| Message ID | 20260224190451.1596179-8-skandigraun@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-webserver,whinlatter,1/8] nginx: patch CVE-2026-1642 | expand |
diff --git a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc index cb2a1865e8..0dd297098c 100644 --- a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc +++ b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc @@ -43,3 +43,4 @@ SYSTEMD_SERVICE:${PN} = "minidlna.service" INITSCRIPT_NAME = "minidlna" INITSCRIPT_PARAMS = "defaults 90" +CVE_STATUS[CVE-2024-51442] = "not-applicable-config: vulnerability requires root access"
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442 The description of the vulnerability says "attacker [...] execute arbitrary OS commands via a specially crafted minidlna.conf configuration file". There is no official fix for this CVE, and upstream seems to be inactive for the past 3 years. The reason for ignoring this CVE is that the referenced minidlna.conf file is in the /etc folder, and the file is not world-writable. Which means that this vulnerability can be exploited only when someone is root - but if the attacker is already root, they don't need to resort to minidlna config-file modifications to execute any command they want. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- meta-multimedia/recipes-multimedia/minidlna/minidlna.inc | 1 + 1 file changed, 1 insertion(+)