Your message dated Thu, 30 Jul 2015 21:18:39 +0000
with message-id <e1zkvdr-0003ym...@franck.debian.org>
and subject line Bug#778669: fixed in mediatomb 0.12.1-4+deb7u1
has caused the Debian Bug report #778669,
regarding mediatomb allows anyone to browse and export the whole filesystem
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
778669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mediatomb
Version: 0.12.0~svn2018-6
Severity: grave
Tags: security
Justification: user security hole
This bug was reported to Ubuntu via Launchpad:
https://launchpad.net/bugs/569763
From the upstream documentation at http://mediatomb.cc/pages/documentation#id2856362:
"The server has an integrated filesystem browser, that means that anyone
who has access to the UI can browse your filesystem (with user
permissions under which the server is running) and also download your
data! If you want maximum security - disable the UI completely! Account
authentication offers simple protection that might hold back your kids,
but it is not secure enough for use in an untrusted environment! Note:
since the server is meant to be used in a home LAN environment the UI is
enabled by default and accounts are deactivated, thus allowing anyone on
your network to connect to the user interface."
Unfortunately, the Debian/Ubuntu packaging preserves these installation
defaults, which IMHO is incorrect behavior for a distribution. A few
ways to solve this are:
* the web UI should be disabled on new installs
* a debconf question should prompt the user to enable the web UI, but
default to 'no'
* enable the web UI, but create an account for connecting to it
Upstream doesn't seem confident in mediatomb's handling of
authentication, so it would probably make sense to not rely on it and
simply disable the feature, documenting how to enable it and the
pitfalls of enabling it in README.Debian.
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
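The exposure the report describes is entirely a matter of two attributes in mediatomb's config.xml: `<ui enabled="yes">` combined with `<accounts enabled="no">`. The following audit script is an added example, not part of the bug report or of the Debian package; it assumes the upstream 0.12 config layout (`<config><server><ui><accounts><account/></accounts></ui></server></config>` under the `http://mediatomb.cc/config/2` namespace) and uses a constructed config reproducing the pre-deb7u1 defaults.

```python
"""Audit a MediaTomb config.xml for the open-UI default from Bug#778669.

Constructed example; not code from the bug report or the mediatomb package.
Assumes the upstream 0.12 layout: <config><server><ui enabled=...>
<accounts enabled=...><account user=... password=.../></accounts></ui>.
"""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the upstream/Debian defaults before deb7u1:
# UI on, accounts off, and a well-known placeholder account.
OPEN_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<config version="2" xmlns="http://mediatomb.cc/config/2">
  <server>
    <ui enabled="yes" show-tooltips="yes">
      <accounts enabled="no" session-timeout="30">
        <account user="mediatomb" password="mediatomb"/>
      </accounts>
    </ui>
    <name>MediaTomb</name>
  </server>
</config>
"""

def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def _find(elem, name):
    """First direct child of elem with the given local tag name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)

def audit_ui(xml_text):
    """Return findings; an empty list means the filesystem browser is not
    reachable without credentials."""
    findings = []
    server = _find(ET.fromstring(xml_text), 'server')
    ui = _find(server, 'ui') if server is not None else None
    if ui is None or ui.get('enabled', 'no') != 'yes':
        return findings  # UI disabled: nothing to browse or download
    accounts = _find(ui, 'accounts')
    if accounts is None or accounts.get('enabled', 'no') != 'yes':
        findings.append('web UI enabled with accounts disabled: anyone on the '
                        'network can browse and download the whole filesystem')
        return findings
    for acct in accounts:
        if _local(acct.tag) == 'account' and \
                acct.get('password') in ('', 'mediatomb', acct.get('user')):
            findings.append('account %r uses a default or empty password'
                            % acct.get('user'))
    return findings

def disable_ui(xml_text):
    """Return the config with <ui enabled="no">, the deb7u1 default."""
    root = ET.fromstring(xml_text)
    _find(_find(root, 'server'), 'ui').set('enabled', 'no')
    return ET.tostring(root, encoding='unicode')
```

Running `audit_ui` over `/etc/mediatomb/config.xml` on a pre-deb7u1 install reports the open UI; after `disable_ui` (or the packaged fix) the audit returns nothing.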
--- Begin Message ---
Source: mediatomb
Source-Version: 0.12.1-4+deb7u1
We believe that the bug you reported is fixed in the latest version of
mediatomb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 778...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Miguel A. Colón Vélez <debian.mic...@gmail.com> (supplier of updated mediatomb
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Jul 2015 12:13:10 -0400
Source: mediatomb
Binary: mediatomb-common mediatomb-daemon mediatomb mediatomb-dbg
Architecture: source amd64 all
Version: 0.12.1-4+deb7u1
Distribution: oldstable
Urgency: high
Maintainer: Debian multimedia packages maintainers
<pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Miguel A. Colón Vélez <debian.mic...@gmail.com>
Description:
mediatomb - UPnP MediaServer (main package)
mediatomb-common - UPnP MediaServer (base package)
mediatomb-daemon - UPnP MediaServer (daemon package)
mediatomb-dbg - UPnP MediaServer (debug package)
Closes: 580120 778669
Changes:
mediatomb (0.12.1-4+deb7u1) oldstable; urgency=high
.
* Backport fix for #580120, #778669 from 0.12.1-47-g7ab7616-1 and
0.12.0~svn2018-6.1 to wheezy.
.
[ IOhannes m zmölnig ]
* Disabled User-Interface by default. (Closes: #580120, #778669)
--- End Message ---