git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commit

author	Adolf Belka <adolf.belka@ipfire.org>
	Sat, 30 Apr 2022 17:34:58 +0000 (19:34 +0200)
committer	Peter Müller <peter.mueller@ipfire.org>
	Sun, 1 May 2022 08:45:12 +0000 (08:45 +0000)
commit	e1e94ae75b5cb4835d9a35a7c054db66778a8114
tree	4973372ec8d54688616a3bf75d7f4bcb5d3cac1d	tree \| snapshot
parent	53736cfe67a21848b095746b123119c96b2d5dac	commit \| diff

minidlna: Addition of patches to fix CVE-2022-26505

- CVE-2022-26505  A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
   allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
- minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for
   version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on
   14th March 2022 in the source forge support system asking to "Please publish a tarball
   for 1.3.1" but there was no reply from the developer so far.
- In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but
   the link to the sourceforge page is only the patches applied for the fix
- I used those diff descriptions to create a patch to implement on the existing 1.3.0
   version in IPFire and this patch submission applies that fix
- Incremented the lfs PAK_VER

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

lfs/minidlna		diff \| blob \| blame \| history
src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch	[new file with mode: 0644]	blob