minidlna: CVE-2013-2745 CVE-2013-2738 CVE-2013-2739

Debian Bug report logs - #717131
minidlna: CVE-2013-2745 CVE-2013-2738 CVE-2013-2739

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 17 Jul 2013 07:42:29 UTC

Severity: grave

Tags: fixed-upstream, security

Fixed in version minidlna/1.1.2+dfsg-1

Done: Benoît Knecht <benoit.knecht@fsfe.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Wed, 17 Jul 2013 07:42:33 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>. (Wed, 17 Jul 2013 07:42:33 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: minidlna: CVE-2013-2745 CVE-2013-2738 CVE-2013-2739
Date: Wed, 17 Jul 2013 09:36:16 +0200
Package: minidlna
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.securityfocus.com/archive/1/527299/30/0

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Sun, 23 Mar 2014 11:15:04 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sun, 23 Mar 2014 11:15:04 GMT)


Message #10 received at 717131@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 717131@bugs.debian.org
Subject: watch file indicates wrong upstream version
Date: Sun, 23 Mar 2014 11:13:04 +0000
Just a note on investigations so far: the debian/watch file in 1.0.24
incorrectly points to 1.0.25 as the new upstream release, but
sourceforge has 1.1.2.

https://launchpad.net/bugs/cve/CVE-2013-2745

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/


Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Sun, 23 Mar 2014 12:57:09 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sun, 23 Mar 2014 12:57:10 GMT)


Message #15 received at 717131@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 717131@bugs.debian.org
Subject: Possible hijack
Date: Sun, 23 Mar 2014 12:52:50 +0000
The new upstream release builds cleanly and includes the majority of
changes currently provided as patches in Debian as well as other
updates.

I've prepared a local build of 1.1.2 which only needs patches to the
minidlna.conf file for better clarity of the comments and I propose to
take the manpages from upstream (minidlna.conf.5 needs a trivial patch
for what-is support).

The possible changelog at this stage would look like:

Source: minidlna
Version: 1.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Neil Williams <codehelp@debian.org>
Date: Sun, 23 Mar 2014 11:53:42 +0000
Closes: 697613 711234 717131 724207 732087
Changes: 
 minidlna (1.1.2-1) unstable; urgency=medium
 .
   * Hijack to move to new upstream release
   * Move to upstream 1.1.2 which is no longer prone
     to CVE-2013-2745 CVE-2013-2738 and CVE-2013-2739,
     builds cleanly and has migrated to libavformat54
     and libavutil52. (Closes: #717131) (Closes: #711234)
     (Closes: #724207) (Closes: #732087)
   * Add logrotate config - thanks to Guilhem Bonnefille.
     (Closes: #697613)

I need to do more testing of the built package and allow time for
Benoit to respond to this and my earlier email about minidlna. I do not
propose to retain the existing git packaging - I'll decide where to put
the new packaging at a later date.

If others are interested in testing minidlna, I can make my changes
available.

Note that the binary has changed from /usr/bin/minidlna
to /usr/sbin/minidlnad - I'll add a NEWS item about this if the hijack
is to proceed and allow minidlna into Jessie.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/


Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Sun, 23 Mar 2014 13:30:04 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sun, 23 Mar 2014 13:30:04 GMT)


Message #20 received at 717131@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 717131@bugs.debian.org
Subject: update
Date: Sun, 23 Mar 2014 13:27:52 +0000
I have emailed Benoit privately and an MIA check shows that he has not
responded to the first MIA ping in February 2014. He has also made no
uploads to any packages in two years. So in order to fix the
outstanding bugs and because I am using minidlna currently, I decided
to test out the idea of a hijack on the basis of a non-responsive
maintainer and an active upstream.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/


Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Fri, 11 Apr 2014 19:27:05 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Fri, 11 Apr 2014 19:27:05 GMT)


Message #25 received at 717131@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Neil Williams <codehelp@debian.org>, 717131@bugs.debian.org
Subject: Re: Bug#717131: Possible hijack
Date: Fri, 11 Apr 2014 21:25:11 +0200
Hi!

