Package: mediatomb-common
Version: 0.12.1-4+b1
Severity: critical
File: /usr/bin/mediatomb
Tags: security

Attempt to force mediatomb to bind to a specific IP address (or interface) is ignored.

E.g. I've tried to change setting in /etc/default/mediatomb as follows:

    OPTIONS="-i 10.0.10.2"

and mediatomb is started with the "-i 10.0.10.2" option:

    $ pgrep -a mediatomb
    17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2

but it binds to all interfaces:

    $ sudo netstat -anp | grep mediatomb
    tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      17000/mediatomb
    udp        0      0 0.0.0.0:1900            0.0.0.0:*                           17000/mediatomb
    udp        0      0 127.0.0.1:39862         0.0.0.0:*                           17000/mediatomb

Apparently this has been reported upstream:

    http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780

but this is not fixed.

Could the debian team please fix this issue in the debian package, since it is obviously a security issue?

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediatomb-common depends on:
ii  libavformat53           7:0.10.3-dmo1
ii  libavutil51             7:1.0-dmo3
ii  libc6                   2.13-36
ii  libcurl3-gnutls         7.28.0-2
ii  libexif12               0.6.20-3
ii  libexpat1               2.1.0-1
ii  libffmpegthumbnailer4   2.0.7-2
ii  libgcc1                 1:4.7.2-4
ii  libjs-prototype         1.7.0-2
ii  libmagic1               5.11-2
ii  libmozjs185-1.0         1.8.5-1.0.0+dfsg-4
ii  libmysqlclient18        5.5.28+dfsg-1
ii  libsqlite3-0            3.7.14.1-1
ii  libstdc++6              4.7.2-4
ii  libtag1c2a              1.8-dmo1
ii  zlib1g                  1:1.2.7.dfsg-13

mediatomb-common recommends no packages.

mediatomb-common suggests no packages.

-- no debconf information
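
Added example (not part of the original report, and not code from the mediatomb or Debian projects): a shell check that reads `netstat -anp` output and lists the sockets of one daemon that are bound to anything other than the intended address or loopback. The function names `unexpected_binds` and `check_sample` are hypothetical; the sample lines are the three netstat lines quoted in the report.

```shell
#!/bin/sh
# Added example: flag sockets of one daemon bound outside the intended address.
# Input:  `netstat -anp` lines on stdin.
# Output: "proto local_address" for every offending socket (nothing if all is well).
# Live use (assumes net-tools netstat, run as root so PID/Program is shown):
#   sudo netstat -anp | unexpected_binds mediatomb 10.0.10.2
unexpected_binds() {
    prog=$1   # program name as shown after "PID/" in netstat, e.g. mediatomb
    want=$2   # address the daemon was told to bind to, e.g. 10.0.10.2
    awk -v prog="$prog" -v want="$want" '
        # Only tcp/udp (and tcp6/udp6) rows are of interest.
        $1 !~ /^(tcp|udp)/ { next }
        {
            # PID/Program is the last column; udp rows have no State column.
            n = split($NF, owner, "/")
            if (n < 2 || owner[2] != prog) next
            # TCP: only listening sockets accept connections. UDP has no
            # state, so every bound UDP socket is checked.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            addr = $4
            sub(/:[0-9*]+$/, "", addr)                  # drop the :port suffix
            if (addr == want) next                      # bound as configured
            if (addr ~ /^127\./ || addr == "::1") next  # loopback only
            print $1, $4
        }'
}

# Sample input: the netstat lines quoted in the report above.
sample='tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 17000/mediatomb
udp 0 0 0.0.0.0:1900 0.0.0.0:* 17000/mediatomb
udp 0 0 127.0.0.1:39862 0.0.0.0:* 17000/mediatomb'

# Runs the check over the sample with the address from OPTIONS="-i 10.0.10.2".
check_sample() {
    printf '%s\n' "$sample" | unexpected_binds mediatomb 10.0.10.2
}
```

On the sample this reports the TCP port 49152 and UDP port 1900 wildcard binds and ignores the loopback UDP socket, so it can serve as a post-start or post-upgrade check that the `-i` setting actually took effect.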