A security issue fixed upstream in 1.3.1 has been announced on March 3: https://www.openwall.com/lists/oss-security/2022/03/03/1 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
CC: (none) => jani.valimaa, mhrambo3501
Status comment: (none) => Fixed upstream in 1.3.1
CVE-2022-26505 has been assigned: https://www.openwall.com/lists/oss-security/2022/03/06/1
Summary: minidlna new DNS rebinding security issue => minidlna new DNS rebinding security issue (CVE-2022-26505)
This SRPM is officially with Jani, who is active on it, so assigning appropriately.
CC: jani.valimaa => (none)
Assignee: bugsquad => jani.valimaa
openSUSE has issued an advisory for this on March 10: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXEFRXJEYR7QPAMYNWTJIYKTVX5OEQ7O/
Debian-LTS has issued an advisory for this on April 9: https://www.debian.org/lts/security/2022/dla-2973
There's no 1.3.1 release tarball available. https://sourceforge.net/p/minidlna/support-requests/78/
Probably have to use the Git feature to download a snapshot.
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. (CVE-2022-26505)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26505
https://www.openwall.com/lists/oss-security/2022/03/03/1
https://www.openwall.com/lists/oss-security/2022/03/06/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXEFRXJEYR7QPAMYNWTJIYKTVX5OEQ7O/
https://www.debian.org/lts/security/2022/dla-2973
========================

Updated package in core/updates_testing:
========================
minidlna-1.3.2-1.mga8

from SRPM:
minidlna-1.3.2-1.mga8.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.3.1 => (none)
Version: Cauldron => 8
Assignee: jani.valimaa => qa-bugs
CVE: (none) => CVE-2022-26505
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried bug 27755 for more info on how this works, but .....
Found https://www.smarthomebeginner.com/install-minidlna-on-ubuntu-ultimate-guide/ and tried to follow the recommendations there, more or less.
I have in /etc/minidlna.conf added the line
media_dir=/home/tester8/Music
but when trying to start, I get error (from # systemctl -l status minidlna)
Oct 25 14:02:19 mach7.hviaene.thuis minidlnad[5907]: [2022/10/25 14:02:19] minidlna.c:669: error: Media directory "/home/tester8/Music" not accessible [Permission denied]
but of course
# cd /home/tester8/Music
# ls '13beste strangers'/
So I have no clue where this comes from or what it really means.
CC: (none) => herman.viaene
Probably your home directory is inaccessible to the service. Try chmod o+x /home/tester8
That gets rid of this error, but there are more, and I don't feel like dabbling in the conf options to get where???? Giving up on this one.
Added the line with "media_dir=/home/dave/Music" to /etc/minidlna.conf and started the server. No other changes.

[root@x3 ~]# systemctl status minidlna.service
* minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
     Loaded: loaded (/usr/lib/systemd/system/minidlna.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-10-25 09:58:31 EDT; 10s ago
   Main PID: 95574 (minidlnad)
      Tasks: 2 (limit: 19118)
     Memory: 2.9M
        CPU: 14ms
     CGroup: /system.slice/minidlna.service
             `-95574 /usr/sbin/minidlnad -S

Oct 25 09:58:31 x3.hodgins.homeip.net systemd[1]: Started MiniDLNA is a DLNA/UPnP-AV server software.
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:523: warn: Using unsupported non-utf8 locale 'en_CA'
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:1134: warn: Starting MiniDLNA version 1.3.1.
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:1182: warn: HTTP listening on port 8200

Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0391.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED