{"id":"MGASA-2020-0483","summary":"Updated minidlna packages fix security vulnerabilities","details":"It was discovered that minidlna does not forbid the acceptance of a\nsubscription request with a delivery URL on a different network segment than\nthe fully qualified event-subscription URL, aka the CallStranger issue\n(CVE-2020-12695).\n\nMinidlna before versions 1.3.0 allows remote code execution. Sending a\nmalicious UPnP HTTP request to the miniDLNA service using HTTP chunked\nencoding can lead to a signedness bug resulting in a buffer overflow in calls\nto memcpy/memmove (CVE-2020-28926).\n","modified":"2026-04-16T00:11:17.456016338Z","published":"2020-12-31T14:32:44Z","upstream":["CVE-2020-12695","CVE-2020-28926"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0483.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27755"},{"type":"WEB","url":"https://www.debian.org/security/2020/dsa-4806"}],"affected":[{"package":{"name":"minidlna","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/minidlna?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.1-3.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0483.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}