[Bug 270998] net/minidlna: update to avoid bug introduced <= 1.3.2

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 22 Apr 2023 11:44:13 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270998

            Bug ID: 270998
           Summary: net/minidlna: update to avoid bug introduced <= 1.3.2
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: glebius@FreeBSD.org
          Reporter: t.m.guymer@thomasguymer.co.uk
          Assignee: glebius@FreeBSD.org
             Flags: maintainer-feedback?(glebius@FreeBSD.org)

Hi,

The web interface no longer works if connecting via example.com:8200 due to an
overzealous DNS rebinding attack check recently introduced in MiniDLNA.
Connecting via 1.2.3.4:8200 still works fine though. There is a good discussion
of the issue over on the Debian bug system:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011629 This bug is also
reported upstream over on SourceForge:
https://sourceforge.net/p/minidlna/bugs/346/ I can confirm that on my FreeBSD
system my /var/log/minidlna.log file contains a:

[2023/04/22 12:28:23] upnphttp.c:938: error: DNS rebinding attack suspected
(Host: example.com:8200)

... line when I try to connect via a web browser using the hostname, but it
works fine if I cheat and explicitly connect using the server's IPv4 address.
The Debian bug indicates that the issue is fixed, however, the SourceForge
ticket is still open, so I don't know the status of the upstream patch.

Thanks,

Tom

-- 
You are receiving this mail because:
You are the assignee for the bug.