From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-3169-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id C4713158099
	for <garchives@archives.gentoo.org>; Sat, 25 Nov 2023 10:22:56 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id AEE2F2BC15A;
	Sat, 25 Nov 2023 10:22:31 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id D33C72BC039
	for <gentoo-announce@lists.gentoo.org>; Sat, 25 Nov 2023 10:22:15 +0000 (UTC)
Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165])
	by smtp.gentoo.org (Postfix) with ESMTP id 501CD34072E
	for <gentoo-announce@lists.gentoo.org>; Sat, 25 Nov 2023 10:22:15 +0000 (UTC)
Received: from [172.18.0.3] (unknown [172.18.0.3])
	by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 377B68C6A5
	for <gentoo-announce@lists.gentoo.org>; Sat, 25 Nov 2023 10:22:15 +0000 (UTC)
Subject: [gentoo-announce] [ GLSA 202311-12 ] MiniDLNA: Multiple Vulnerabilities
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="pgp-sha512"; boundary="===============1792097745841797294=="
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Sat, 25 Nov 2023 10:22:14 -0000
Message-ID: <170090773522.7.6784034488806034052@eaa400207d9c>
X-Archives-Salt: 652d666b-b5e8-4806-940c-980ecd3fa3ff
X-Archives-Hash: 87ae46d0c131242c20f201a302fe9ea7

--===============1792097745841797294==
Content-Type: text/plain; charset="utf-8"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202311-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: MiniDLNA: Multiple Vulnerabilities
     Date: November 25, 2023
     Bugs: #834642, #907926
       ID: 202311-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in MiniDLNA, the worst of
which could lead to remove code execution.

Background
==========

MiniDLNA is a simple media server software, with the aim of being fully
compliant with DLNA/UPnP-AV clients.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
net-misc/minidlna  < 1.3.3       >= 1.3.3

Description
===========

Multiple vulnerabilities have been discovered in MiniDLNA. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MiniDLNA users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/minidlna-1.3.3"

References
==========

[ 1 ] CVE-2022-26505
      https://nvd.nist.gov/vuln/detail/CVE-2022-26505
[ 2 ] CVE-2023-33476
      https://nvd.nist.gov/vuln/detail/CVE-2023-33476

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
--===============1792097745841797294==
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmVhytcACgkQFMQkOaVy
+9kh/A/+PnqEEv9j2rM22DP3RTPkXqN2PWVjHm9/CH8SFC7fkJxVX80qJv2vAJNG
TPf5fB8RArshJ1r32D/V7TcAOGT+ZZu4Jho71bBMvEe/tlj7Ai2JrdCv9/h9CO0G
c+ZQfSgKN08Bp/XuXi4wQl6Sylg/oY3AkRBWMav2lmjnDRgdWIAoqrsY9iJgSlqs
mV2mk/329ZyYclPaKgkZgXlPRgcjdLZEEWp0mRXYcHWGyq1R+wLF2dkZ8agBFhkG
ZZGi4ijHzhUXM0TDdsHnbiN3IuC54dr9o20bjjQNWckh6N2FcIXmJtypc++rALiU
jl1aLnVxTmfBTiCfTSt8ZZ63cnnQBAnnhGGhfwfoN9c+mV01hQcFrtw884bBIJ8k
iUcXcBfgEiuG2jFdfI+CM2/v3uKB1SzrlwSeWyBxMRzH30W1QRr8Tcs9HY4+SiN+
hX/JPcM3RetFYjFI5sj6jkiE5CKEZwBJumym2eQnpQe021n28Il4VpVX/lDy9V+C
Rg86UIwqWE5PLSBYtA3uCQEeq2r9EoHG4kitXd/PWVk2aNfIomrIK097++u38DEa
AFcPh/rH4JGMtGpA1D5JZ0LH0iRQGNhUEcH+ZJlCYWpvEBsjYHf5cc0uZrSmmexO
MOZEZC1kjv9k60/VPP1saYXa2mmjtPHTPvgiyQoegZgyg1zrovU=
=mgyx
-----END PGP SIGNATURE-----

--===============1792097745841797294==--