cvrf2cusa/cvrf/2021/cvrf-openEuler-SA-2021-1272.xml

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<!-- Document-level metadata for advisory openEuler-SA-2021-1272: title, document type, publisher and tracking data. -->
<DocumentTitle xml:lang="en">An update for gupnp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<!-- Publisher: the vendor's security contact address and the issuing body. -->
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<!-- Tracking: the ID below is the key used in the advisory URLs elsewhere in this document. -->
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1272</ID>
</Identification>
<!-- Status Final at version 1.0 with a single "Initial" revision: the initial and current release dates are the same day, so this file records no later revision. -->
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-07-24</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-07-24</InitialReleaseDate>
<CurrentReleaseDate>2021-07-24</CurrentReleaseDate>
<!-- The document names a generator tool, so the content is presumably tool-assembled rather than hand-written; verify fields against the referenced sources before relying on them. -->
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-07-24</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">gupnp security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for gupnp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">GUPnP is an elegant, object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. It provides the same set of features as libupnp, but shields the developer from most of UPnP&apos;s internals.
Security Fix(es):
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim&apos;s browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tampering, etc. (CVE-2021-33516)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for gupnp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">gupnp</Note>
</DocumentNotes>
<!-- References: the advisory's own page (Self), the vendor's CVE page, and the NVD entry for CVE-2021-33516. -->
<!-- These URLs are pointers for a reader; a consumer should not fetch or trust remote content solely because this document names it. -->
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1272</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-33516</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-33516</URL>
</Reference>
</DocumentReferences>
<!--
  Product tree: the two affected openEuler releases, followed by the updated gupnp RPMs grouped by package architecture.
  The default namespace is switched to the CVRF product namespace for this subtree, so XPath queries need a prefix bound to that URI.
  NOTE(review): the same ProductID value is reused on several entries (for example "gupnp-1.2.4-1" appears under aarch64, src and x86_64, once per release), so a ProductID alone does not identify one RPM here. Key on the file name together with the CPE attribute. CVRF is understood to expect unique ProductID values within a document; confirm against the schema.
  NOTE(review): the packages listed are version 1.2.4-1, while the Description note says the 1.2.x line is affected before 1.2.5. Presumably the fix is backported into this build; a scanner that compares upstream version numbers may still report it as vulnerable. Verify against the RPM changelog rather than the version string.
-->
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<!-- Release-level products; these two ProductIDs are the ones referenced from the Vulnerability section. -->
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">openEuler-20.03-LTS-SP2</FullProductName>
</Branch>
<!-- Package entries: the CPE on each RPM is the release CPE, not a package-specific one; it only tells which release the RPM belongs to. -->
<!-- NOTE(review): the CPE part is "a" (application) although the value names an operating-system release; confirm this is what downstream matchers expect. -->
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="gupnp-devel-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-devel-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debugsource-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debuginfo-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-devel-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-devel-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debugsource-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-debugsource-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-1.2.4-1.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debuginfo-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-debuginfo-1.2.4-1.oe1.aarch64.rpm</FullProductName>
</Branch>
<!-- Architecture-independent documentation package. -->
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="gupnp-help-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-help-1.2.4-1.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="gupnp-help-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-help-1.2.4-1.oe1.noarch.rpm</FullProductName>
</Branch>
<!-- Source RPMs; they share the ProductID "gupnp-1.2.4-1" with the binary RPMs in the other branches. -->
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-1.2.4-1.oe1.src.rpm</FullProductName>
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-1.2.4-1.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="gupnp-debuginfo-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-devel-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-devel-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debugsource-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debuginfo-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-debuginfo-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-devel-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-devel-1.2.4-1.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="gupnp-debugsource-1.2.4-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">gupnp-debugsource-1.2.4-1.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim&apos;s browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tampering, etc.</Note>
</Notes>
<!-- Publication date of this vulnerability entry and the CVE it tracks. -->
<ReleaseDate>2021-07-24</ReleaseDate>
<CVE>CVE-2021-33516</CVE>
<!-- Fixed status is declared for the two release-level ProductIDs, not for the individual package ProductIDs in the product tree; the fixed RPMs must be looked up there. -->
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
</Status>
</ProductStatuses>
<!-- Vendor impact rating; agrees with the "Severity" document note (High). -->
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<!--
  CVSS: the vector uses CVSS v3.x metrics (PR, UI, S) but carries no "CVSS:3.x/" prefix, so the version is implied rather than stated.
  A base score of 8.1 is what the CVSS v3.1 equations give for this vector. UI:R matches the description (a victim's browser has to be involved); C:H/I:H/A:N matches the stated impact on data confidentiality and integrity.
  NOTE(review): CVRF 1.1 score sets are understood to have been defined around CVSS v2; a parser that validates the vector strictly may reject this value. Confirm against the consumer.
-->
<CVSSScoreSets>
<ScoreSet>
<BaseScore>8.1</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<!-- Remediation: apply the vendor update; the URL is this advisory's own page (same as the "Self" reference). -->
<!-- NOTE(review): the element below is spelled DATE in upper case, unlike Date used in DocumentTracking. XML names are case-sensitive, so confirm which spelling the CVRF vuln schema and downstream parsers expect. -->
<Remediations>
<Remediation Type="Vendor Fix">
<Description>gupnp security update</Description>
<DATE>2021-07-24</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1272</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>