Security fix releases GUPnP 1.0.7 and GUPnP 1.2.5

Hello everyone,
GUPnP 1.0.7 and GUPnP 1.2.5 fix a potential DNS rebind issue.
An impact of this would be that for example a user could be tricked into opening a malicious web page that could scan the local network for UPnP media servers and download the user’s shared files, or, if enabled, even delete them.
Upgrade to 1.2.5 (or where that is not possible, 1.0.7) is strongly recommended.
GUPnP 1.2.5 is also a maintainence release containing a number of fixes, noted below:
GUPnP 1.2.5 =========== – Fix introspection annotation for send_action_list – Fix potential fd leak in linux CM – Fix potential NULL pointer dereference when evaluating unset ServiceProxyActions – Fix leaking the message string if an action is never sent – Fix leaking the ServiceProxyAction if sending fails in call_action – Fix introspection annotation for send_action and call_action_finish to prevent a double-free – Make ServiceIntrospection usable from gobject-introspection – Add Python examle – Add C example – Fix JavaScript example – Fix potential use-after-free if service proxy is destroxed before libsoup request finishes in control point – Fix potential data leak due to being vulnerable to DNS rebind attacs
Bugs fixed in this release: – gitlab.gnome.org/GNOME/gupnp/issues/47gitlab.gnome.org/GNOME/gupnp/issues/46gitlab.gnome.org/GNOME/gupnp/issues/23gitlab.gnome.org/GNOME/gupnp/issues/24
All contributors to this release: – Jens Georg <mail@jensge.org> – Doug Nazar <nazard@nazar.ca> – Andre Klapper <a9016009@gmx.de>
_______________________________________________ gnome-announce-list mailing list gnome-announce-list@gnome.org mail.gnome.org/mailman/listinfo/gnome-announce-list