Summary: | <net-misc/minidlna-1.3.1: DNS rebinding vulnerability | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | peteru <bugs.gentoo.org> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mgorny, sam |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://sourceforge.net/p/minidlna/git/ci/v1_3_1/tree/ | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=736226 | ||
Whiteboard: | B3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 842783 | ||
Bug Blocks: |
Description
peteru
2022-03-06 03:05:53 UTC
News: 1.3.1 - Released 11-Feb-2022 -------------------------------- - Fixed a potential crash in SSDP request parsing. - Fixed a configure script failure on some platforms. - Protect against DNS rebinding attacks. - Fix an socket leakage issue on some platforms. - Minor bug fixes. (In reply to Sam James from comment #1) > News: > > 1.3.1 - Released 11-Feb-2022 > -------------------------------- > - Fixed a potential crash in SSDP request parsing. Is this CVE-2021-27202 (bug 736226)? > - Fixed a configure script failure on some platforms. > - Protect against DNS rebinding attacks. > - Fix an socket leakage issue on some platforms. > - Minor bug fixes. CVE-2022-26505 (https://www.openwall.com/lists/oss-security/2022/03/03/1): A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. It seems that the release was never really published though: https://sourceforge.net/p/minidlna/support-requests/78/ cleanup done. Thanks! The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=366b6b3c7d9599739538780d8fd82308c8c20893 commit 366b6b3c7d9599739538780d8fd82308c8c20893 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-11-25 10:21:19 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-11-25 10:21:47 +0000 [ GLSA 202311-12 ] MiniDLNA: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/834642 Bug: https://bugs.gentoo.org/907926 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202311-12.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) |