107 lines
6.1 KiB
XML
107 lines
6.1 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for gupnp is now available for openEuler-20.03-LTS-SP1</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2022-1768</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2022-07-22</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2022-07-22</InitialReleaseDate>
|
|
<CurrentReleaseDate>2022-07-22</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2022-07-22</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">gupnp security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for gupnp is now available for openEuler-20.03-LTS-SP1.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">GUPnP is an elegant, object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. It provides the same set of features as libupnp,but shields the developer from most of UPnP's internals.
|
|
|
|
Security Fix(es):
|
|
|
|
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.(CVE-2020-12695)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for gupnp is now available for openEuler-20.03-LTS-SP1.
|
|
|
|
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">gupnp</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1768</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-12695</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-12695</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="aarch64">
|
|
<FullProductName ProductID="gupnp-devel-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-devel-1.2.4-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="gupnp-debugsource-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-1.2.4-1.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="gupnp-debuginfo-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="gupnp-help-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-help-1.2.4-1.oe1.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-1.2.4-1.oe1.src.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="x86_64">
|
|
<FullProductName ProductID="gupnp-debuginfo-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-1.2.4-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="gupnp-devel-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-devel-1.2.4-1.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="gupnp-debugsource-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-07-22</ReleaseDate>
|
|
<CVE>CVE-2020-12695</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>High</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>7.5</BaseScore>
|
|
<Vector>AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>gupnp security update</Description>
|
|
<DATE>2022-07-22</DATE>
|
|
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1768</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |