USN-4722-1: ReadyMedia (MiniDLNA) vulnerabilities

Releases

• Ubuntu 20.10
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• minidlna - lightweight DLNA/UPnP-AV server targeted at embedded systems

Details

It was discovered that ReadyMedia (MiniDLNA) allowed subscription requests with
a delivery URL on a different network segment than the fully qualified event-
subscription URL. An attacker could use this to hijack smart devices and cause
denial of service attacks. (CVE-2020-12695)

It was discovered that ReadyMedia (MiniDLNA) allowed remote code execution.
A remote attacker could send a malicious UPnP HTTP request to the service
using HTTP chunked encoding and cause a denial of service.
(CVE-2020-28926)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.10

• minidlna - 1.2.1+dfsg-2ubuntu0.1

Ubuntu 20.04

• minidlna - 1.2.1+dfsg-1ubuntu0.20.04.1

Ubuntu 18.04

• minidlna - 1.2.1+dfsg-1ubuntu0.18.04.1

Ubuntu 16.04

• minidlna - 1.1.5+dfsg-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-12695
• CVE-2020-28926

Related notices

• USN-4494-1: libgupnp-1.2-dev, libgupnp-doc, gir1.2-gupnp-1.2, gupnp, libgupnp-1.2-0
• USN-4734-1: wpagui, wpasupplicant, wpasupplicant-udeb, wpa, hostapd
• USN-4734-2: wpagui, wpasupplicant, wpasupplicant-udeb, wpa, hostapd