| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| libupnp-2.0.2.tar.bz2 | 2026-06-17 | 770.6 kB | |
| libupnp-2.0.2.tar.bz2.sha256 | 2026-06-17 | 88 Bytes | |
| README.md | 2026-06-17 | 1.2 kB | |
| release-2.0.2 source code.tar.gz | 2026-06-17 | 883.5 kB | |
| release-2.0.2 source code.zip | 2026-06-17 | 1.1 MB | |
| Totals: 5 Items | 2.7 MB | 11 | |
Security release — all users are encouraged to upgrade.
This release fixes three security vulnerabilities:
-
GHSA-gcj7-j9f7-q84c —
Transfer-Encoding: chunkedbodies bypassed theg_maxContentLengthlimit. Becausecontent_lengthis never set for chunked transfers, the existing size checks were skipped while the decoded entity accumulated past the configured maximum. Fixed by also checkingentity.lengthinhttp_RecvMessage(). -
GHSA-q54q-vx78-v9rq — NULL dereference in
ixmlNode_compare(). Non-namespaced attributes havenodeValue,namespaceURI,prefix, andlocalNameas NULL, but the function passed them directly tostrcmp(). Comparing two distinct attribute objects with the same name (asremoveAttributeNodedoes) triggered a crash. Fixed by using a NULL-safe wrapper. -
GHSA-g6c2-x4r9-352g — Integer truncation in
raw_to_int(). The function usedstrtol()(returnslong, 64-bit on LP64) and cast the result toint(32-bit), silently truncatingContent-Lengthvalues aboveINT_MAX. A value like4294967301(2³²+5) was stored as5, bypassing size limits. Fixed by switching tostrtoll()with an explicitINT_MAXbound check.