Bug 1196814 – VUL-0: CVE-2022-26505: minidlna: DNS rebinding in v1.3.0 and below

Bug 1196814 - (CVE-2022-26505) VUL-0: CVE-2022-26505: minidlna: DNS rebinding in v1.3.0 and below

(CVE-2022-26505)
Summary:	VUL-0: CVE-2022-26505: minidlna: DNS rebinding in v1.3.0 and below

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.4
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major (vote)
Target Milestone:	---
Assigned To:	Ruediger Oertel
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/325418/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-03-07 10:00 UTC by Thomas Leroy
Modified:	2022-03-11 02:18 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2022-03-07 10:00:42 UTC

CVE-2022-26505

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a
remote web server to exfiltrate media files.

Upstream fix commit:
https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26505
https://seclists.org/oss-sec/2022/q1/169
https://www.openwall.com/lists/oss-security/2022/03/03/1
http://www.openwall.com/lists/oss-security/2022/03/06/1
http://www.cvedetails.com/cve/CVE-2022-26505/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26505
https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/

Comment 1 Thomas Leroy 2022-03-07 10:04:01 UTC

Affected codestreams:
- openSUSE:Factory                 v1.3.0
- openSUSE:Backports:SLE-15-SP3    v1.3.0
- openSUSE:Backports:SLE-15-SP4    v1.3.0

Comment 2 Ruediger Oertel 2022-03-07 12:02:58 UTC

updating to the (not completely) released 1.3.1 version
(all files there but not tagged, no tarball release ...)

959869  State:review     By:oertel       When:2022-03-07T12:00:03
        submit:          multimedia:apps/minidlna@9d482f97932acae248742598c2e2948e -> openSUSE:Factory

959870  State:review     By:oertel       When:2022-03-07T12:01:15
        submit:          multimedia:apps/minidlna@9d482f97932acae248742598c2e2948e -> openSUSE:Backports:SLE-15-SP4

959871  State:review     By:oertel       When:2022-03-07T12:01:32
        maintenance_incident: multimedia:apps/minidlna@9d482f97932acae248742598c2e2948e -> openSUSE:Maintenance (release in openSUSE:Backports:SLE-15-SP3:Update)

Comment 3 OBSbugzilla Bot 2022-03-07 12:40:09 UTC

This is an autogenerated message for OBS integration:
This bug (1196814) was mentioned in
https://build.opensuse.org/request/show/959869 Factory / minidlna
https://build.opensuse.org/request/show/959870 Backports:SLE-15-SP4 / minidlna
https://build.opensuse.org/request/show/959871 Backports:SLE-15-SP3 / minidlna

Comment 4 Swamp Workflow Management 2022-03-11 02:18:14 UTC

openSUSE-SU-2022:0079-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1181400,1196814
CVE References: CVE-2022-26505
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    minidlna-1.3.1-bp153.2.3.1