What's the minimum version of miniupnpc which has the fix for both CVE ? The build is already unsupported (except when using the depends) on Jessie, Stretch and Xenial due to other dependencies (Boost, libevent, ...). It is worth looking if we can just bump the minimum version high enough to prevent building against these old versions. Currently we enforce miniupnpc >= 1.5.

In D8211#191688, @Fabien wrote:

What's the minimum version of miniupnpc which has the fix for both CVE ? The build is already unsupported (except when using the depends) on Jessie, Stretch and Xenial due to other dependencies (Boost, libevent, ...). It is worth looking if we can just bump the minimum version high enough to prevent building against these old versions. Currently we enforce miniupnpc >= 1.5.

I believe 1.9 still has a vulnerability. That one is the version in ubuntu 16.04 but also 18.04, as far as I understand.
I have not figured out how to link the version number to API version number.

If I trust the discussion associated with the PR, some versions with API 16 still have a vulnerability. And API version 17 is the most recent version.

To summarize the situation :
CVE-2017-8798 was solved on 2017/05/05
CVE-2017-1000494 was solved on 2017/12/11

Both fixes were released in version 2.1 (2018/05/07)

Version in major linux distros:

1.6 (API_VERSION < 9): CentOS 6
1.9 (API_VERSION 10): Ubuntu 16.04 & 18.04, Debian 8 & 9
2.0 (API_VERSION 16): CentOS 7
2.1 (API_VERSION 17): Ubuntu 20.04 & 20.10, Debian 10 & 11, Fedora 31-33, Alpine 3.9-3.12