On 02/02/2013 01:30 AM, Scott Howard wrote:

Fine for me. Thanks.

retitle 699351 linux-igd follows old UPnP IGD V1 spec
thanks

On Thu, Jan 31, 2013 at 3:32 AM, VALETTE Eric OLNC/OLPS <eric2.vale...@orange.com> wrote:

Look at the CVEs that have been filed regarding libupnp6 and the associated bugs.

Thanks - they have been fixed in libupnp4 [1]. I've renamed the bug appropriately. I do not know enough about UPnP IGD V1 versus V2 [2] to have an opinion about whether this is an RC bug or not, so I'll leave that for the security team or someone more qualified.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699459
[2] http://upnp.org/sdcps-and-certification/standards/sdcps/

PS: Security-wise, UPnP IGD 2 is more strict, to prevent a device from opening a port to a different IP than itself. The bug that makes SSDP available on the WAN side is also problematic in the IGD V1 version. You shall not rely on the firewall to block incoming WAN packets but not listen to the WAN interface for SSDP...

-- eric
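The stricter IGD 2 behaviour mentioned in the PS above (a mapping may only point at the requester's own address), with an application-level LAN source check alongside it, sketched as an added Python example that is not part of the thread or of linux-igd. The function name, the LAN prefix and the sample SOAP body are constructed for illustration, and hostnames in NewInternalClient are rejected as an assumption of this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed AddPortMapping request body (not captured traffic).
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>8080</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>80</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>demo</NewPortMappingDescription>
   <NewLeaseDuration>3600</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def check_add_port_mapping(soap_body, peer_ip, lan_network):
    """Return (allowed, reason) for one AddPortMapping control request.

    peer_ip is the source address of the TCP connection carrying the request;
    lan_network is the prefix configured for the internal interface.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in ipaddress.ip_network(lan_network):
        return False, "request did not come from the LAN"
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return False, "malformed SOAP body"
    node = next((e for e in root.iter()
                 if e.tag.endswith("NewInternalClient")), None)
    if node is None or not (node.text or "").strip():
        return False, "NewInternalClient missing"
    try:
        client = ipaddress.ip_address(node.text.strip())
    except ValueError:
        return False, "NewInternalClient is not an IP address"
    if client != peer:
        return False, "NewInternalClient differs from requester"
    return True, "ok"


if __name__ == "__main__":
    for peer, client in [("192.168.1.20", "192.168.1.20"),
                         ("192.168.1.20", "192.168.1.1"),
                         ("203.0.113.5", "203.0.113.5")]:
        print(peer, client, check_add_port_mapping(
            SAMPLE.format(client=client), peer, "192.168.1.0/24"))
```

The source check here supplements, and does not replace, binding the SSDP and control sockets to the internal interface only.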