Debian Bug report logs -
#1006798
minidlna: CVE-2022-26505: DNS rebinding attack
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Alexander GQ Gerasiov <gq@debian.org>:
Bug#1006798; Package minidlna.
(Sat, 05 Mar 2022 10:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Alexander GQ Gerasiov <gq@debian.org>.
(Sat, 05 Mar 2022 10:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: minidlna
Version: 1.3.0+dfsg-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
ReadyMedia [1] (formerly MiniDLNA) v1.3.0 and below is vulnerable to DNS rebinding attacks. A malicious remote web server may trick the user browser into triggering arbitrary UPnP requests on the local DLNA server and observe the result of these actions. Moreover, the shared media files are accessible through DNS rebinding as well.
A remote malicious server could exploit the user browser in order to:
* list the available media files and exfiltrate this list;
* download the media files and exfiltrate them.
This has been fixed in ReadyMedia v1.3.1.
[1] https://sourceforge.net/projects/minidlna/
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages minidlna depends on:
ii adduser 3.118
ii init-system-helpers 1.60
ii libavformat58 7:4.3.3-0+deb11u1
ii libavutil56 7:4.3.3-0+deb11u1
ii libc6 2.31-13+deb11u2
ii libexif12 0.6.22-3
ii libflac8 1.3.3-2
ii libid3tag0 0.15.1b-14
ii libjpeg62-turbo 1:2.0.6-4
ii libogg0 1.3.4-0.1
ii libsqlite3-0 3.34.1-3
ii libvorbis0a 1.3.7-1
ii lsb-base 11.1.0
minidlna recommends no packages.
minidlna suggests no packages.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 06 Mar 2022 08:21:03 GMT) (full text, mbox, link).
Changed Bug title to 'minidlna: CVE-2022-26505: DNS rebinding attack' from 'minidlna: DNS rebinding attack'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 06 Mar 2022 08:21:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Mar 6 13:08:48 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon