CVE-2020-12695

Priority
Description
The Open Connectivity Foundation UPnP specification before 2020-04-17 does
not forbid the acceptance of a subscription request with a delivery URL on
a different network segment than the fully qualified event-subscription
URL, aka the CallStranger issue.
Notes
Package
Source: wpa (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):needs-triage
Ubuntu 20.04 LTS (Focal Fossa):needs-triage
Ubuntu 20.10 (Groovy Gorilla):needs-triage
Patches:
Upstream:https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
Upstream:https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
Upstream:https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
More Information

Updated: 2020-07-01 14:22:09 UTC (commit f2a40e02a46fe0d2c9d7b8b97047199f18432424)