On jeu., 2012-11-15 at 16:48 +0400, Vladimir Volovich wrote:
> (sorry for the duplicate email - forgot to send a CC to bugs.debian.org)
>
> On Thu, Nov 15, 2012 at 4:15 PM, Yves-Alexis Perez <cor...@debian.org> wrote:
> > Control: severity -1 important
> >
> > On jeu., 2012-11-15 at 12:57 +0400, Vladimir Volovich wrote:
> >> Package: mediatomb-common
> >> Version: 0.12.1-4+b1
> >> Severity: critical
> >
> > No need to over-estimate severity.
>
> Critical is described as "makes unrelated software on the system (or
> the whole system) break, or causes serious data loss, or introduces a
> security hole on systems where you install the package."
>
> I think that it falls into this category, since if I have mediatomb
> running, it exposes its web interface to the public. Its web interface
> is listening on port 49152 and if the system where mediatomb is
> installed has an external IP, it exposes this web interface to anyone
> on the internet, and I think it's a security hole.
>
> So please change it back to critical, or explain why you think it is
> not a security hole.
Well, by itself this is not a security bug, unless the interface itself
is buggy. I agree it might not be a good idea to expose this to everyone,
and we usually prefer to not bind on all interfaces when possible, but
that doesn't make it a security hole.

> > Is the feature supposed to be supported by mediatomb (and it doesn't
> > work) or is it not supported at all?
>
> The feature is supposed to be supported by mediatomb, and it doesn't
> work. The option --ip apparently has no effect at all. (And possibly
> the same with the --interface option).
>

Thanks.
-- 
Yves-Alexis
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
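The check underlying the thread (whether the mediatomb web interface on port 49152 is bound to a wildcard address or only to the address given with --ip) can be verified from `ss -ltnp` output. The following is an added example, not part of the original mail or of the mediatomb package; it assumes the `ss -ltnp` column layout and uses a constructed sample of that output.

```python
import re
from typing import Dict, List

# Constructed sample of `ss -ltnp` output (not captured from a real host):
# line 1 shows the reported behaviour (wildcard bind despite --ip),
# line 2 shows what a working `--ip 127.0.0.1` should produce.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:49152       0.0.0.0:*          users:(("mediatomb",pid=1234,fd=7))
LISTEN  0       128     127.0.0.1:49152     0.0.0.0:*          users:(("mediatomb",pid=1234,fd=8))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=800,fd=3))
"""

# Addresses that mean "every interface" in ss/netstat output.
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Parse `ss -ltnp` style lines into process / address / port records."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local Address:Port; split on the last colon so IPv6 literals survive.
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:((...))
        listeners.append({
            "process": match.group(1) if match else "?",
            "addr": addr,
            "port": int(port),
        })
    return listeners


def exposed_listeners(ss_output: str, process: str, port: int) -> List[str]:
    """Return the wildcard addresses on which `process` listens on `port`.

    An empty list means the daemon honoured its bind address; a non-empty
    list means the port is reachable on every interface of the host.
    """
    return [
        entry["addr"]
        for entry in parse_listeners(ss_output)
        if entry["process"] == process
        and entry["port"] == port
        and entry["addr"] in WILDCARDS
    ]
```

Run it against live output with `exposed_listeners(subprocess.check_output(["ss", "-ltnp"], text=True), "mediatomb", 49152)` after restarting the daemon with --ip set.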