(sorry for the duplicate email - forgot to send a CC to bugs.debian.org)

On Thu, Nov 15, 2012 at 4:15 PM, Yves-Alexis Perez <cor...@debian.org> wrote:
> Control: severity -1 important
>
> On Thu., 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
>> Package: mediatomb-common
>> Version: 0.12.1-4+b1
>> Severity: critical
>
> No need to over-estimate severity.

Critical is described as "makes unrelated software on the system (or the whole system) break, or causes serious data loss, or introduces a security hole on systems where you install the package."

I think that it falls into this category, since if I have mediatomb running, it exposes its web interface to the public. Its web interface is listening on port 49152, and if the system where mediatomb is installed has an external IP, it exposes this web interface to anyone on the internet, and I think it's a security hole.

So please change it back to critical, or explain why you think it is not a security hole.

>> File: /usr/bin/mediatomb
>> Tags: security
>>
>> An attempt to force mediatomb to bind to a specific IP address (or interface) is
>> ignored. E.g. I've tried to change the setting in /etc/default/mediatomb as
>> follows:
>>
>> OPTIONS="-i 10.0.10.2"
>>
>> and mediatomb is started with the "-i 10.0.10.2" option:
>>
>> $ pgrep -a mediatomb
>> 17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2
>>
>> but it binds to all interfaces:
>>
>> $ sudo netstat -anp | grep mediatomb
>> tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
>> udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
>> udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
>>
>> Apparently this has been reported upstream:
>>
>> http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780
>>
>> but this is not fixed. Could the Debian team please fix this issue in the
>> Debian package, since it is obviously a security issue?
>
> Is the feature supposed to be supported by mediatomb (and it doesn't
> work) or is it not supported at all?

The feature is supposed to be supported by mediatomb, and it doesn't work. The option --ip apparently has no effect at all. (And possibly the same with the --interface option.)

> Regards,
> --
> Yves-Alexis

Best wishes,
Vladimir
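The check the reporter did by hand (start the daemon with a bind address, then confirm with `netstat -anp` what it actually listens on) is worth scripting, because a daemon that silently ignores its bind option is exactly the kind of regression that reappears after an upgrade. The script below is an added example, not part of the bug report or of the mediatomb package: it parses `netstat -anp`-style output, lists every socket of a named process that is bound to a wildcard address, and checks that all of a process's sockets are confined to an expected IP (or loopback). The sample `netstat` text is constructed to mirror the report (PID 17000 on 0.0.0.0) plus two hypothetical processes, `mediatomb-fixed` and `cupsd`, for contrast.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output, modeled on the bug report.
# The `mediatomb-fixed` and `cupsd` lines are hypothetical, added for contrast.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb
tcp        0      0 10.0.10.2:49152         0.0.0.0:*               LISTEN      17001/mediatomb-fixed
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd'

# wildcard_sockets PROCNAME [NETSTAT_TEXT]
# Prints "proto local_addr:port" for every socket owned by PROCNAME whose local
# address is a wildcard (0.0.0.0, :: or *), i.e. reachable on every interface.
# Reads NETSTAT_TEXT when given, otherwise runs `netstat -anp` live.
wildcard_sockets() {
    proc="$1"
    if [ -n "$2" ]; then input="$2"; else input="$(netstat -anp 2>/dev/null)"; fi
    printf '%s\n' "$input" | awk -v proc="$proc" '
        # last field is "PID/program"; match the program name exactly
        $NF ~ ("/" proc "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # drop ":port", keep the address
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                print $1, $4
        }'
}

# check_bind PROCNAME EXPECTED_IP [NETSTAT_TEXT]
# Returns 0 if every socket of PROCNAME is bound to EXPECTED_IP or to loopback,
# 1 (and lists the offenders) if any socket sits on a wildcard or other address.
check_bind() {
    proc="$1"; want="$2"; input="$3"
    if [ -z "$input" ]; then input="$(netstat -anp 2>/dev/null)"; fi
    bad=$(printf '%s\n' "$input" | awk -v proc="$proc" -v want="$want" '
        $NF ~ ("/" proc "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)
            if (addr != want && addr != "127.0.0.1" && addr != "::1")
                print $1, $4
        }')
    if [ -n "$bad" ]; then
        printf 'NOT confined to %s:\n%s\n' "$want" "$bad"
        return 1
    fi
    printf 'all %s sockets are on %s or loopback\n' "$proc" "$want"
    return 0
}

# Demonstration on the constructed sample: mediatomb fails, mediatomb-fixed passes.
check_bind mediatomb 10.0.10.2 "$SAMPLE_NETSTAT" || true
check_bind mediatomb-fixed 10.0.10.2 "$SAMPLE_NETSTAT"
```

Run with no second argument to inspect the live system; `netstat -anp` only shows PID/program names for processes you own unless run as root, so a non-root run will silently report nothing for a daemon running as the `mediatomb` user. On systems without `netstat`, `ss -anp` produces a compatible address column but a different field layout, so adjust the `$4`/`$NF` positions accordingly. The loopback exemption is deliberate: the `127.0.0.1:39862` UDP socket in the report is not exposed externally and should not fail the check.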