Doesn't the following patch apply? https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
I think it applies properly on all releases since at least 1.5, maybe even before.

On 22/10/2015 23:52, Thomas Goirand wrote:
> On 10/22/2015 10:10 AM, miniupnp wrote:
>> Hello,
>>
>> as you may have noticed, the vulnerability has already been fixed.
>> Changelog.txt entry is:
>> 2015/09/15:
>>   Fix buffer overflow in igd_desc_parse.c/IGDstartelt()
>>   Discovered by Aleksandar Nikolic of Cisco Talos
>>
>> The last source code releases on http://miniupnp.free.fr/files/ :
>> miniupnpc-1.9.20150917.tar.gz
>> miniupnpc-1.9.20151008.tar.gz
>> are both fixed.
>>
>> all previous releases are vulnerable.
>>
>> Regards,
>>
>> Thomas
> Hi Thomas,
>
> As you know, we need a minimal fix backported for the current version in
> Debian Stable. Could you send a patch for that version? The version in
> Jessie is: 1.9.20140610. I can upgrade the Sid/Testing version to last
> upstream release though.
>
> Cheers,
>
> Thomas Goirand (zigo)