[Buildroot] [PATCH 1/3] package/libupnp18: security bump to version 1.14.0

Arnout Vandecappelle arnout at mind.be
Sun Aug 30 18:34:06 UTC 2020



On 21/08/2020 22:41, Fabrice Fontaine wrote:
> Fix CallStranger a.k.a. CVE-2020-12695 as well as CVE-2020-13848

Again, although this bump indeed fixes those issues, it's a feature version
bump so I'm not sure if it can be called "security bump".

In addition, the libupnp18 package exists because of API incompatibility with
1.6. Are we sure that this problem doesn't repeat itself for 1.14?

Regards,
Arnout

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
>  package/libupnp18/libupnp18.hash | 6 +++---
>  package/libupnp18/libupnp18.mk   | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/libupnp18/libupnp18.hash b/package/libupnp18/libupnp18.hash
> index ba9ce1bcdf..cd693ef0eb 100644
> --- a/package/libupnp18/libupnp18.hash
> +++ b/package/libupnp18/libupnp18.hash
> @@ -1,5 +1,5 @@
> -# From https://sourceforge.net/projects/pupnp/files/pupnp/libupnp-1.8.7/libupnp-1.8.7.tar.bz2.sha1
> -sha1  2ea3011180c58b0584f0cb73cc8e685a0a1c4ec8  libupnp-1.8.7.tar.bz2
> +# From https://sourceforge.net/projects/pupnp/files/pupnp/libupnp-1.14.0/libupnp-1.14.0.tar.bz2.sha1
> +sha1  b14cff9ddd7cfe7f0e4bf552387122a31770f51f  libupnp-1.14.0.tar.bz2
>  # Locally computed:
> -sha256  e38c69b2b67322e67cd53680db9b02c7c1f720a47a3cd626fd89d57d2dca93b8  libupnp-1.8.7.tar.bz2
> +sha256  ecb23d4291968c8a7bdd4eb16fc2250dbacc16b354345a13342d67f571d35ceb  libupnp-1.14.0.tar.bz2
>  sha256  c8b99423cad48bb44e2cf52a496361404290865eac259a82da6d1e4331ececb3  COPYING
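Review bot: the only upstream-published digest behind the new libupnp-1.14.0.tar.bz2 entries is the SHA-1 taken from the SourceForge .sha1 file; the sha256 sits under "# Locally computed:", so it only vouches for the tarball the submitter happened to download. Please say in the commit message how that tarball was cross-checked (for example against the upstream release tag), since this is submitted as a security fix. The COPYING sha256 is left as unchanged context, which asserts that the license text is identical between 1.8.7 and 1.14.0; a one-line confirmation of that in the commit message would help.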
> diff --git a/package/libupnp18/libupnp18.mk b/package/libupnp18/libupnp18.mk
> index f17a1a720d..fb6c548c47 100644
> --- a/package/libupnp18/libupnp18.mk
> +++ b/package/libupnp18/libupnp18.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBUPNP18_VERSION = 1.8.7
> +LIBUPNP18_VERSION = 1.14.0
>  LIBUPNP18_SOURCE = libupnp-$(LIBUPNP18_VERSION).tar.bz2
>  LIBUPNP18_SITE = http://downloads.sourceforge.net/project/pupnp/pupnp/libupnp-$(LIBUPNP18_VERSION)
>  LIBUPNP18_CONF_ENV = ac_cv_lib_compat_ftime=no
> 
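Review bot: LIBUPNP18_VERSION moves to 1.14.0 while the package directory and variable prefix stay libupnp18, so the name no longer matches the series it ships; the commit message should state whether 1.14.0 keeps the API that the existing libupnp18 users build against, or the package should be renamed in the same series. Separately, the unchanged LIBUPNP18_SITE line still fetches over plain http://, which leaves the .hash file as the only integrity check on the download; since the line is already in the hunk context, consider switching it to https:// here.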

