On 02/02/2013 01:30 AM, Scott Howard wrote:
retitle 699351 linux-igd follows old UPnP IGD V1 spec
thanks

On Thu, Jan 31, 2013 at 3:32 AM, VALETTE Eric OLNC/OLPS
<eric2.vale...@orange.com> wrote:
Look at the CVEs that have been filed regarding libupnp6 and the associated
bugs.
Thanks - they have been fixed in libupnp4 [1]. I've renamed the bug
appropriately. I do not know enough about UPnP IGD V1 versus V2 [2] to
have an opinion about whether this is an RC bug or not, so I'll leave
that for the security team or someone more qualified.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699459
[2] http://upnp.org/sdcps-and-certification/standards/sdcps/
Fine for me. Thanks.

PS: Security-wise, UPnP IGD 2 is stricter, to prevent a device from opening a port to a different IP than itself. The bug that makes SSDP available on the WAN side is also problematic in the IGD V1 version. You shall not rely on the firewall to block incoming WAN packets, but rather not listen on the WAN interface for SSDP...

-- eric
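
The restriction described in the PS above, sketched as an added example that is not part of the original message and is not linux-igd code: a port-mapping request is accepted only when it comes from the LAN subnet and asks for a mapping to the requester's own address. The function name, verdict codes and sample addresses are hypothetical; the source-address check complements, and does not replace, keeping the daemon off the WAN interface.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical verdict codes for this example. */
enum map_verdict { MAP_ALLOW, MAP_DENY_BAD_ADDR, MAP_DENY_NOT_LAN,
                   MAP_DENY_FOREIGN_CLIENT };

/* Parse a dotted-quad string into host byte order; returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/*
 * requester:       peer address of the control connection, as seen on the socket
 * internal_client: NewInternalClient argument of the AddPortMapping action
 * lan_net/prefix:  the LAN subnet the gateway daemon serves
 */
enum map_verdict check_add_port_mapping(const char *requester,
                                        const char *internal_client,
                                        const char *lan_net, unsigned prefix)
{
    uint32_t req, cli, net, mask;

    if (prefix > 32 || !parse_ipv4(requester, &req) ||
        !parse_ipv4(internal_client, &cli) || !parse_ipv4(lan_net, &net))
        return MAP_DENY_BAD_ADDR;        /* malformed input is refused, not guessed */

    mask = (prefix == 0) ? 0 : 0xFFFFFFFFu << (32 - prefix);
    if ((req & mask) != (net & mask))
        return MAP_DENY_NOT_LAN;         /* request did not originate on the LAN */
    if (req != cli)
        return MAP_DENY_FOREIGN_CLIENT;  /* mapping targets a host other than the requester */
    return MAP_ALLOW;
}

int main(void)
{
    /* Constructed sample values: LAN 192.168.1.0/24, one LAN host asking
     * for a mapping to a different LAN host. */
    printf("%d\n", check_add_port_mapping("192.168.1.20", "192.168.1.30",
                                          "192.168.1.0", 24));
    return 0;
}
```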