Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected

2022-07-13 Thread Marcos Raúl Carot
Thanks for that. Just tried and it works with only IP:8200

I was using localhost:8200

Cheers,
Marcos

On Wed, 13 Jul 2022 at 10:54, Oliver Freyermuth wrote:

> On Fri, 8 Jul 2022 21:50:32 +0800 Marcos Raúl Carot <
> marcos.ca...@gmail.com> wrote:
> > Oh, so there is no way now to access the web page from minidlna? Cheers.
>
> The code (as also used upstream[0]) validates that the hostname in the
> HTTP request consists only of numbers, dots or colons.
>
> Given this change, it seems the only remaining functional way is to visit
> the IPv4 IP address of the minidlna server directly,
> e.g. if your server is running at 192.168.178.32, you would visit:
>   http://192.168.178.32:8200
> in your browser.
>
> An upstream bug about this issue has been reported already at:
>   https://sourceforge.net/p/minidlna/bugs/346/
>
> [0]
> https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
>
>

-- 
Marcos R Carot


Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected

2022-07-12 Thread Oliver Freyermuth

On Fri, 8 Jul 2022 21:50:32 +0800 Marcos Raúl Carot wrote:

> Oh, so there is no way now to access the web page from minidlna? Cheers.


The code (as also used upstream[0]) validates that the hostname in the HTTP 
request consists only of numbers, dots or colons.

Given this change, it seems the only remaining functional way is to visit the 
IPv4 IP address of the minidlna server directly,
e.g. if your server is running at 192.168.178.32, you would visit:
 http://192.168.178.32:8200
in your browser.

An upstream bug about this issue has been reported already at:
 https://sourceforge.net/p/minidlna/bugs/346/

[0] 
https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
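
The check described in the message above, written out as an added C example (not minidlna's or Debian's code), next to a hypothetical allowlist variant that would let `localhost:8200` through while still refusing an unknown name. The function names, the allowlist and the `rebind.example` host are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Check as described in the thread: the Host value may contain only
 * digits, '.' and ':'. Empty or missing values are rejected. */
int host_is_numeric(const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    for (const char *p = host; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.' && *p != ':')
            return 0;
    return 1;
}

/* Hypothetical relaxation: also accept administrator-listed names,
 * case-insensitively, with an optional ":<digits>" port suffix. */
int host_is_allowed(const char *host, const char *const *names, size_t n)
{
    if (host_is_numeric(host))
        return 1;
    for (size_t i = 0; host != NULL && i < n; i++) {
        size_t len = strlen(names[i]);
        if (strncasecmp(host, names[i], len) != 0)
            continue;
        const char *rest = host + len;   /* what follows the name */
        if (*rest == '\0')
            return 1;
        if (*rest == ':' && rest[1] != '\0' &&
            strspn(rest + 1, "0123456789") == strlen(rest + 1))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample Host header values. */
    const char *const names[] = { "localhost" };
    const char *samples[] = { "192.168.178.32:8200", "localhost:8200",
                              "rebind.example:8200" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s numeric=%d allowlist=%d\n", samples[i],
               host_is_numeric(samples[i]),
               host_is_allowed(samples[i], names, 1));
    return 0;
}
```

The allowlist match is anchored at the end of the name, so a value such as `localhost.rebind.example:8200` is still refused.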



Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected

2022-07-08 Thread Diederik de Haas
On Friday 8 July 2022 15:50:32 CEST Marcos Raúl Carot wrote:
> On Fri, 8 Jul 2022 at 21:06, Diederik de Haas wrote:
> > On 25 May 2022 22:13:27 +0800 Marcos Carot wrote:
> > > Please note, this seems to be a security issue:
> > > https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
> > 
> > Isn't that the result of the patch that addresses that specific issue?
> > IIUC version 1.3.0+dfsg-2.2 was specifically to address that.
> 
> Oh, so there is no way now to access the web page from minidlna? Cheers.

I was only asking a question to make the issue more clear.
If that's the result, I can see that could be an unwanted side effect.



Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected

2022-07-08 Thread Marcos Raúl Carot
Oh, so there is no way now to access the web page from minidlna? Cheers.

On Fri, 8 Jul 2022 at 21:06, Diederik de Haas wrote:

> On 25 May 2022 22:13:27 +0800 Marcos Carot wrote:
> > Package: minidlna
> > Version: 1.3.0+dfsg-2.2
> >
> >    * What led up to the situation? browse localhost:8200
> >    * What was the outcome of this action? "not found" page shown -
> >      logs show upnphttp.c:922: error: DNS rebinding attack suspected
> >    * What outcome did you expect instead? page shown.
> >
> > Please note, this seems to be a security issue:
> > https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
>
> Isn't that the result of the patch that addresses that specific issue?
> IIUC version 1.3.0+dfsg-2.2 was specifically to address that.
>
>
> https://tracker.debian.org/news/1315039/accepted-minidlna-130dfsg-22-source-into-unstable/
>
> Changes:
>  minidlna (1.3.0+dfsg-2.2) unstable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * CVE-2022-26505
>      Validate HTTP requests to protect against DNS rebinding, thus forbid
>      a remote web server to exfiltrate media files.
>      (Closes: #1006798)
>
>
> https://salsa.debian.org/debian/minidlna/-/commit/9017019ac446b945c92a976a8dcebab3d7789927
> is the commit in the salsa repo for this.



-- 
Marcos R Carot


Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected

2022-07-08 Thread Diederik de Haas
On 25 May 2022 22:13:27 +0800 Marcos Carot wrote:
> Package: minidlna
> Version: 1.3.0+dfsg-2.2
> 
>    * What led up to the situation? browse localhost:8200
>    * What was the outcome of this action? "not found" page shown -
>      logs show upnphttp.c:922: error: DNS rebinding attack suspected
>    * What outcome did you expect instead? page shown.
> 
> Please note, this seems to be a security issue:
> https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090

Isn't that the result of the patch that addresses that specific issue?
IIUC version 1.3.0+dfsg-2.2 was specifically to address that.

https://tracker.debian.org/news/1315039/accepted-minidlna-130dfsg-22-source-into-unstable/

Changes:
 minidlna (1.3.0+dfsg-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2022-26505
     Validate HTTP requests to protect against DNS rebinding, thus forbid
     a remote web server to exfiltrate media files.
     (Closes: #1006798)

https://salsa.debian.org/debian/minidlna/-/commit/9017019ac446b945c92a976a8dcebab3d7789927
is the commit in the salsa repo for this.



Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected

2022-05-25 Thread Marcos Carot
Package: minidlna
Version: 1.3.0+dfsg-2.2
Severity: important
X-Debbugs-Cc: marcos.ca...@gmail.com

Dear Maintainer,


   * What led up to the situation? browse localhost:8200
   * What was the outcome of this action? "not found" page shown - logs show 
upnphttp.c:922: error: DNS rebinding attack suspected
   * What outcome did you expect instead? page shown.

Please note, this seems to be a security issue: 
https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:es:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minidlna depends on:
ii  adduser              3.121
ii  init-system-helpers  1.62
ii  libavformat58        7:4.4.2-1
ii  libavutil56          7:4.4.2-1
ii  libc6                2.33-7
ii  libexif12            0.6.24-1
ii  libflac8             1.3.4-1
ii  libid3tag0           0.15.1b-14
ii  libjpeg62-turbo      1:2.1.2-1
ii  libogg0              1.3.4-0.1
ii  libsqlite3-0         3.38.5-1
ii  libvorbis0a          1.3.7-1
ii  lsb-base             11.1.0

minidlna recommends no packages.

minidlna suggests no packages.

-- Configuration Files:
/etc/minidlna.conf changed [not included]

-- no debconf information