Your message dated Fri, 23 Jul 2010 16:32:20 +0000
with message-id <e1oclaa-0005aw...@franck.debian.org>
and subject line Bug#580120: fixed in mediatomb 0.12.0~svn2018-6.1
has caused the Debian Bug report #580120,
regarding mediatomb allows anyone to browse and export the whole filesystem
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
580120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad:
https://launchpad.net/bugs/569763

From the upstream documentation at
http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone
who has access to the UI can browse your filesystem (with user
permissions under which the server is running) and also download your
data! If you want maximum security - disable the UI completely! Account
authentication offers simple protection that might hold back your kids,
but it is not secure enough for use in an untrusted environment! Note:
since the server is meant to be used in a home LAN environment the UI is
enabled by default and accounts are deactivated, thus allowing anyone on
your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation
defaults, which IMHO is incorrect behavior for a distribution. A few
ways to solve this are:
 * the web UI should be disabled on new installs
 * a debconf question should prompt the user to enable the web UI, but
   default to 'no'
 * enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of
authentication, so it would probably make sense to not rely on it and
simply disable the feature, documenting how to enable it and the
pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
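
An added example, not part of the bug report or of the Debian package: a small audit that classifies a MediaTomb configuration by the two settings the report is about. The element and attribute names (`<server>`, `<ui enabled>`, `<accounts enabled>`) assume MediaTomb's config.xml layout, the sample configs are constructed, and a missing element is treated as the upstream default quoted in the report (UI on, accounts off).

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the page). Element and attribute
# names assume MediaTomb's config.xml layout: <config><server><ui><accounts>.
SHIPPED = """<config xmlns="http://mediatomb.cc/config/1">
  <server><ui enabled="yes"><accounts enabled="no"/></ui></server>
</config>"""
UI_OFF = SHIPPED.replace('<ui enabled="yes">', '<ui enabled="no">')
WITH_ACCOUNTS = SHIPPED.replace('<accounts enabled="no"/>',
                                '<accounts enabled="yes"/>')
NO_UI_ELEMENT = '<config xmlns="http://mediatomb.cc/config/1"><server/></config>'


def _child(parent, name):
    """Return the first child called `name`, ignoring any XML namespace."""
    if parent is None:
        return None
    for elem in parent:
        if elem.tag.rsplit("}", 1)[-1] == name:
            return elem
    return None


def _enabled(elem, default):
    """Read enabled="yes|no"; fall back to the upstream default when absent."""
    if elem is None or elem.get("enabled") is None:
        return default
    return elem.get("enabled").strip().lower() == "yes"


def audit_ui(config_xml):
    """Classify a config as ("ok" | "warn" | "fail", reason)."""
    server = _child(ET.fromstring(config_xml), "server")
    ui = _child(server, "ui")
    # Defaults per the quoted upstream text: UI on, accounts off.
    if not _enabled(ui, default=True):
        return ("ok", "web UI disabled")
    if not _enabled(_child(ui, "accounts"), default=False):
        return ("fail", "web UI enabled without accounts: filesystem browsable")
    return ("warn", "web UI enabled with accounts, which upstream calls weak")


if __name__ == "__main__":
    for name in ("SHIPPED", "UI_OFF", "WITH_ACCOUNTS", "NO_UI_ELEMENT"):
        print(name, audit_ui(globals()[name]))
```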
--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.0~svn2018-6.1

We believe that the bug you reported is fixed in the latest version of
mediatomb, which is due to be installed in the Debian FTP archive:

mediatomb-common_0.12.0~svn2018-6.1_amd64.deb
  to main/m/mediatomb/mediatomb-common_0.12.0~svn2018-6.1_amd64.deb
mediatomb-daemon_0.12.0~svn2018-6.1_all.deb
  to main/m/mediatomb/mediatomb-daemon_0.12.0~svn2018-6.1_all.deb
mediatomb_0.12.0~svn2018-6.1.debian.tar.gz
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-6.1.debian.tar.gz
mediatomb_0.12.0~svn2018-6.1.dsc
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-6.1.dsc
mediatomb_0.12.0~svn2018-6.1_all.deb
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-6.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 580...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <toli...@debian.org> (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 Jul 2010 15:52:21 +0200
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb
Architecture: source amd64 all
Version: 0.12.0~svn2018-6.1
Distribution: unstable
Urgency: low
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alexander Reichle-Schmehl <toli...@debian.org>
Description: 
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
Closes: 580120
Changes: 
 mediatomb (0.12.0~svn2018-6.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Disable user interface (Closes: #580120)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxAfxYACgkQBxd04ADYzRbKsQCgsrXckILyX7YpDH9x+eDnhZrD
nb4AoLJPP2+LcV4/As9rNKPi33bQKx2h
=+AtQ
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers
