Bugzilla – Bug 1172700
VUL-0: CVE-2020-12695: hostapd: UPnP SUBSCRIBE misbehavior WPS AP
Last modified: 2021-04-12 13:18:24 UTC
CVE-2020-12695

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12695
http://www.openwall.com/lists/oss-security/2020/06/08/2
http://seclists.org/oss-sec/2020/q2/173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
https://github.com/yunuscadirci/CallStranger
https://www.callstranger.com
https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of
https://www.kb.cert.org/vuls/id/339275
Tumbleweed: https://build.opensuse.org/request/show/838564
Fixed with version hostapd-2.9-69.18
This is an autogenerated message for OBS integration:
This bug (1172700) was mentioned in
https://build.opensuse.org/request/show/883563 15.2 / hostapd
https://build.opensuse.org/request/show/883564 15.3 / hostapd

This is an autogenerated message for OBS integration:
This bug (1172700) was mentioned in
https://build.opensuse.org/request/show/883614 Backports:SLE-15-SP3 / hostapd
openSUSE-SU-2021:0519-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1150934,1172700,1184348
CVE References: CVE-2019-16275,CVE-2020-12695,CVE-2021-30004
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): hostapd-2.9-lp152.2.3.1

openSUSE-SU-2021:0545-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1150934,1172700,1184348
CVE References: CVE-2019-16275,CVE-2020-12695,CVE-2021-30004
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): hostapd-2.9-bp152.2.3.1