X-Patchwork-Id: 1469038
From: Jörg Krause
To: buildroot@buildroot.org
Date: Thu, 22 Apr 2021 07:29:22 +0000
Message-Id: <20210422072922.63604-1-joerg.krause@embedded.rocks>
Subject: [Buildroot] [PATCH 1/1] package/libupnp: security bump to version 1.14.6

The server part of pupnp (libupnp) appears to be vulnerable to DNS-rebinding attacks because it does not check the value of the `Host` header.

Fixes CVE-2021-29462
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg

Signed-off-by: Jörg Krause
--- package/libupnp/libupnp.hash | 2 +- package/libupnp/libupnp.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libupnp/libupnp.hash b/package/libupnp/libupnp.hash index 8923d46f5f..e4858fdc8a 100644 --- a/package/libupnp/libupnp.hash +++ b/package/libupnp/libupnp.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 227ffa407be6b91d4e42abee1dd27e4b8d7e5ba8d3d45394cca4e1eadc65149a libupnp-1.14.5.tar.bz2 +sha256 3168f676352e2a6e45afd6ea063721ed674c99f555394903fbd23f7f54f0a503 libupnp-1.14.6.tar.bz2 sha256 c8b99423cad48bb44e2cf52a496361404290865eac259a82da6d1e4331ececb3 COPYING diff --git a/package/libupnp/libupnp.mk b/package/libupnp/libupnp.mk index f79d169dc8..e8ece46542 100644 --- a/package/libupnp/libupnp.mk +++ b/package/libupnp/libupnp.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBUPNP_VERSION = 1.14.5 +LIBUPNP_VERSION = 1.14.6 LIBUPNP_SOURCE = libupnp-$(LIBUPNP_VERSION).tar.bz2 LIBUPNP_SITE = \ http://downloads.sourceforge.net/project/pupnp/release-$(LIBUPNP_VERSION)
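
Review bot: In the libupnp.hash hunk, the new sha256 for libupnp-1.14.6.tar.bz2 sits under the existing "# Locally computed:" comment, so nothing in the file ties the value to a checksum or signature published upstream. For a security bump it would help to say in the commit message how the tarball was obtained and whether the hash was compared with any upstream-published value, so a reviewer can reproduce the check instead of trusting the submitter's download.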
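
Review bot: In the libupnp.mk hunk, the unchanged LIBUPNP_SITE context line still fetches the release over plain http:// from downloads.sourceforge.net. The version change itself looks fine, but since this is a security update, consider switching that URL to https:// here or in a follow-up, so that the integrity of the download does not rest on the sha256 in libupnp.hash alone.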
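
The commit message attributes CVE-2021-29462 to a missing `Host` header check. As an added illustration (not code from pupnp or Buildroot, and not a statement of how 1.14.6 implements its fix), one common server-side defence for LAN services is to accept a request only when its `Host` value is an IP literal, since a browser caught by DNS rebinding sends the rebinding domain name there. The names `host_is_ip_literal` and `valid_port` are hypothetical.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if s is a decimal port number in 1..65535, else 0. */
static int valid_port(const char *s)
{
    char *end;
    long port;

    if (*s < '0' || *s > '9')
        return 0;
    port = strtol(s, &end, 10);
    return *end == '\0' && port >= 1 && port <= 65535;
}

/* Returns 1 if the Host value is an IPv4 literal or a bracketed IPv6
 * literal, optionally followed by ":port"; returns 0 for DNS names,
 * empty values and anything malformed. */
int host_is_ip_literal(const char *host)
{
    char addr[INET6_ADDRSTRLEN];
    unsigned char bin[sizeof(struct in6_addr)];
    const char *end, *rest;
    size_t len;
    int family = AF_INET;

    if (host == NULL)
        return 0;
    if (host[0] == '[') {               /* "[v6]" or "[v6]:port" */
        family = AF_INET6;
        end = strchr(++host, ']');
        if (end == NULL)
            return 0;
        rest = end + 1;
    } else {                            /* "a.b.c.d" or "a.b.c.d:port" */
        end = host + strcspn(host, ":");
        rest = end;
    }
    len = (size_t)(end - host);
    if (len == 0 || len >= sizeof(addr))
        return 0;
    memcpy(addr, host, len);
    addr[len] = '\0';
    if (inet_pton(family, addr, bin) != 1)
        return 0;
    /* Nothing may follow the address except ":port". */
    return *rest == '\0' || (*rest == ':' && valid_port(rest + 1));
}
```

A server using a check like this would reject the request before any routing or SOAP handling; comparing the literal against the addresses the server is actually bound to is a stricter variant.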