USN-4542-1: MiniUPnPd vulnerabilities

25 September 2020

Several security issues were fixed in MiniUPnPd.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • miniupnpd - UPnP and NAT-PMP daemon for gateway routers

Details

It was discovered that MiniUPnPd did not properly validate callback
addresses. A remote attacker could possibly use this issue to expose
sensitive information. (CVE-2019-12107)

It was discovered that MiniUPnPd incorrectly handled unpopulated user XML
input. An attacker could possibly use this issue to cause MiniUPnPd to
crash, resulting in a denial of service. (CVE-2019-12108, CVE-2019-12109)

It was discovered that MiniUPnPd incorrectly handled an empty description
when port mapping. An attacker could possibly use this issue to cause
MiniUPnPd to crash, resulting in a denial of service. (CVE-2019-12110)

It was discovered that MiniUPnPd did not properly parse certain PCP
requests. An attacker could possibly use this issue to cause MiniUPnPd to
crash, resulting in a denial of service. (CVE-2019-12111)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04

In general, a standard system update will make all the necessary changes.