** Description changed: - SRU request. + Security Update and/or SRU request for 14.04. + + There are security fixes to this package in Debian (1.8.20140523-4, in + 15.04+) that fix several CVEs and postinst failures (1.8.20130730-3, in + 14.10+) . Unfortunately it is not clear precisely which CVEs the Debian + security updates resolve. + + I found these issues when a user reported they couldn't start the + daemon. I initially fixed the postinst issue locally then discovered + Debian had updated the package already, and then discovered the + additional fixes for security vulnerabilities. + + Due to the Debian packages also including some unrelated fixes I'm unclear as to what the best approach is. + I've asked for guidance in #ubuntu-devel and rbasak gave useful input but it comes down to whether a security update would take the Debian package as-is or want to split out the various specific fixes. + + That looks like quite a lot of involved work to me. I only worked on the + postinst issue to solve it for a user who reported it in #ubuntu. + + ----- [Impact] - There are typos in the postinst script that cause garbage to be written + * MiniUPnPd is vulnerable to DNS rebinding attacks + + * DoS: typos in the postinst script that cause garbage to be written to "/etc/default/miniupnpd" resulting in the service failing to start. [Test Case] Install the package and try to start it. It will fail. "/etc/default/miniupnpd" will contain garbled content due to the bug. A valid example file exists in the package at /usr/share/doc/miniupnpd/examples/miniupnpd.default + Installing the package from 15.04 or 15.10 resolve the issues. + [Regression Potential] - Non. Changes ensure a valid 'default' file is written and permit the - daemon to start. + Small to Non. postinst changes ensure a valid 'default' file is written + and permit the daemon to start. Fixes from upstream prevent DNS + rebinding attacks. - ----- - I found these when a user reported they couldn't start the daemon. It turns out these were fixed in Debian and are available in 14.10, 15.04 and 15.10. + These were fixed in Debian and are available in 15.04+. - A backport to Trusty would solve this and several other issues. + [References] + + security: CVEs http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/Miniupnp-Project-Miniupnpd.html + + security: see Debian bug #772644 + + postinst: see Debian bug #726915 + + see also Debian changelog: http://metadata.ftp- + master.debian.org/changelogs//main/m/miniupnpd/miniupnpd_1.8.20140523-4_changelog
** Summary changed: - postinst script writes garbage to /etc/default/miniupnpd + Security vulnerabilities and postinst generating garbage ** Changed in: miniupnpd (Ubuntu Trusty) Status: New => Triaged ** Changed in: miniupnpd (Ubuntu Trusty) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1468938 Title: Security vulnerabilities and postinst generating garbage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/miniupnpd/+bug/1468938/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs