Bug 30115 - minidlna new DNS rebinding security issue (CVE-2022-26505)
Summary: minidlna new DNS rebinding security issue (CVE-2022-26505)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-03-04 19:06 CET by David Walser
Modified: 2022-10-28 08:55 CEST (History)
5 users (show)

See Also:
Source RPM: minidlna-1.3.0-1.mga8.src.rpm
CVE: CVE-2022-26505
Status comment:


Description David Walser 2022-03-04 19:06:14 CET
A security issue fixed upstream in 1.3.1 has been announced on March 3:

Mageia 8 is also affected.
David Walser 2022-03-04 19:06:33 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => jani.valimaa, mhrambo3501
Status comment: (none) => Fixed upstream in 1.3.1

Comment 1 David Walser 2022-03-07 17:51:36 CET
CVE-2022-26505 has been assigned:

Summary: minidlna new DNS rebinding security issue => minidlna new DNS rebinding security issue (CVE-2022-26505)

Comment 2 Lewis Smith 2022-03-07 20:44:04 CET
This SRPM is officially with Jani, who is active on it, so assigning appropriately.

CC: jani.valimaa => (none)
Assignee: bugsquad => jani.valimaa

Comment 3 David Walser 2022-03-11 21:43:19 CET
openSUSE has issued an advisory for this on March 10:
Comment 4 David Walser 2022-04-10 16:18:21 CEST
Debian-LTS has issued an advisory for this on April 9:
Comment 5 Jani Välimaa 2022-04-10 17:43:27 CEST
There's no 1.3.1 release tarball available.

Comment 6 David Walser 2022-04-10 17:52:42 CEST
Probably have to use the Git feature to download a snapshot.
Comment 7 Nicolas Salguero 2022-10-19 16:30:48 CEST
Suggested advisory:

The updated package fixes a security vulnerability:

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. (CVE-2022-26505)


Updated package in core/updates_testing:

from SRPM:

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.3.1 => (none)
Version: Cauldron => 8
Assignee: jani.valimaa => qa-bugs
CVE: (none) => CVE-2022-26505

Comment 8 Herman Viaene 2022-10-25 14:13:58 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried bug 27755 for more info on how this works, but .....
Found https://www.smarthomebeginner.com/install-minidlna-on-ubuntu-ultimate-guide/ and tried to follow the recommendations there, more or less.
I have in /etc/minidlna.conf added the line
but when trying to start , I get error (from # systemctl -l status minidlna)

Oct 25 14:02:19 mach7.hviaene.thuis minidlnad[5907]: [2022/10/25 14:02:19] minidlna.c:669: error: Media directory "/home/tester8/Music" not accessible [Permission denied]
but of course
# cd /home/tester8/Music
# ls
'13beste strangers'/
So I have no clue where this comes from or what it really means.

CC: (none) => herman.viaene

Comment 9 David Walser 2022-10-25 15:08:26 CEST
Probably your home directory is inaccessible to the service.  Try chmod o+x /home/tester8
Comment 10 Herman Viaene 2022-10-25 15:41:00 CEST
That get rid of this error, but there are more, and I don't feel like to dable in the conf options to get where????
Giving up on this one.
Comment 11 Dave Hodgins 2022-10-25 16:00:59 CEST
Added the line with "media_dir=/home/dave/Music" to /etc/minidlna.conf and
started the server. No other changes.

[root@x3 ~]# systemctl status minidlna.service 
* minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
     Loaded: loaded (/usr/lib/systemd/system/minidlna.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-10-25 09:58:31 EDT; 10s ago
   Main PID: 95574 (minidlnad)
      Tasks: 2 (limit: 19118)
     Memory: 2.9M
        CPU: 14ms
     CGroup: /system.slice/minidlna.service
             `-95574 /usr/sbin/minidlnad -S

Oct 25 09:58:31 x3.hodgins.homeip.net systemd[1]: Started MiniDLNA is a DLNA/UPnP-AV server software.
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:523: warn: Using unsupported non-utf8 locale 'en_CA'
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:1134: warn: Starting MiniDLNA version 1.3.1.
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:1182: warn: HTTP listening on port 8200


Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2022-10-28 03:49:22 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2022-10-28 08:55:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.