Package: minidlna
Version: 1.3.0+dfsg-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

ReadyMedia [1] (formerly MiniDLNA) v1.3.0 and below is vulnerable to DNS 
rebinding attacks. A malicious remote web server may trick the user's browser 
into triggering arbitrary UPnP requests on the local DLNA server and observe 
the result of these actions. Moreover, the shared media files are accessible 
through DNS rebinding as well.

A remote malicious server could exploit the user's browser in order to:

* list the available media files and exfiltrate this list;
* download the media files and exfiltrate them.

This has been fixed in ReadyMedia v1.3.1.

[1] https://sourceforge.net/projects/minidlna/


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minidlna depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  libavformat58        7:4.3.3-0+deb11u1
ii  libavutil56          7:4.3.3-0+deb11u1
ii  libc6                2.31-13+deb11u2
ii  libexif12            0.6.22-3
ii  libflac8             1.3.3-2
ii  libid3tag0           0.15.1b-14
ii  libjpeg62-turbo      1:2.0.6-4
ii  libogg0              1.3.4-0.1
ii  libsqlite3-0         3.34.1-3
ii  libvorbis0a          1.3.7-1
ii  lsb-base             11.1.0

minidlna recommends no packages.

minidlna suggests no packages.
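The standard mitigation for the DNS rebinding described in the report above is to reject HTTP requests whose Host header does not name the server's own address, since a rebound browser still sends the attacker's hostname in Host:. The C function below is an added example of that check and is not code from ReadyMedia/minidlna; `own_addr` and `own_port` are assumed to be the address and port the server listens on, and a server bound to several addresses would call it once per address.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Return 1 if an HTTP "Host:" value names this server's own address
 * (optionally with its port), else 0.  A DNS-rebound browser still sends the
 * attacker's hostname in Host:, so rejecting anything else blocks the attack
 * described in the report.  Hypothetical helper, not ReadyMedia/minidlna
 * code; `host` is assumed already trimmed of surrounding whitespace. */
int host_header_allowed(const char *host, const char *own_addr, int own_port)
{
    char name[256];
    const char *end, *portstr = NULL;
    size_t len;
    if (!host || !own_addr || !*host)
        return 0;
    if (host[0] == '[') {                 /* "[ipv6]" or "[ipv6]:port" */
        end = strchr(host, ']');
        if (!end)
            return 0;
        host++;
        len = (size_t)(end - host);
        if (end[1] == ':')
            portstr = end + 2;
        else if (end[1] != '\0')
            return 0;
    } else {                              /* "name" or "name:port" */
        end = strchr(host, ':');
        len = end ? (size_t)(end - host) : strlen(host);
        if (end)
            portstr = end + 1;
    }
    if (len == 0 || len >= sizeof(name))
        return 0;
    memcpy(name, host, len);
    name[len] = '\0';
    if (strcasecmp(name, own_addr) != 0)  /* hostnames are case-insensitive */
        return 0;
    if (portstr) {                        /* an explicit port must match ours */
        char *ep;
        long p;
        if (!isdigit((unsigned char)*portstr))
            return 0;
        p = strtol(portstr, &ep, 10);
        if (*ep != '\0' || p != own_port)
            return 0;
    }
    return 1;
}
```

A request that fails this check should be answered with an error before any UPnP or media handler runs, so a rebound page can neither issue actions nor read file listings.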
