Bug#580120: marked as done (mediatomb allows anyone to browse and export the whole filesystem)

Your message dated Thu, 30 Jul 2015 21:18:39 + with message-id and subject line Bug#778669: fixed in mediatomb 0.12.1-4+deb7u1 has caused the Debian Bug report #778669, regarding mediatomb allows anyone to browse and export the whole filesystem to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
778669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763

From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment!

Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution.

A few ways to solve this are:
* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but default to 'no'
* enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of authentication, so it would probably make sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---

--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.1-4+deb7u1

We believe that the bug you reported is fixed in the latest version of mediatomb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 778...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel A. Colón Vélez (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Jul 2015 12:13:10 -0400
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb mediatomb-dbg
Architecture: source amd64 all
Version: 0.12.1-4+deb7u1
Distribution: oldstable
Urgency: high
Maintainer: Debian multimedia packages maintainers
Changed-By: Miguel A. Colón Vélez
Description:
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
 mediatomb-dbg - UPnP MediaServer (debug package)
Closes: 580120 778669
Changes:
 mediatomb (0.12.1-4+deb7u1) oldstable; urgency=high
 .
   * Backport fix for #580120, #778669 from 0.12.1-47-g7ab7616-1 and
     0.12.0~svn2018-6.1 to wheezy.
 .
   [ IOhannes m zmölnig ]
   * Disabled User-Interface by default. (Closes: #580120, #778669)
Checksums-Sha1:
 8530e03865ad66e2faf6c7bc16503be49cd645d2 2478 mediatomb_0.12.1-4+deb7u1.dsc
 70bdd03f026fc51891db36c1df95fb87adcaa4ea 32002 mediatomb_0.12.1-4+deb7u1.debian.tar.gz
 5987ee60de03cd28c260a4f557fc647c4598c69f 951164 mediatomb-common_0.12.1-4+deb7u1_amd64.deb
 fb6f8848b5e16fd9b999b4dab31aaf29bd49d268 26526 mediatomb-daemon_0.12.1-4+deb7u1_all.deb
 eb5d85f8b31abacac9487d47f7ebb200f27d0024 23878 mediatomb_0.12.1-4+deb7u1_all.deb
 17fb61a65a0f38b9f6d887d501ab7423881e6f24 2828800 mediatomb-dbg_0.12.1-4+deb7u1_amd64.deb
Checksums-Sha256:
 9df31bcf91f7b84c29996ddc350eef8a6e3ad6887ffab72b09cdf5e76a9c34a9 2478
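The issue in the report above is purely a configuration default: UI enabled, accounts disabled, listener reachable by the whole LAN. The following is an added example, not code from the bug report, the Debian packaging or the mediatomb project: a small Python audit that parses a mediatomb config.xml, flags the combination the report describes, and produces the hardened form corresponding to the Debian fix (UI disabled). The element and attribute names (`<ui enabled="...">`, `<accounts enabled="...">`) and the `http://mediatomb.cc/config/2` namespace follow the mediatomb config.xml layout as I recall it and are assumptions; the sample config is constructed for the example.

```python
"""Audit a mediatomb config.xml for the exposed-UI default from Debian #580120.

Assumed layout (not taken from the bug report):
  <config xmlns="http://mediatomb.cc/config/2"><server>
    <ui enabled="yes|no"><accounts enabled="yes|no">...</accounts></ui>
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the upstream default the report complains about:
# UI on, accounts off, so anyone reaching the UI port gets the filesystem browser.
SAMPLE_DEFAULT_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config version="2" xmlns="http://mediatomb.cc/config/2">
  <server>
    <ui enabled="yes" show-tooltips="yes">
      <accounts enabled="no" session-timeout="30">
        <account user="mediatomb" password="mediatomb"/>
      </accounts>
    </ui>
    <name>MediaTomb</name>
  </server>
</config>
"""


def _local_name(tag):
    """'{http://mediatomb.cc/config/2}ui' -> 'ui'; un-namespaced tags pass through."""
    return tag.rsplit("}", 1)[-1]


def _find_first(node, name):
    """First element (node itself or a descendant) whose local name is `name`,
    ignoring the namespace so the audit works with or without an xmlns."""
    for el in node.iter():
        if _local_name(el.tag) == name:
            return el
    return None


def _enabled(el):
    """mediatomb uses enabled="yes"/"no"; a missing element or any other
    value is treated as not enabled."""
    return el is not None and (el.get("enabled") or "").strip().lower() == "yes"


def audit(config_xml):
    """Return a list of findings; an empty list means the UI is switched off."""
    root = ET.fromstring(config_xml)
    ui = _find_first(root, "ui")
    if not _enabled(ui):
        return []  # UI disabled: the built-in filesystem browser is unreachable
    accounts = _find_first(ui, "accounts")
    if not _enabled(accounts):
        return ["ui enabled and accounts disabled: anyone who can reach the UI "
                "port can browse and download files as the mediatomb user"]
    return ["ui enabled with account authentication: upstream documents this "
            "as not secure enough for an untrusted network; disable the UI "
            "unless the listener is restricted to trusted hosts"]


def harden(config_xml):
    """Return the config with the UI switched off, the same default the
    Debian packaging change in this bug applies."""
    root = ET.fromstring(config_xml)
    # Re-register the document's default namespace so the output keeps
    # xmlns="..." instead of an ns0: prefix.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    ui = _find_first(root, "ui")
    if ui is not None:
        ui.set("enabled", "no")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEFAULT_CONFIG):
        print("FINDING:", finding)
    print(harden(SAMPLE_DEFAULT_CONFIG))
```

Run it against `/etc/mediatomb/config.xml` (or the per-user `~/.mediatomb/config.xml`) by passing the file contents to `audit()`; a hardened copy from `harden()` still needs a service restart to take effect. Matching on local names rather than the full namespaced tag is deliberate: configs written by hand often drop the `xmlns`, and an audit that silently finds nothing in that case would report the insecure default as clean.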
Bug#580120: marked as done (mediatomb allows anyone to browse and export the whole filesystem)

Your message dated Thu, 30 Jul 2015 21:18:39 + with message-id and subject line Bug#580120: fixed in mediatomb 0.12.1-4+deb7u1 has caused the Debian Bug report #580120, regarding mediatomb allows anyone to browse and export the whole filesystem to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
580120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763

From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment!

Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution.

A few ways to solve this are:
* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but default to 'no'
* enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of authentication, so it would probably make sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---

--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.1-4+deb7u1

We believe that the bug you reported is fixed in the latest version of mediatomb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 580...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel A. Colón Vélez (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Jul 2015 12:13:10 -0400
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb mediatomb-dbg
Architecture: source amd64 all
Version: 0.12.1-4+deb7u1
Distribution: oldstable
Urgency: high
Maintainer: Debian multimedia packages maintainers
Changed-By: Miguel A. Colón Vélez
Description:
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
 mediatomb-dbg - UPnP MediaServer (debug package)
Closes: 580120 778669
Changes:
 mediatomb (0.12.1-4+deb7u1) oldstable; urgency=high
 .
   * Backport fix for #580120, #778669 from 0.12.1-47-g7ab7616-1 and
     0.12.0~svn2018-6.1 to wheezy.
 .
   [ IOhannes m zmölnig ]
   * Disabled User-Interface by default. (Closes: #580120, #778669)
Checksums-Sha1:
 8530e03865ad66e2faf6c7bc16503be49cd645d2 2478 mediatomb_0.12.1-4+deb7u1.dsc
 70bdd03f026fc51891db36c1df95fb87adcaa4ea 32002 mediatomb_0.12.1-4+deb7u1.debian.tar.gz
 5987ee60de03cd28c260a4f557fc647c4598c69f 951164 mediatomb-common_0.12.1-4+deb7u1_amd64.deb
 fb6f8848b5e16fd9b999b4dab31aaf29bd49d268 26526 mediatomb-daemon_0.12.1-4+deb7u1_all.deb
 eb5d85f8b31abacac9487d47f7ebb200f27d0024 23878 mediatomb_0.12.1-4+deb7u1_all.deb
 17fb61a65a0f38b9f6d887d501ab7423881e6f24 2828800 mediatomb-dbg_0.12.1-4+deb7u1_amd64.deb
Checksums-Sha256:
 9df31bcf91f7b84c29996ddc350eef8a6e3ad6887ffab72b09cdf5e76a9c34a9 2478
Bug#580120: marked as done (mediatomb allows anyone to browse and export the whole filesystem)

Your message dated Mon, 13 Jul 2015 18:04:36 + with message-id and subject line Bug#778669: fixed in mediatomb 0.12.1-47-g7ab7616-1 has caused the Debian Bug report #778669, regarding mediatomb allows anyone to browse and export the whole filesystem to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
778669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763

From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment!

Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution.

A few ways to solve this are:
* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but default to 'no'
* enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of authentication, so it would probably make sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---

--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.1-47-g7ab7616-1

We believe that the bug you reported is fixed in the latest version of mediatomb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 778...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hector Oron (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Jul 2015 19:41:42 +0200
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb mediatomb-dbg
Architecture: source i386 all
Version: 0.12.1-47-g7ab7616-1
Distribution: unstable
Urgency: medium
Maintainer: Debian multimedia packages maintainers
Changed-By: Hector Oron
Description:
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
 mediatomb-dbg - UPnP MediaServer (debug package)
Closes: 580120 730391 778669
Changes:
 mediatomb (0.12.1-47-g7ab7616-1) unstable; urgency=medium
 .
   [ Miguel A. Colón Vélez ]
   * New upstream snapshot.
     - Added subtitle support for Samsung devices. (Closes: #730391)
   * debian/control:
     - Build depend on pkg-config to fix FTBFS.
     - Explicitly build depend on libavutil-dev.
     - Bump libav requirement to 10.
     - Build depend on libflac-dev to enable FLAC metadata extraction.
     - Build depend on uuid-dev to use the system's libuuid.
   * debian/patches:
     - Refresh and update all patches.
     - Use a more robust patch for building with libmp4v2.
     - Revert an upstream commit to fix building with libmp4v2.
     - Drop internal libuuid and use the system's libuuid.
     - Drop patches that were fixed upstream:
       + 0005_buffer_overrun_999hours.patch
       + 0006a_js_1.8_support.patch
       + 0006b_js_parse.patch
       + 0006c_j
Bug#580120: marked as done (mediatomb allows anyone to browse and export the whole filesystem)

Your message dated Mon, 13 Jul 2015 18:04:36 + with message-id and subject line Bug#580120: fixed in mediatomb 0.12.1-47-g7ab7616-1 has caused the Debian Bug report #580120, regarding mediatomb allows anyone to browse and export the whole filesystem to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
580120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763

From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment!

Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution.

A few ways to solve this are:
* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but default to 'no'
* enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of authentication, so it would probably make sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---

--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.1-47-g7ab7616-1

We believe that the bug you reported is fixed in the latest version of mediatomb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 580...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hector Oron (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Jul 2015 19:41:42 +0200
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb mediatomb-dbg
Architecture: source i386 all
Version: 0.12.1-47-g7ab7616-1
Distribution: unstable
Urgency: medium
Maintainer: Debian multimedia packages maintainers
Changed-By: Hector Oron
Description:
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
 mediatomb-dbg - UPnP MediaServer (debug package)
Closes: 580120 730391 778669
Changes:
 mediatomb (0.12.1-47-g7ab7616-1) unstable; urgency=medium
 .
   [ Miguel A. Colón Vélez ]
   * New upstream snapshot.
     - Added subtitle support for Samsung devices. (Closes: #730391)
   * debian/control:
     - Build depend on pkg-config to fix FTBFS.
     - Explicitly build depend on libavutil-dev.
     - Bump libav requirement to 10.
     - Build depend on libflac-dev to enable FLAC metadata extraction.
     - Build depend on uuid-dev to use the system's libuuid.
   * debian/patches:
     - Refresh and update all patches.
     - Use a more robust patch for building with libmp4v2.
     - Revert an upstream commit to fix building with libmp4v2.
     - Drop internal libuuid and use the system's libuuid.
     - Drop patches that were fixed upstream:
       + 0005_buffer_overrun_999hours.patch
       + 0006a_js_1.8_support.patch
       + 0006b_js_parse.patch
       + 0006c_j
Bug#580120: marked as done (mediatomb allows anyone to browse and export the whole filesystem)

Your message dated Fri, 23 Jul 2010 16:32:20 + with message-id and subject line Bug#580120: fixed in mediatomb 0.12.0~svn2018-6.1 has caused the Debian Bug report #580120, regarding mediatomb allows anyone to browse and export the whole filesystem to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
580120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole

This bug was reported to Ubuntu via Launchpad: https://launchpad.net/bugs/569763

From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:

"The server has an integrated filesystem browser, that means that anyone who has access to the UI can browse your filesystem (with user permissions under which the server is running) and also download your data! If you want maximum security - disable the UI completely! Account authentication offers simple protection that might hold back your kids, but it is not secure enough for use in an untrusted environment!

Note: since the server is meant to be used in a home LAN environment the UI is enabled by default and accounts are deactivated, thus allowing anyone on your network to connect to the user interface."

Unfortunately, the Debian/Ubuntu packaging preserves these installation defaults, which IMHO is incorrect behavior for a distribution.

A few ways to solve this are:
* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but default to 'no'
* enable the web UI, but create an account for connecting to it

Upstream doesn't seem confident in mediatomb's handling of authentication, so it would probably make sense to not rely on it and simply disable the feature, documenting how to enable it and the pitfalls of enabling it in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---

--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.0~svn2018-6.1

We believe that the bug you reported is fixed in the latest version of mediatomb, which is due to be installed in the Debian FTP archive:

mediatomb-common_0.12.0~svn2018-6.1_amd64.deb
  to main/m/mediatomb/mediatomb-common_0.12.0~svn2018-6.1_amd64.deb
mediatomb-daemon_0.12.0~svn2018-6.1_all.deb
  to main/m/mediatomb/mediatomb-daemon_0.12.0~svn2018-6.1_all.deb
mediatomb_0.12.0~svn2018-6.1.debian.tar.gz
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-6.1.debian.tar.gz
mediatomb_0.12.0~svn2018-6.1.dsc
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-6.1.dsc
mediatomb_0.12.0~svn2018-6.1_all.deb
  to main/m/mediatomb/mediatomb_0.12.0~svn2018-6.1_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 580...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (supplier of updated mediatomb package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 Jul 2010 15:52:21 +0200
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb
Architecture: source amd64 all
Version: 0.12.0~svn2018-6.1
Distribution: unstable
Urgency: low
Maintainer: Debian multimedia packages maintainers
Changed-By: Alexander Reichle-Schmehl
Description:
 mediatomb  - UPnP MediaServer (main package)
 mediatomb-common - UPnP MediaServer (base package)
 mediatomb-daemon - UPnP MediaServer (daemon package)
Closes: 580120
Changes:
 mediatomb (0.12.0~svn2018-6.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Disable user interface (Closes: #580120)
Checksums-Sha1:
 21e4e000ab9effa944b9ab208b86e8400346e4b0 1671 mediatomb_0.12.0~svn2018-6.1.dsc
 ea373011544e2077781f8eb4dec0c4b1173b717b 243019 mediatomb_0.12.0~svn2018-6.1.debian.tar.gz
 c2fff651a85ec2e39c20e55aea06df9798e7 1027800 mediatomb-common_0.12.0~svn2018-6.1_amd64.deb
 4bbd63d801cf938d4f