
Drop support of insecure miniUPnPc versions
Closed, Public

Authored by PiRK on Oct 31 2020, 18:06.

Details

Reviewers
Fabien
Group Reviewers
Restricted Owners Package (Owns No Changed Paths)
Restricted Project
Commits
rABC5d0575f2a455: Drop support of insecure miniUPnPc versions
Summary

The minimum supported miniUPnPc API version is set to 10 (Debian 8 and Ubuntu 16.04).

This is a backport of Core PR15993

Included commits:

Test Plan

ninja all check-all

Diff Detail

Event Timeline

Owners added a reviewer: Restricted Owners Package.Oct 31 2020, 18:06
PiRK requested review of this revision.Oct 31 2020, 18:06
PiRK edited the summary of this revision. (Show Details)

What's the minimum version of miniupnpc which has the fix for both CVEs? The build is already unsupported (except when using the depends) on Jessie, Stretch and Xenial due to other dependencies (Boost, libevent, ...). It is worth looking if we can just bump the minimum version high enough to prevent building against these old versions. Currently we enforce miniupnpc >= 1.5.

Fabien requested changes to this revision.Nov 1 2020, 08:46
Fabien added inline comments.
doc/release-notes.md:34

The note is misleading as we already don't support building against the system packages for these OS.

This revision now requires changes to proceed.Nov 1 2020, 08:46

> What's the minimum version of miniupnpc which has the fix for both CVEs? The build is already unsupported (except when using the depends) on Jessie, Stretch and Xenial due to other dependencies (Boost, libevent, ...). It is worth looking if we can just bump the minimum version high enough to prevent building against these old versions. Currently we enforce miniupnpc >= 1.5.

I believe 1.9 still has a vulnerability. That one is the version in Ubuntu 16.04 but also 18.04, as far as I understand.
I have not figured out how to link the version number to API version number.

If I trust the discussion associated with the PR, some versions with API 16 still have a vulnerability. And API version 17 is the most recent version.

To summarize the situation:
CVE-2017-8798 was solved on 2017/05/05
CVE-2017-1000494 was solved on 2017/12/11

Both fixes were released in version 2.1 (2018/05/07)

Version in major Linux distros:

1.6 (API_VERSION < 9): CentOS 6
1.9 (API_VERSION 10): Ubuntu 16.04 & 18.04, Debian 8 & 9
2.0 (API_VERSION 16): CentOS 7
2.1 (API_VERSION 17): Ubuntu 20.04 & 20.10, Debian 10 & 11, Fedora 31-33, Alpine 3.9-3.12
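A way to check which miniUPnPc release and API version a system header provides, against the minimum API version of 10 that this revision enforces. This is an added example, not part of this revision or of the Bitcoin ABC build system. It reads the MINIUPNPC_VERSION and MINIUPNPC_API_VERSION defines from miniupnpc/miniupnpc.h, which is where miniUPnPc declares them; the headers fed to it below are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the revision or of Bitcoin ABC's build system):
# extract MINIUPNPC_VERSION and MINIUPNPC_API_VERSION from a miniupnpc.h header
# and decide whether it meets the minimum API version (10) the revision enforces.
# On a real system point it at /usr/include/miniupnpc/miniupnpc.h.

MIN_API_VERSION=10

# Print the value of a #define from a header, with surrounding quotes stripped.
# $1 = header path, $2 = macro name. Prints nothing if the macro is absent.
header_define() {
    sed -n "s/^#define[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" \
        | tr -d '"' | head -n 1
}

# Return 0 when the header's API version is >= MIN_API_VERSION, 1 otherwise.
# Prints a one-line description of what was found.
check_miniupnpc_header() {
    hdr=$1
    ver=$(header_define "$hdr" MINIUPNPC_VERSION)
    api=$(header_define "$hdr" MINIUPNPC_API_VERSION)
    if [ -z "$api" ]; then
        # Old releases (1.6 and earlier) do not carry the API version macro at
        # all, so they can never satisfy the minimum; reject them explicitly
        # rather than letting the numeric comparison below fail.
        echo "miniupnpc ${ver:-unknown}: no MINIUPNPC_API_VERSION define, rejected"
        return 1
    fi
    echo "miniupnpc ${ver:-unknown} (API $api), minimum API $MIN_API_VERSION"
    [ "$api" -ge "$MIN_API_VERSION" ]
}

# Write a constructed header that mimics the two defines a distro package ships.
# $1 = path, $2 = MINIUPNPC_VERSION string, $3 = MINIUPNPC_API_VERSION number
make_header() {
    printf '/* constructed sample header */\n#define MINIUPNPC_VERSION\t"%s"\n#define MINIUPNPC_API_VERSION\t%s\n' \
        "$2" "$3" > "$1"
}

# Demo on a constructed header matching the Ubuntu 16.04 package (1.9, API 10),
# which is exactly the floor this revision sets.
demo=$(mktemp)
make_header "$demo" 1.9 10
check_miniupnpc_header "$demo" && echo "OK: builds against this header"
rm -f "$demo"
```

Run it against the real header with `check_miniupnpc_header /usr/include/miniupnpc/miniupnpc.h`; a header that predates the API version macro (the 1.6 package on CentOS 6 in the list above) is rejected before the numeric comparison, which is the case a plain `-ge` test would otherwise trip over.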

PiRK edited the summary of this revision. (Show Details)

update dependencies.md minimum version, change misleading release note

This revision is now accepted and ready to land.Nov 3 2020, 15:55