miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Security and version numbers of releases

 
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> miniupnpd Feature Request
View previous topic :: View next topic  
Author Message
Squat



Joined: 15 Jan 2008
Posts: 4
Location: Trondheim, Norway

PostPosted: Tue Jan 15, 2008 11:11 am    Post subject: Security and version numbers of releases Reply with quote

According to releases: Would be nice if the releases could be named more mainstreamed, like only numbers? Many package systems/managers doesn't support naming version with "rc" (fewer understand if 1.0rc13 is before or after 1.0).
As I see it, miniupnpd is stable enough to deserve a 1.0.1 or 1.1 (or something like that) version number? :-)

Also, I'm maintaining the FreeBSD port of miniupnpd, in that relation it would be nice to have an "announcement service" (like a mailing list?) where new releases were announced? As I don't check this website everyday, that could help me with keeping the FreeBSD-port more current.

This is my first post on this forum, so I would like to thank all the developers for making and updating miniupnpd!
Back to top
View user's profile Send private message
Squat



Joined: 15 Jan 2008
Posts: 4
Location: Trondheim, Norway

PostPosted: Tue Jan 15, 2008 11:13 am    Post subject: Reply with quote

Do you know if miniupnpd is vulnerable for the security issues mention at:
www.gnucitizen.org/projects/hacking-the-interwebs/
?

Sorry, this was intended to be in the first post: but was splitted because I wasn't allowed to post URLs in my first port.
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

PostPosted: Wed Jan 16, 2008 9:03 am    Post subject: Re: Security and version numbers of releases Reply with quote

Squat wrote:
According to releases: Would be nice if the releases could be named more mainstreamed, like only numbers? Many package systems/managers doesn't support naming version with "rc" (fewer understand if 1.0rc13 is before or after 1.0).
As I see it, miniupnpd is stable enough to deserve a 1.0.1 or 1.1 (or something like that) version number? Smile

I guess you are right, I should release the next version as 1.0 Smile

Squat wrote:
Also, I'm maintaining the FreeBSD port of miniupnpd, in that relation it would be nice to have an "announcement service" (like a mailing list?) where new releases were announced? As I don't check this website everyday, that could help me with keeping the FreeBSD-port more current.

You can subscribe to http://freshmeat.net/projects/miniupnp/
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

PostPosted: Wed Jan 16, 2008 9:04 am    Post subject: Reply with quote

Squat wrote:
Do you know if miniupnpd is vulnerable for the security issues mention at:
www.gnucitizen.org/projects/hacking-the-interwebs/
?

I have a timeout trying to reach this page.

Squat wrote:
Sorry, this was intended to be in the first post: but was splitted because I wasn't allowed to post URLs in my first port.

It could be annoying for first time poster but it is pretty efficient against spambots !
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
Squat



Joined: 15 Jan 2008
Posts: 4
Location: Trondheim, Norway

PostPosted: Wed Jan 16, 2008 4:06 pm    Post subject: Reply with quote

miniupnp wrote:
Squat wrote:
Do you know if miniupnpd is vulnerable for the security issues mention at:
www.gnucitizen.org/projects/hacking-the-interwebs/
?

I have a timeout trying to reach this page.

Strange, works for me. Maybe it was down when you tried to access it?
You could try to reach it through google's cache at:
http://www.google.com/search?q=cache:N-KVXc3eBxgJ:www.gnucitizen.org/blog/hacking-the-interwebs+www.gnucitizen.org/projects/hacking-the-interwebs/
The issue is also referred to at:
http://it.slashdot.org/article.pl?sid=08/01/14/1319256

I can send you the text in e-mail, if you still can't access it?

Edit: This is also the same case as noted in this topic:
http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=435
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

PostPosted: Wed Jan 16, 2008 6:01 pm    Post subject: Reply with quote

Squat wrote:
miniupnp wrote:
Squat wrote:
Do you know if miniupnpd is vulnerable for the security issues mention at:
www.gnucitizen.org/projects/hacking-the-interwebs/
?

I have a timeout trying to reach this page.

Strange, works for me. Maybe it was down when you tried to access it?
You could try to reach it through google's cache at:
http://www.google.com/search?q=cache:N-KVXc3eBxgJ:www.gnucitizen.org/blog/hacking-the-interwebs+www.gnucitizen.org/projects/hacking-the-interwebs/
The issue is also referred to at:
http://it.slashdot.org/article.pl?sid=08/01/14/1319256

I can send you the text in e-mail, if you still can't access it?

Edit: This is also the same case as noted in this topic:
http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=435

I read the article. Indeed, miniupnpd could be vulnerable to such attack but the article does not explain how it is possible to get the URL to POST the SOAP request.
In the example given, this URL is hardcoded so the attack would have to be hardcoded with miniupnpd HTTP listening port and path.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

PostPosted: Wed Jan 16, 2008 6:28 pm    Post subject: Reply with quote

also forwarding to port 445 would normally be prohibited by a well written miniupnpd.conf
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

PostPosted: Sun Jan 27, 2008 11:07 pm    Post subject: Reply with quote

MiniUPnPd version 1.0 was just released Wink
it adds a "secure" mode in which clients can only redirect a port to their own ip.
next miniupnpd version will be 1.0.1 or 1.1 ...
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> miniupnpd Feature Request All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP
© 2007 Thomas Bernard, author of MiniUPNP.