Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-454-1 minissdpd

Debian Security Advisory

DLA-454-1 minissdpd -- LTS security update

Date Reported:

03 May 2016

Affected Packages:

minissdpd

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-3178, CVE-2016-3179.

More information:

The minissdpd daemon contains a improper validation of array index vulnerability (CWE-129) when processing requests sent to the Unix socket at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access that crashes the minissdpd daemon.

For Debian 7 Wheezy, these issues have been fixed in minissdpd version 1.1.20120121-1+deb7u1