On Sun, 2014-03-23 at 12:52:50 +0000, Neil Williams wrote:
> The possible changelog at this stage would look like:
> 
> Source: minidlna
> Version: 1.1.2-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Neil Williams <codehelp@debian.org>
> Date: Sun, 23 Mar 2014 11:53:42 +0000
> Closes: 697613 711234 717131 724207 732087
> Changes: 
>  minidlna (1.1.2-1) unstable; urgency=medium
>  .
>    * Hijack to move to new upstream release
>    * Move to upstream 1.1.2 which is no longer prone
>      to CVE-2013-2745 CVE-2013-2738 and CVE-2013-2739,
>      builds cleanly and has migrated to libavformat54
>      and libavutil52. (Closes: #717131) (Closes: #711234)
>      (Closes: #724207) (Closes: #732087)
>    * Add logrotate config - thanks to Guilhem Bonnefille.
>      (Closes: #697613)
> 
> I need to do more testing of the built package and allow time for
> Benoit to respond to this and my earlier email about minidlna. I do not
> propose to retain the existing git packaging - I'll decide where to put
> the new packaging at a later date.
> 
> If others are interested in testing minidlna, I can make my changes
> available.

Regardless of the upload procedure (either waiting for the MIA team
to make the honors, or a straight hijack), I'd be interested in testing
the new package, to try to help for when this gets uploaded one way or
another.

Thanks,
Guillem



Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Tue, 22 Apr 2014 07:51:09 GMT)


Acknowledgement sent to Aiko Barz <aiko@torrentkino.de>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Tue, 22 Apr 2014 07:51:09 GMT)


Message #30 received at 717131@bugs.debian.org:

From: Aiko Barz <aiko@torrentkino.de>
To: 717131@bugs.debian.org
Subject: I volunteer for testing too
Date: Tue, 22 Apr 2014 09:39:05 +0200
Hello,

is there any progress on this topic? I volunteer for testing too. :)

Kind regards,
Aiko Barz
-- 
:wq ✉



Added tag(s) fixed-upstream. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 22 Apr 2014 12:12:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Wed, 23 Apr 2014 09:09:09 GMT)


Acknowledgement sent to Aiko Barz <aiko@torrentkino.de>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Wed, 23 Apr 2014 09:09:09 GMT)


Message #37 received at 717131@bugs.debian.org:

From: Aiko Barz <aiko@torrentkino.de>
To: 717131@bugs.debian.org
Subject: Re: I volunteer for testing too
Date: Wed, 23 Apr 2014 10:59:48 +0200
I'm using git://gitorious.org/debian-pkg/minidlna.git for tests and
a working installation now.

-- 
:wq ✉



Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>:
Bug#717131; Package minidlna. (Sat, 26 Apr 2014 14:18:04 GMT)


Acknowledgement sent to Thanos Kyritsis <djart@linux.gr>:
Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sat, 26 Apr 2014 14:18:04 GMT)


Message #42 received at 717131@bugs.debian.org:

From: Thanos Kyritsis <djart@linux.gr>
To: 717131@bugs.debian.org
Subject: Re: I volunteer for testing too
Date: Sat, 26 Apr 2014 17:16:38 +0300
I'm also using Benoît's gitorious packaging to test and use minidlna
1.1.2 on Ubuntu 14.04.

If you need further assistance or testing of a different Debian
packaging, let us know; it would be nice to see minidlna back in sid,
so that derivative distributions can benefit as well.



Reply sent to Benoît Knecht <benoit.knecht@fsfe.org>:
You have taken responsibility. (Fri, 09 May 2014 11:09:14 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 09 May 2014 11:09:14 GMT)


Message #47 received at 717131-close@bugs.debian.org:

From: Benoît Knecht <benoit.knecht@fsfe.org>
To: 717131-close@bugs.debian.org
Subject: Bug#717131: fixed in minidlna 1.1.2+dfsg-1
Date: Fri, 09 May 2014 11:04:31 +0000
Source: minidlna
Source-Version: 1.1.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
minidlna, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717131@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benoît Knecht <benoit.knecht@fsfe.org> (supplier of updated minidlna package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 28 Apr 2014 12:05:41 +0200
Source: minidlna
Binary: minidlna
Architecture: source amd64
Version: 1.1.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Benoît Knecht <benoit.knecht@fsfe.org>
Changed-By: Benoît Knecht <benoit.knecht@fsfe.org>
Description: 
 minidlna   - lightweight DLNA/UPnP-AV server targeted at embedded systems
Closes: 711234 717131
Changes: 
 minidlna (1.1.2+dfsg-1) unstable; urgency=low
 .
   * New upstream version (Closes: #711234)
   * The new upstream version is no longer affected by CVE-2013-2745,
     CVE-2013-2738 or CVE-2013-2739 (Closes: #717131)
   * Use SIGUSR1 instead of SIGHUP to reopen the log file after a logrotate,
     since upstream is now using SIGHUP to reload the network interfaces
   * Update copyright information for upstream files
   * Bump Standards-Version to 3.9.5 (no changes required)
   * Override lintian warning debian-watch-may-check-gpg-signature, as upstream
     doesn't sign the source tarball





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:35:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:32 2019; Machine Name: buxtehude
