Updated minidlna packages fix security vulnerabilitiesPublication date: 31 Dec 2020
Affected Mageia releases : 7
CVE: CVE-2020-12695 , CVE-2020-28926
It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695). Minidlna before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).