVE-2019-12107)

It was discovered that MiniUPnPd incorrectly handled unpopulated user XML
input. An attacker could possibly use this issue to cause MiniUPnPd to
crash, resulting in a denial of service. (CVE-2019-12108, CVE-2019-12109)

It was discovered that MiniUPnPd incorrectly handled an empty description
when port mapping. An attacker could possibly use this issue to cause
MiniUPnPd to crash, resulting in a denial of service. (CVE-2019-12110)

It was discovered that MiniUPnPd did not properly parse certain PCP
requests. An attacker could possibly use this issue to cause MiniUPnPd to
crash, resulting in a denial of service. (CVE-2019-12111)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  miniupnpd    1.8.20140523-4.1+deb9u2build0.16.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4542-1
  CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110,
  CVE-2019-12111

Package Information:
  https://launchpad.net/ubuntu/+source/miniupnpd/1.8.20140523-4.1+deb9u2build0.16.04.1