Debian Bug report logs - #717131
minidlna: CVE-2013-2745 CVE-2013-2738 CVE-2013-2739
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 17 Jul 2013 07:42:29 UTC
Severity: grave
Tags: fixed-upstream, security
Fixed in version minidlna/1.1.2+dfsg-1
Done: Benoît Knecht <benoit.knecht@fsfe.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Wed, 17 Jul 2013 07:42:33 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>. (Wed, 17 Jul 2013 07:42:33 GMT)
Message #5 received at submit@bugs.debian.org:
Package: minidlna
Severity: grave
Tags: security
Justification: user security hole
Please see http://www.securityfocus.com/archive/1/527299/30/0
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Sun, 23 Mar 2014 11:15:04 GMT)
Acknowledgement sent to Neil Williams <codehelp@debian.org>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sun, 23 Mar 2014 11:15:04 GMT)
Message #10 received at 717131@bugs.debian.org:
Just a note on investigations so far, the debian/watch file in 1.0.24
incorrectly points to 1.0.25 as the new upstream release but
sourceforge has 1.1.2.
https://launchpad.net/bugs/cve/CVE-2013-2745
--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Sun, 23 Mar 2014 12:57:09 GMT)
Acknowledgement sent to Neil Williams <codehelp@debian.org>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sun, 23 Mar 2014 12:57:10 GMT)
Message #15 received at 717131@bugs.debian.org:
The new upstream release builds cleanly and includes the majority of
changes currently provided as patches in Debian as well as other
updates.
I've prepared a local build of 1.1.2 which only needs patches to the
minidlna.conf file for better clarity of the comments and I propose to
take the manpages from upstream (minidlna.conf.5 needs a trivial patch
for what-is support).
The possible changelog at this stage would look like:
Source: minidlna
Version: 1.1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Neil Williams <codehelp@debian.org>
Date: Sun, 23 Mar 2014 11:53:42 +0000
Closes: 697613 711234 717131 724207 732087
Changes:
 minidlna (1.1.2-1) unstable; urgency=medium
 .
   * Hijack to move to new upstream release
   * Move to upstream 1.1.2 which is no longer prone
     to CVE-2013-2745 CVE-2013-2738 and CVE-2013-2739,
     builds cleanly and has migrated to libavformat54
     and libavutil52. (Closes: #717131) (Closes: #711234)
     (Closes: #724207) (Closes: #732087)
   * Add logrotate config - thanks to Guilhem Bonnefille.
     (Closes: #697613)
I need to do more testing of the built package and allow time for
Benoit to respond to this and my earlier email about minidlna. I do not
propose to retain the existing git packaging - I'll decide where to put
the new packaging at a later date.
If others are interested in testing minidlna, I can make my changes
available.
Note that the binary has changed from /usr/bin/minidlna
to /usr/sbin/minidlnad - I'll add a NEWS item about this if the hijack
is to proceed and allow minidlna into Jessie.
--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Sun, 23 Mar 2014 13:30:04 GMT)
Acknowledgement sent to Neil Williams <codehelp@debian.org>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sun, 23 Mar 2014 13:30:04 GMT)
Message #20 received at 717131@bugs.debian.org:
I have emailed Benoit privately and an MIA check shows that he has not
responded to the first MIA ping in February 2014. He has also made no
uploads to any packages in two years. So in order to fix the
outstanding bugs and because I am using minidlna currently, I decided
to test out the idea of a hijack on the basis of a non-responsive
maintainer and an active upstream.
--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Fri, 11 Apr 2014 19:27:05 GMT)
Acknowledgement sent to Guillem Jover <guillem@debian.org>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Fri, 11 Apr 2014 19:27:05 GMT)
Message #25 received at 717131@bugs.debian.org:
Hi!
On Sun, 2014-03-23 at 12:52:50 +0000, Neil Williams wrote:
> The possible changelog at this stage would look like:
>
> Source: minidlna
> Version: 1.1.2-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Neil Williams <codehelp@debian.org>
> Date: Sun, 23 Mar 2014 11:53:42 +0000
> Closes: 697613 711234 717131 724207 732087
> Changes:
> minidlna (1.1.2-1) unstable; urgency=medium
> .
