Published: 02 February 2014
Cantata before 1.2.2 does not restrict access to files in the play queue, which allows remote attackers to obtain sensitive information by reading the songs in the queue.
From the Ubuntu security team
Automatically started HTTP server listens on all interfaces and will serve any file that the user running the HTTP server has access to, including e.g. ssh private keys.
according to debian bug report, 1.1.3 package does not start httpd server by default