Control: severity -1 important

On Thu, 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
> Package: mediatomb-common
> Version: 0.12.1-4+b1
> Severity: critical

No need to over-estimate severity.

> File: /usr/bin/mediatomb
> Tags: security
>
> Attempt to force mediatomb to bind to a specific IP address (or interface) is
> ignored. E.g. I've tried to change setting in /etc/default/mediatomb as
> follows:
> OPTIONS="-i 10.0.10.2"
>
> and mediatomb is started with the "-i 10.0.10.2" option:
>
> $ pgrep -a mediatomb
> 17000 /usr/bin/mediatomb -c /etc/mediatomb/config.xml -d -u mediatomb -g
> mediatomb -P /var/run/mediatomb.pid -l /var/log/mediatomb.log -i 10.0.10.2
>
> but it binds to all interfaces:
>
> $ sudo netstat -anp | grep mediatomb
> tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN
> 17000/mediatomb
> udp 0 0 0.0.0.0:1900 0.0.0.0:*
> 17000/mediatomb
> udp 0 0 127.0.0.1:39862 0.0.0.0:*
> 17000/mediatomb
>
> Apparently this has been reported upstream:
>
> http://sourceforge.net/tracker/?func=detail&aid=3039645&group_id=129766&atid=715780
>
> but this is not fixed. Could the debian team please fix this issue in the
> debian package, since it is obviously a security issue?
>
>

Is the feature supposed to be supported by mediatomb (and it doesn't work) or is it not supported at all?

Regards,
-- 
Yves-Alexis
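Added example, not part of the original message or of the mediatomb package: a Python check that compares the sockets a daemon actually holds against the address it was told to bind to, which is the comparison the report makes by hand with netstat. The sample lines are constructed from the output quoted above (one socket per line), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the netstat output quoted in the report,
# plus one unrelated daemon to show filtering by program name.
SAMPLE = """\
tcp   0  0 0.0.0.0:49152    0.0.0.0:*  LISTEN  17000/mediatomb
udp   0  0 0.0.0.0:1900     0.0.0.0:*          17000/mediatomb
udp   0  0 127.0.0.1:39862  0.0.0.0:*          17000/mediatomb
tcp   0  0 127.0.0.1:631    0.0.0.0:*  LISTEN  812/cupsd
"""


def parse_sockets(netstat_text, program):
    """Yield (proto, ip, port) for listening/unconnected sockets of program."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers, unix sockets, blank lines
        # UDP rows have no State column, so the owner is read from the end.
        owner = fields[-1]
        if "/" not in owner or owner.split("/", 1)[1] != program:
            continue  # other program, or "-" when run without root
        if fields[0].startswith("tcp") and "LISTEN" not in fields:
            continue  # established TCP connections are not listeners
        # rpartition keeps IPv6 forms such as ":::49152" intact ("::", "49152").
        host, _, port = fields[3].rpartition(":")
        yield fields[0], ipaddress.ip_address(host), int(port)


def bind_violations(netstat_text, program, intended):
    """Return sockets bound to anything other than intended or loopback."""
    want = ipaddress.ip_address(intended)
    bad = []
    for proto, ip, port in parse_sockets(netstat_text, program):
        if ip == want or ip.is_loopback:
            continue
        kind = "wildcard" if ip.is_unspecified else "other-address"
        bad.append((proto, str(ip), port, kind))
    return bad


if __name__ == "__main__":
    for violation in bind_violations(SAMPLE, "mediatomb", "10.0.10.2"):
        print("unexpected bind:", violation)
```

On a live host the input would be the output of `sudo netstat -anp`; without root the PID/Program column is `-` and the socket cannot be attributed to a program.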