> * Hijack to move to new upstream release
> * Move to upstream 1.1.2 which is no longer prone
> to CVE-2013-2745 CVE-2013-2738 and CVE-2013-2739,
> builds cleanly and has migrated to libavformat54
> and libavutil52. (Closes: #717131) (Closes: #711234)
> (Closes: #724207) (Closes: #732087)
> * Add logrotate config - thanks to Guilhem Bonnefille.
> (Closes: #697613)
>
> I need to do more testing of the built package and allow time for
> Benoit to respond to this and my earlier email about minidlna. I do not
> propose to retain the existing git packaging - I'll decide where to put
> the new packaging at a later date.
>
> If others are interested in testing minidlna, I can make my changes
> available.
Regardless of the upload procedure (either waiting for the MIA team
to make the honors, or a straight hijack), I'd be interested in testing
the new package, to try to help for when this gets uploaded one way or
another.
Thanks,
Guillem
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Tue, 22 Apr 2014 07:51:09 GMT)
Acknowledgement sent to Aiko Barz <aiko@torrentkino.de>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Tue, 22 Apr 2014 07:51:09 GMT)
Message #30 received at 717131@bugs.debian.org:
Hello,
is there any progress on this topic? I volunteer for testing too. :)
Kind regards,
Aiko Barz
--
:wq ✉
Added tag(s) fixed-upstream. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 22 Apr 2014 12:12:15 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Wed, 23 Apr 2014 09:09:09 GMT)
Acknowledgement sent to Aiko Barz <aiko@torrentkino.de>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Wed, 23 Apr 2014 09:09:09 GMT)
Message #37 received at 717131@bugs.debian.org:
I'm using git://gitorious.org/debian-pkg/minidlna.git for tests and
a working installation now.
--
:wq ✉
Information forwarded to debian-bugs-dist@lists.debian.org, Benoît Knecht <benoit.knecht@fsfe.org>: Bug#717131; Package minidlna. (Sat, 26 Apr 2014 14:18:04 GMT)
Acknowledgement sent to Thanos Kyritsis <djart@linux.gr>: Extra info received and forwarded to list. Copy sent to Benoît Knecht <benoit.knecht@fsfe.org>. (Sat, 26 Apr 2014 14:18:04 GMT)
Message #42 received at 717131@bugs.debian.org:
I'm also using Benoît's gitorious packaging to test and use minidlna
1.1.2 on Ubuntu 14.04.
If you need further assistance or testing of a different Debian
packaging, let us know; it would be nice to see minidlna back in sid,
in order for derivative distributions to benefit as well.
Reply sent to Benoît Knecht <benoit.knecht@fsfe.org>: You have taken responsibility. (Fri, 09 May 2014 11:09:14 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Fri, 09 May 2014 11:09:14 GMT)
Message #47 received at 717131-close@bugs.debian.org:
Source: minidlna
Source-Version: 1.1.2+dfsg-1
We believe that the bug you reported is fixed in the latest version of
minidlna, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 717131@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benoît Knecht <benoit.knecht@fsfe.org> (supplier of updated minidlna package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 28 Apr 2014 12:05:41 +0200
Source: minidlna
Binary: minidlna
Architecture: source amd64
Version: 1.1.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Benoît Knecht <benoit.knecht@fsfe.org>
Changed-By: Benoît Knecht <benoit.knecht@fsfe.org>
Description:
minidlna - lightweight DLNA/UPnP-AV server targeted at embedded systems
Closes: 711234 717131
Changes:
 minidlna (1.1.2+dfsg-1) unstable; urgency=low
 .
   * New upstream version (Closes: #711234)
   * The new upstream version is no longer affected by CVE-2013-2745,
     CVE-2013-2738 or CVE-2013-2739 (Closes: #717131)
   * Use SIGUSR1 instead of SIGHUP to reopen the log file after a logrotate,
     since upstream is now using SIGHUP to reload the network interfaces
   * Update copyright information for upstream files
   * Bump Standards-Version to 3.9.5 (no changes required)
   * Override lintian warning debian-watch-may-check-gpg-signature, as upstream
     doesn't sign the source tarball
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:35:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:32 2019; Machine Name: buxtehude