Your message dated Sat, 04 Jul 2026 15:47:26 +0000
with message-id <[email protected]>
and subject line Bug#1134334: fixed in miniupnpd 2.3.9-2+deb13u1
has caused the Debian Bug report #1134334,
regarding miniupnpd: CVE-2026-5720
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134334: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134334
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: miniupnpd
Version: 2.3.9-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for miniupnpd.

CVE-2026-5720[0]:
| miniupnpd contains an integer underflow vulnerability in SOAPAction
| header parsing that allows remote attackers to cause a denial of
| service or information disclosure by sending a malformed SOAPAction
| header with a single quote. Attackers can trigger an out-of-bounds
| memory read by exploiting improper length validation in
| ParseHttpHeaders(), where the parsed length underflows to a large
| unsigned value when passed to memchr(), causing the process to scan
| memory far beyond the allocated HTTP request buffer.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5720
    https://www.cve.org/CVERecord?id=CVE-2026-5720
[1] 
https://github.com/miniupnp/miniupnp/commit/a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: miniupnpd
Source-Version: 2.3.9-2+deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
miniupnpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated miniupnpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jun 2026 15:18:31 +0300
Source: miniupnpd
Architecture: source
Version: 2.3.9-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Thomas Goirand <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1134334
Changes:
 miniupnpd (2.3.9-2+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-5720: integer underflow in SOAPAction header parsing
     (Closes: #1134334)
Checksums-Sha1:
 a429e58249c00e15a731b7da25bf2ad46616de5e 2452 miniupnpd_2.3.9-2+deb13u1.dsc
 dd5e07d383055d9c47060cd52f5ce85888ad76fc 302607 miniupnpd_2.3.9.orig.tar.gz
 689762cb0a4ef65106d5f00db9f852cd4728d4fb 801 miniupnpd_2.3.9.orig.tar.gz.asc
 b63a6bd6dc6a3bf1287d4eca5e4a2fbb3d1710d9 30404 
miniupnpd_2.3.9-2+deb13u1.debian.tar.xz
Checksums-Sha256:
 b4cd07cb19d7bbbb0cc66024fe5a1b19344c933cce7b5a1a3c65ff10c3cc4d33 2452 
miniupnpd_2.3.9-2+deb13u1.dsc
 66cb3c3d697ab2bb3a61d3c48628166d6ba328d7c2dbeb95898fdf2a3202af7b 302607 
miniupnpd_2.3.9.orig.tar.gz
 eca1aab6167297cfeec67b67f23edd16cb832257b2fcab18590177aaab8cab4d 801 
miniupnpd_2.3.9.orig.tar.gz.asc
 3cd3553113bb96ff06946cdd7cf6d0e3ae7f2d435143bed907394cbed93207e6 30404 
miniupnpd_2.3.9-2+deb13u1.debian.tar.xz
Files:
 e3ee63354bda18bac82d44450112d6f9 2452 net optional 
miniupnpd_2.3.9-2+deb13u1.dsc
 cbcb2efe6102ef959b75655ee845f6d0 302607 net optional 
miniupnpd_2.3.9.orig.tar.gz
 03f06b10906419147a9ba0dea9208fce 801 net optional 
miniupnpd_2.3.9.orig.tar.gz.asc
 3cc44588c970363a1b3fc1f24322fc68 30404 net optional 
miniupnpd_2.3.9-2+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmo2iAEACgkQiNJCh6LY
mLHKJQ//d/SanPQ9i/jee/L+syHOm5/32//8wpE3dn9sjBQrq4gU0wulxP8WlTfa
wijzkHEy4hOu+6w2WDfPivUChrbeq3SI/Z/ISZKrIVBINnxYUOt4DjNu3LrmXeBS
wQkiZYRzS2N6hfH4jalcWu/4eiP7BccP9eDTgtd89xjA449lQuvdYo+FKuertWBJ
/rP59HmAofmn2Vn6smAKCrI20nSiCr+7K/kUPrRkGLNdtyW+uTJ9/R2rYMc5hHg6
k53dE0gms5JFA4hLBDeRZdoFcxYo5RGnSWwYOFEM3K9Cxl3bBErTDAnvFtH+n6Q8
zbVIF/Ihm4QNf8HnYUXQCm8XdShjKTnxbMRnH0dXaZrO2f00wwTC5Fj7LaRcVi7m
Xnxe0z7F2wnFaxx3RG/Dj1tbHWlHpg9UulUUHx4SJiq8yPB4gTFDJomhNUC12KYG
Sw9Ac+w45myYeX08cwbu+EuCUHzn+E1ypU6KWQu4DbJw8gcDeemPxym2j4ua/Aee
0AuVtLtqaNtpfT81xdRt/uG9cRrI2TXn4pSVFHzrgr8ZITWMjmrAmd06Tk7ZzVMM
GAbaI9TNJ/C9RbWCp1JvkZhUGc7scvICEKfeUi7yA7ceRl64DQlnnt8sv6NymUXC
Nkz+M1rxhyYzIPhAiGt9VLddQIeqFbi+bza5aTcqkLKGcK4Gq8Y=
=GVVB
-----END PGP SIGNATURE-----

Attachment: pgpjgIS0tmgET.pgp
Description: PGP signature


--- End Message ---

Reply via email to