
[ASA-202104-8] libupnp: content spoofing
Arch Linux Security Advisory ASA-202104-8
=========================================

Severity: High
Date    : 2021-04-29
CVE-ID  : CVE-2021-29462
Package : libupnp
Type    : content spoofing
Remote  : Yes
Link    :

Summary
=======

The package libupnp before version 1.14.6-1 is vulnerable to content spoofing.

Resolution
==========

Upgrade to 1.14.6-1.

# pacman -Syu "libupnp>=1.14.6-1"

The problem has been fixed upstream in version 1.14.6.

Workaround
==========

None.

Description
===========

The server part of pupnp (libupnp) appears to be vulnerable to DNS rebinding attacks because it does not check the value of the `Host` header. This can be mitigated by using DNS resolvers which block DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later.

Impact
======

An attacker is able to perform a DNS rebinding attack against a client browser to trigger local UPnP services. This can be used to, for example, exfiltrate or tamper with data of a client.

References
==========