Package: minidlna
Version: 1.3.0+dfsg-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
ReadyMedia [1] (formerly MiniDLNA) v1.3.0 and below is vulnerable to DNS rebinding attacks. A malicious remote web server may trick the user's browser into triggering arbitrary UPnP requests on the local DLNA server and observe the result of these actions. Moreover, the shared media files are accessible through DNS rebinding as well. A remote malicious server could therefore use the user's browser to:

* list the available media files and exfiltrate this list;
* download the media files and exfiltrate them.

This has been fixed in ReadyMedia v1.3.1.

[1] https://sourceforge.net/projects/minidlna/

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minidlna depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  libavformat58        7:4.3.3-0+deb11u1
ii  libavutil56          7:4.3.3-0+deb11u1
ii  libc6                2.31-13+deb11u2
ii  libexif12            0.6.22-3
ii  libflac8             1.3.3-2
ii  libid3tag0           0.15.1b-14
ii  libjpeg62-turbo      1:2.0.6-4
ii  libogg0              1.3.4-0.1
ii  libsqlite3-0         3.34.1-3
ii  libvorbis0a          1.3.7-1
ii  lsb-base             11.1.0

minidlna recommends no packages.

minidlna suggests no packages.
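The standard server-side defence against the DNS rebinding issue described above is to refuse any HTTP request whose Host header does not name one of the daemon's own IP addresses, since a rebound request always arrives carrying the attacker's hostname. The check below is an added example in C, not minidlna's own code; the bound_addrs list is constructed for the example and would normally be filled from the interfaces the server listens on.

```c
#include <ctype.h>
#include <string.h>

/* Addresses this DLNA server is bound to (constructed for the example). */
static const char *const bound_addrs[] = { "192.168.1.10", "127.0.0.1", NULL };

/* Return 1 if the Host header value is one of our bound IPv4 literals,
 * optionally followed by ":port"; 0 otherwise. Hostnames are rejected
 * outright: a LAN DLNA server is addressed by IP, and an attacker-controlled
 * name is exactly what DNS rebinding relies on. */
int host_header_is_local(const char *host)
{
    char buf[64];
    size_t len, i;
    const char *colon;

    if (host == NULL)
        return 0;
    while (*host == ' ' || *host == '\t')   /* skip space after "Host:" */
        host++;
    colon = strchr(host, ':');
    len = colon ? (size_t)(colon - host) : strlen(host);
    while (len > 0 && isspace((unsigned char)host[len - 1]))  /* drop CRLF */
        len--;
    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, host, len);
    buf[len] = '\0';
    for (i = 0; i < len; i++)               /* IPv4 literal: digits and dots */
        if (!isdigit((unsigned char)buf[i]) && buf[i] != '.')
            return 0;
    if (colon) {                            /* port, if present, is numeric */
        const char *p = colon + 1;
        if (*p == '\0' || isspace((unsigned char)*p))
            return 0;
        for (; *p && !isspace((unsigned char)*p); p++)
            if (!isdigit((unsigned char)*p))
                return 0;
    }
    for (i = 0; bound_addrs[i]; i++)
        if (strcmp(buf, bound_addrs[i]) == 0)
            return 1;
    return 0;                               /* not one of our addresses */
}
```

A server would call this once per request before dispatching any UPnP control or media path and answer 403 on failure.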