Re: CVE-2020-12695 & libupnp13

To: Lyndon Brown <jnqnfe@gmail.com>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: CVE-2020-12695 & libupnp13
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 21 Feb 2021 20:48:35 +0100
Message-id: <[🔎] YDK5ExTCBpnEfD3t@eldamar.lan>
Mail-followup-to: Lyndon Brown <jnqnfe@gmail.com>, debian-security-tracker@lists.debian.org
In-reply-to: <[🔎] e7c42ae4061a848110f0a50b76fc6cebd23ead9d.camel@gmail.com>
References: <[🔎] e7c42ae4061a848110f0a50b76fc6cebd23ead9d.camel@gmail.com>

Hi,

On Sun, Feb 21, 2021 at 04:08:15AM +0000, Lyndon Brown wrote:
> CVE-2020-12695 does not track libupnp13 (pupnp).
> 
> I noticed that the upstream v1.14 changelog entry includes work towards
> addressing this CVE, whilst the version shipped in Debian testing/sid
> is older (v1.8.4) and the CVE tracking page does not cover it.

Thanks, I have added it to the tracker today.

Note, if the code is not the same in different codebases it is not
always correct to use the same CVE. It looks this is warranted here as
upstream used the same.

So thanks for spotting and notifying us.

Regards,
Salvatore

Reply to:

References:
- CVE-2020-12695 & libupnp13
  - From: Lyndon Brown <jnqnfe@gmail.com>

Prev by Date: External check
Next by Date: External check
Previous by thread: CVE-2020-12695 & libupnp13
Index(es):
- Date
- Thread