USN-4722-1: ReadyMedia (MiniDLNA) vulnerabilities

04 February 2021

ReadyMedia (MiniDLNA) could be made to crash if it received specially crafted input.

Releases

Packages

  • minidlna - lightweight DLNA/UPnP-AV server targeted at embedded systems

Details

It was discovered that ReadyMedia (MiniDLNA) allowed subscription requests with
a delivery URL on a different network segment than the fully qualified event-
subscription URL. An attacker could use this to hijack smart devices and cause
denial of service attacks. (CVE-2020-12695)

It was discovered that ReadyMedia (MiniDLNA) allowed remote code execution.
A remote attacker could send a malicious UPnP HTTP request to the service
using HTTP chunked encoding and cause a denial of service.
(CVE-2020-28926)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.10
Ubuntu 20.04
Ubuntu 18.04
Ubuntu 16.04

In general, a standard system update will make all the necessary changes.

Related notices